The process of establishing a secure connection between a Puppet master and a Puppet agent is as follows:
- The Puppet agent requests the Puppet master's certificate.
- Once the Puppet master has sent its certificate, the Puppet agent generates its own certificate.
- The Puppet agent then asks the Puppet master to sign the agent certificate.
- Once the Puppet master has signed this certificate, a secure connection is established between the Puppet master and the Puppet agent.
3.1 Generate the Puppet master certificate
Generate the certificate
To generate the CA certificate, run the following command on the Puppet master (master):
sudo -u puppet puppet master --no-daemonize --verbose
This command creates the Puppet master certificate. It does not exit on its own: once it has printed the Puppet version, press Ctrl+C to quit it, because the Puppet master cannot be started while it is still running.
Command output:
[root@qikegu ~]# sudo -u puppet puppet master --no-daemonize --verbose
Info: Creating a new SSL key for ca
Info: Creating a new SSL certificate request for ca
Info: Certificate Request fingerprint (SHA256): 87:B4:AB:B9:ED:ED:DD:05:38:AE:F9:93:48:AC:38:37:C7:6B:CF:28:21:A2:31:09:3E:AD:69:BE:21:C9:2D:DE
Notice: Signed certificate request for ca
Info: Creating a new certificate revocation list
Info: Creating a new SSL key for qikegu
Info: csr_attributes file loading from /var/lib/puppet/.puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for qikegu
Info: Certificate Request fingerprint (SHA256): BE:26:4D:3B:02:B3:9F:37:CC:CB:65:46:89:2F:C6:54:2E:B8:87:4B:8E:C5:5C:75:CB:A0:93:60:8E:D5:F3:FD
Notice: qikegu has a waiting certificate request
Notice: Signed certificate request for qikegu
Notice: Removing file Puppet::SSL::CertificateRequest qikegu at '/var/lib/puppet/.puppet/ssl/ca/requests/qikegu.pem'
Notice: Removing file Puppet::SSL::CertificateRequest qikegu at '/var/lib/puppet/.puppet/ssl/certificate_requests/qikegu.pem'
Notice: Starting Puppet master version 3.8.7
Start the Puppet master
Now start the Puppet master.
Run the following command (master):
puppet resource service puppetmaster ensure=running
Command output:
[root@qikegu ~]# puppet resource service puppetmaster ensure=running
Notice: /Service[puppetmaster]/ensure: ensure changed 'stopped' to 'running'
service { 'puppetmaster':
ensure => 'running',
}
3.2 The agent asks the Puppet master to sign the agent certificate
Run the following command (agent):
puppet agent -t
Command output:
[root@qikegu2 ~]# puppet agent -t
Exiting; no certificate found and waitforcert is disabled
3.3 The Puppet master signs the agent certificate
The Puppet master responds to the agent's request by signing the agent certificate.
First obtain the list of pending certificate requests by running the following command (master):
puppet cert list
Command output:
[root@qikegu ~]# puppet cert list
"qikegu2" (SHA256) 74:19:B9:F9:CB:9F:ED:24:BD:62:B0:67:63:D7:DF:AD:32:64:F2:35:D1:16:84:CF:ED:5F:24:AD:99:E6:86:2F
As shown, there is one pending certificate signing request named qikegu2 (the hostname of the virtual machine running the agent).
To sign the certificate, run the following command (master):
puppet cert sign qikegu2
Command output:
[root@qikegu ~]# puppet cert sign qikegu2
Notice: Signed certificate request for qikegu2
Notice: Removing file Puppet::SSL::CertificateRequest qikegu2 at '/var/lib/puppet/ssl/ca/requests/qikegu2.pem'
This certificate signing request is the one sent by the Puppet agent (section 3.2), and we have now signed that specific certificate.
3.4 Update the Puppet agent
First start the Puppet agent.
Run the following command (agent):
puppet resource service puppet ensure=running
Command output:
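Before running puppet cert sign, an operator normally confirms that the fingerprint of the pending request matches the one the agent reported through a separate channel, so that a request from an unexpected host is not signed by mistake. The helper below is an added example, not part of the original tutorial: it parses the puppet cert list output format shown above (the embedded sample line reuses the qikegu2 entry from this page) and only signs when the fingerprints match; the expected fingerprint is assumed to have been obtained out of band.

```shell
#!/bin/sh
# Sample `puppet cert list` output, taken from the qikegu2 entry on this page.
SAMPLE_LIST='  "qikegu2" (SHA256) 74:19:B9:F9:CB:9F:ED:24:BD:62:B0:67:63:D7:DF:AD:32:64:F2:35:D1:16:84:CF:ED:5F:24:AD:99:E6:86:2F'

# pending_fingerprint NAME LIST_TEXT
# Prints the SHA256 fingerprint of the pending request for NAME, or returns 1
# if there is none. Already-signed entries start with "+" and are ignored.
pending_fingerprint() {
    name=$1
    list=$2
    printf '%s\n' "$list" | awk -v n="\"$name\"" \
        '$1 == n && $2 == "(SHA256)" { print $3; found = 1 }
         END { exit found ? 0 : 1 }'
}

# csr_matches NAME EXPECTED LIST_TEXT
# Returns 0 only when the pending request for NAME carries EXPECTED (case-insensitive).
csr_matches() {
    fp=$(pending_fingerprint "$1" "$3") || return 1
    [ "$(printf '%s' "$fp" | tr 'a-f' 'A-F')" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# sign_verified NAME EXPECTED
# Signs NAME with `puppet cert sign` only after the fingerprint check passes.
sign_verified() {
    list=$(puppet cert list) || return 1
    if csr_matches "$1" "$2" "$list"; then
        puppet cert sign "$1"
    else
        echo "refusing to sign $1: no pending request or fingerprint mismatch" >&2
        return 1
    fi
}
```

Usage on the master: sign_verified qikegu2 74:19:B9:F9:CB:9F:ED:24:BD:62:B0:67:63:D7:DF:AD:32:64:F2:35:D1:16:84:CF:ED:5F:24:AD:99:E6:86:2F (with the fingerprint read from the agent's own output).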
[root@qikegu2 ~]# puppet resource service puppet ensure=running
Notice: /Service[puppet]/ensure: ensure changed 'stopped' to 'running'
service { 'puppet':
ensure => 'running',
}
Update the Puppet agent. Because the Puppet master has just signed the certificate, the agent will update its certificate.
Run the following command (agent):
puppet agent -t
Command output:
[root@qikegu2 ~]# puppet agent -t
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for qikegu2
Info: Applying configuration version '1567426258'
We have now established a secure connection between the Puppet master and the Puppet agent.