- Puppet 5 Essentials (Third Edition)
- Martin Alfke, Felix Frank
- 2021-07-02 18:22:26
Renewing an agent's certificate
Sometimes, it is necessary during an agent machine's life cycle to regenerate its certificate and related data. The reasons for this can include data loss, human error, or certificate expiration, among others. The regeneration is achieved through the following steps:
- Performing the regeneration is quite simple: all relevant files are kept at /etc/puppetlabs/puppet/ssl (for Puppet 3.x, this is /var/lib/puppet/ssl) on the agent machine.
- Once these files are removed (or rather, the whole ssl/ directory tree), Puppet will renew everything on the next agent run. Of course, a new certificate must be signed. This requires some preparation; just initiating the request from the agent will fail:
root@agent# puppet agent --test
Info: Creating a new SSL key for agent
Info: Caching certificate for ca
Info: Caching certificate for agent.example.net
Error: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: 6A:9F:12:C8:75:C0:B6:10:45:ED:C3:97:24:CC:98:F2:B6:1A:B5:4C:E3:98:96:4F:DA:CD:5B:59:E0:7F:F5:E6
The master still has the old certificate cached. This is a simple protection against the impersonation of your agents by unauthorized entities.
- To fix this, remove the certificate from both the master and the agent and then start a Puppet run, which will automatically regenerate a certificate:
- On the master, use the following:
puppet cert clean agent.example.net
- On the agent, use the following:
- On most platforms, use the following:
find /etc/puppetlabs/puppet/ssl -name agent.example.net.pem -delete
- On Windows, use the following:
del "/etc/puppetlabs/puppet/ssl/agent.example.net.pem" /f
- Then, on the agent, run the following:
puppet agent -t
Exiting; failed to retrieve certificate and waitforcert is disabled
- Once you perform the cleanup operation on the master, as advised in the preceding output, and remove the indicated file from the agent machine, the agent will be able to successfully place its new CSR:
root@puppetmaster# puppet cert clean agent
Notice: Revoked certificate with serial 18
Notice: Removing file Puppet::SSL::Certificate agent at '/etc/puppetlabs/puppet/ssl/ca/signed/agent.pem'
Notice: Removing file Puppet::SSL::Certificate agent at '/etc/puppetlabs/puppet/ssl/certs/agent.pem'
The rest of the process is identical to the original certificate creation. The agent uploads its CSR to the master, where the certificate is created through the puppet cert sign command.
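As an added example (not code from the book), the following POSIX shell script performs the agent-side cleanup from the procedure above with two defensive additions: it records the fingerprint of the certificate being discarded and keeps a copy of the ssl/ tree before anything is deleted, so the old key material can be examined later. The ssl directory path and certname are parameters; the defaults shown in the usage comment are assumptions, and the master-side `puppet cert clean` and the agent re-run remain manual steps.

```shell
#!/bin/sh
# Added example: agent-side cleanup for certificate renewal, with a
# backup of the ssl/ tree and a record of the old certificate fingerprint.
# The ssl directory and certname are parameters (defaults are assumptions).
set -u

# Print the SHA-256 fingerprint of a PEM certificate, or "unknown" when
# openssl is missing or the file is not a parseable certificate.
cert_fingerprint() {
    fp=""
    if command -v openssl >/dev/null 2>&1; then
        fp=$(openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null \
             | sed 's/^[^=]*=//')
    fi
    printf '%s\n' "${fp:-unknown}"
}

# Copy the whole ssl/ tree to <ssl_dir>.bak.<timestamp> so the old key and
# certificate stay available for recovery or later examination. Refuses to
# reuse an existing backup directory. Prints the backup path.
backup_ssl_dir() {
    backup="$1.bak.$(date +%Y%m%d%H%M%S)"
    mkdir "$backup" || return 1
    cp -a "$1/." "$backup/" || return 1
    printf '%s\n' "$backup"
}

# Delete every <certname>.pem below the ssl/ tree (certs/, private_keys/,
# public_keys/, certificate_requests/), printing each path removed. The CA
# certificate and the files of any other certname are left alone.
remove_agent_cert() {
    find "$1" -type f -name "$2.pem" -print -delete
}

# Full agent-side sequence: fingerprint, back up, then remove. The master
# still needs `puppet cert clean <certname>`, after which `puppet agent -t`
# on the agent submits a fresh CSR; neither command is run here.
renew_agent_cert() {
    ssl_dir=$1; certname=$2
    if [ -f "$ssl_dir/certs/$certname.pem" ]; then
        printf 'old cert fingerprint: %s\n' \
            "$(cert_fingerprint "$ssl_dir/certs/$certname.pem")"
    fi
    backup=$(backup_ssl_dir "$ssl_dir") || return 1
    printf 'backup kept at %s\n' "$backup"
    remove_agent_cert "$ssl_dir" "$certname"
}

# Usage (assumed defaults): renew_agent_cert /etc/puppetlabs/puppet/ssl agent.example.net
if [ $# -eq 2 ]; then renew_agent_cert "$1" "$2"; fi
```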