Ssl-Certificate
How do I generate a certificate for a (secondary) compile puppetserver?

I am trying to scale out puppetserver with round-robin DNS for redundancy. The secondary puppetserver (version 7.4.0) is configured to use the CA authority of the primary puppetserver in /etc/puppetlabs/puppet/puppet.conf:

```
[main]
ca_name = Puppet CA: puppet-ca-master.company.com
ca_server = puppet-ca-master.company.com
[agent]
server = puppet-ca-master.company.com
runinterval=1800
```
On the secondary server I disabled the CA service, since there can only be one certificate authority, in /etc/puppetlabs/puppetserver/services.d/ca.cfg:

```
# To enable the CA service, leave the following line uncommented
# puppetlabs.services.ca.certificate-authority-service/certificate-authority-service
# To disable the CA service, comment out the above line and uncomment the line below
puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service
puppetlabs.trapperkeeper.services.watcher.filesystem-watch-service/filesystem-watch-service
```
I removed the certificates from the secondary so that it would get a certificate signed by the CA master:

```
rm -rf /etc/puppetlabs/puppet/ssl && mkdir -p /etc/puppetlabs/puppet/ssl/certs
chmod 0700 /etc/puppetlabs/puppet/ssl
chown -R puppet /etc/puppetlabs/puppet/ssl
```
However, the puppetserver service refuses to start because the certificate is missing:

```
2021-09-30T09:06:18.220+02:00 ERROR [async-dispatch-2] [p.t.internal] Error during service start!!!
java.lang.IllegalArgumentException: Unable to open 'ssl-cert' file: /etc/puppetlabs/puppet/ssl/certs/secondary-puppetserver.company.com.pem
```
When I try `puppet agent -t` on the secondary puppetserver, it cannot get the certificate signed:

```
Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (secondary-puppetserver.company.com)
```
Also, a private key is generated, but no public key:

```
ll /etc/puppetlabs/puppet/ssl/public_keys/
total 0
```
For round-robin DNS, the CA master configuration in /etc/puppetlabs/puppetserver/conf.d/ca.conf needs to include:

```
allow-subject-alt-names: true
```

Restart puppetserver and generate the certificate for the secondary on the CA master:

```
puppetserver ca generate --certname puppet-secondary.company.com --subject-alt-names=puppet-secondary.company.com,puppet.company.com
```
Transfer the certificate:

```
rsync -a /etc/puppetlabs/puppet/ssl/private_keys/puppet-secondary.company.com.pem secondary-puppet:/etc/puppetlabs/puppet/ssl/private_keys/
rsync -a /etc/puppetlabs/puppet/ssl/certs/puppet-secondary.company.com.pem secondary-puppet:/etc/puppetlabs/puppet/ssl/certs/
rsync -a /etc/puppetlabs/puppet/ssl/public_keys/puppet-secondary.company.com.pem secondary-puppet:/etc/puppetlabs/puppet/ssl/public_keys/
```

and the CA:

```
rsync -ra /etc/puppetlabs/puppetserver/ca/{ca_crl.pem,ca_crt.pem} secondary-puppet:/etc/puppetlabs/puppetserver/ca/
```
On the secondary, make sure the CA service is disabled in /etc/puppetlabs/puppetserver/services.d/ca.cfg, and make sure the web server is configured to use the correct certificates in /etc/puppetlabs/puppetserver/conf.d/webserver.conf:

```
webserver: {
    access-log-config: /etc/puppetlabs/puppetserver/request-logging.xml
    client-auth: want
    ssl-host: 0.0.0.0
    ssl-port: 8140
    ssl-cert: /etc/puppetlabs/puppet/ssl/certs/puppet-secondary.company.com.pem
    ssl-key: /etc/puppetlabs/puppet/ssl/private_keys/puppet-secondary.company.com.pem
    ssl-ca-cert: /etc/puppetlabs/puppetserver/ca/ca_crt.pem
    ssl-crl-path: /etc/puppetlabs/puppetserver/ca/ca_crl.pem
}
```
On the CA master the DNS alternative names can be verified; all puppet servers need to include the same shared domain name plus their own unique name. Run

```
puppetserver ca list --all
```

and look for `alt names: ["DNS: ...`. When the certificate is generated with `puppet agent`, the alternative names are not included.
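A check worth running on the secondary after the rsync step and before restarting puppetserver, as an added example that is not part of the original answer: it confirms that the copied private key belongs to the certificate, that the certificate chains to the copied ca_crt.pem the web server will present as ssl-ca-cert, and that every DNS name agents will connect to (the host's own name and the shared round-robin name) is present as a subjectAltName. The function name check_puppet_cert, the throwaway demo PKI built by make_demo_pki, and the requirement for openssl 1.1.1 or later are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original answer). Verifies that a server
# certificate issued on the CA master is usable on a secondary puppetserver
# behind round-robin DNS. Assumes openssl 1.1.1+ is installed.

# check_puppet_cert CERT KEY CA_CERT NAME...  -> 0 if every check passes, 1 otherwise
check_puppet_cert() {
    cert=$1; key=$2; ca=$3; shift 3

    # 1. The private key rsync'd into private_keys/ must belong to the certificate:
    #    both sides are printed as SubjectPublicKeyInfo PEM and compared.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "cannot read certificate $cert" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "cannot read private key $key" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key $key does not match $cert" >&2; return 1; }

    # 2. The certificate must chain to the ca_crt.pem the secondary serves as
    #    ssl-ca-cert; otherwise agents reject the TLS handshake.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "$cert does not chain to $ca" >&2; return 1; }

    # 3. Every name agents use must be a DNS entry in subjectAltName. A cert
    #    generated by 'puppet agent' alone carries no alt names, so the shared
    #    round-robin name would be missing and hostname verification would fail.
    sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
           | sed -n '/Subject Alternative Name/{n;p;}')
    for name in "$@"; do
        case "$sans" in
            *"DNS:$name,"*|*"DNS:$name") ;;
            *) echo "$cert has no subjectAltName DNS:$name" >&2; return 1 ;;
        esac
    done
    return 0
}

# make_demo_pki DIR builds a throwaway CA and a server certificate carrying the
# two SANs from the answer, so the check can be exercised without a puppetserver.
# This is constructed demo material, not the real Puppet CA.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Puppet CA demo" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=puppet-secondary.company.com" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null
    printf 'subjectAltName=DNS:puppet-secondary.company.com,DNS:puppet.company.com\n' \
        > "$dir/san.cnf"
    openssl x509 -req -days 1 -in "$dir/srv.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/san.cnf" -out "$dir/srv.crt" 2>/dev/null
}

# Real use on the secondary, with the paths from the answer:
#   check_puppet_cert /etc/puppetlabs/puppet/ssl/certs/puppet-secondary.company.com.pem \
#       /etc/puppetlabs/puppet/ssl/private_keys/puppet-secondary.company.com.pem \
#       /etc/puppetlabs/puppetserver/ca/ca_crt.pem \
#       puppet-secondary.company.com puppet.company.com
if [ "$#" -ge 4 ]; then
    check_puppet_cert "$@" && echo "certificate OK"
fi
```

Run it as root or as the puppet user, since private_keys/ is not readable by anyone else. The third check is the same information `puppetserver ca list --all` shows on the CA master, but read from the files that actually landed on the secondary, which is what matters once the web server starts using them.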