官术网_书友最值得收藏!

Renewing an agent's certificate

Sometimes, it is necessary during an agent machine's life cycle to regenerate its certificate and related data. The reasons for this can include data loss, human error, or certificate expiration, among others. The regeneration is achieved through the following steps:

  1. Performing the regeneration is quite simple: all relevant files are kept at /etc/puppetlabs/puppet/ssl (for Puppet 3.x, this is /var/lib/puppet/ssl) on the agent machine.
  2. Once these files are removed (or rather, the whole ssl/ directory tree), Puppet will renew everything on the next agent run. Of course, a new certificate must be signed. This requires some preparation; just initiating the request from the agent will fail:
root@agent# puppet agent –test
Info: Creating a new SSL key for agent
Info: Caching certificate for ca
Info: Caching certificate for agent.example.net
Error: Could not request certificate: The certificate retrievedfrom the master does not match the agent's private key.
Certificate fingerprint: 6A:9F:12:C8:75:C0:B6:10:45:ED:C3:97:24:CC:98:F2:B6:1A:B5: 4C:E3:98:96:4F:DA:CD:5B:59:E0:7F:F5:E6

The master still has the old certificate cached. This is a simple protection against the impersonation of your agents by unauthorized entities.

  1. To fix this, remove the certificate from both the master and the agent and then start a Puppet run, which will automatically regenerate a certificate:
    • On the master, use the following:
         puppet cert clean agent.example.net
    • On the agent, use the following:
    • On most platforms, use the following:
find /etc/puppetlabs/puppet/ssl -name agent.example.net.pem –delete
    • On Windows, use the following:
del "/etc/puppetlabs/puppet/ssl/agent.example.net.pem" /f
puppet agent –t
Exiting; failed to retrieve certificate and waitforcert is disabled
  1. Once you perform the cleanup operation on the master, as advised in the preceding output, and remove the indicated file from the agent machine, the agent will be able to successfully place its new CSR:
root@puppetmaster# puppet cert clean agent
Notice: Revoked certificate with serial 18
Notice: Removing file Puppet::SSL::Certificate agent at '/etc/puppetlabs/ puppet/ssl/ca/signed/agent.pem'
Notice: Removing file Puppet::SSL::Certificate agent at '/etc/puppetlabs/ puppet/ssl/certs/agent.pem'

The rest of the process is identical to the original certificate creation. The agent uploads its CSR to the master, where the certificate is created through the puppet cert sign command.

主站蜘蛛池模板: 葫芦岛市| 广西| 武平县| 云和县| 察雅县| 长沙市| 固镇县| 尉犁县| 高唐县| 武强县| 礼泉县| 信阳市| 阿图什市| 广安市| 呼玛县| 桦甸市| 黎平县| 固始县| 香河县| 老河口市| 福泉市| 林口县| 嫩江县| 盘锦市| 洪湖市| 铜山县| 子长县| 句容市| 临邑县| 商丘市| 永新县| 宜兴市| 佛教| 凤山市| 中牟县| 巩义市| 通化县| 丹凤县| 东兰县| 安远县| 呼和浩特市|