Ssl-Certificate

How do I generate a certificate for a (secondary) compile puppetserver?

  • September 30, 2021

I am trying to scale out puppetserver with round-robin DNS to get redundancy. The secondary puppetserver (version 7.4.0) is configured to use the CA authority of the primary puppetserver:

/etc/puppetlabs/puppet/puppet.conf:

[main]
ca_name = Puppet CA: puppet-ca-master.company.com
ca_server = puppet-ca-master.company.com
[agent]
server = puppet-ca-master.company.com
runinterval=1800

On the secondary server I disabled the CA service, since there may only be one certificate authority, in /etc/puppetlabs/puppetserver/services.d/ca.cfg:

# To enable the CA service, leave the following line uncommented
# puppetlabs.services.ca.certificate-authority-service/certificate-authority-service
# To disable the CA service, comment out the above line and uncomment the line below
puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service
puppetlabs.trapperkeeper.services.watcher.filesystem-watch-service/filesystem-watch-service

I removed the certificates from the secondary server in order to get a certificate signed by the CA master:

rm -rf /etc/puppetlabs/puppet/ssl && mkdir -p /etc/puppetlabs/puppet/ssl/certs
chmod 0700 /etc/puppetlabs/puppet/ssl
chown -R puppet /etc/puppetlabs/puppet/ssl

However, the puppetserver service refuses to start because the certificate is missing:

2021-09-30T09:06:18.220+02:00 ERROR [async-dispatch-2] [p.t.internal] Error during service start!!!
java.lang.IllegalArgumentException: Unable to open 'ssl-cert' file: /etc/puppetlabs/puppet/ssl/certs/secondary-puppetserver.company.com.pem

When I try to run puppet agent -t on the secondary puppetserver, it fails to get the certificate signed:

Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (secondary-puppetserver.company.com)

Also, a private key is generated, but no public key:

ll /etc/puppetlabs/puppet/ssl/public_keys/
total 0

For round-robin DNS, the CA master configuration /etc/puppetlabs/puppetserver/conf.d/ca.conf needs to include:

allow-subject-alt-names: true

Restart puppetserver and generate the certificate for the secondary server on the CA master:

puppetserver ca generate --certname puppet-secondary.company.com --subject-alt-names=puppet-secondary.company.com,puppet.company.com

Transfer the certificates:

rsync -a /etc/puppetlabs/puppet/ssl/private_keys/puppet-secondary.company.com.pem secondary-puppet:/etc/puppetlabs/puppet/ssl/private_keys/
rsync -a /etc/puppetlabs/puppet/ssl/certs/puppet-secondary.company.com.pem secondary-puppet:/etc/puppetlabs/puppet/ssl/certs/
rsync -a /etc/puppetlabs/puppet/ssl/public_keys/puppet-secondary.company.com.pem secondary-puppet:/etc/puppetlabs/puppet/ssl/public_keys/

and the CA:

rsync -ra /etc/puppetlabs/puppetserver/ca/{ca_crl.pem,ca_crt.pem} secondary-puppet:/etc/puppetlabs/puppetserver/ca/

On the secondary, make sure the CA service is disabled in /etc/puppetlabs/puppetserver/services.d/ca.cfg.

And make sure the web server is configured to use the correct certificate in /etc/puppetlabs/puppetserver/conf.d/webserver.conf:

webserver: {
   access-log-config: /etc/puppetlabs/puppetserver/request-logging.xml
   client-auth: want
   ssl-host: 0.0.0.0
   ssl-port: 8140
   ssl-cert: /etc/puppetlabs/puppet/ssl/certs/puppet-secondary.company.com.pem
   ssl-key: /etc/puppetlabs/puppet/ssl/private_keys/puppet-secondary.company.com.pem
   ssl-ca-cert: /etc/puppetlabs/puppetserver/ca/ca_crt.pem
   ssl-crl-path: /etc/puppetlabs/puppetserver/ca/ca_crl.pem
}

On the CA master, the DNS alt names can be verified. All puppet servers need to include the same shared domain name plus their own unique name.

puppetserver ca list --all

Look for alt names: ["DNS: ... . When the certificate is generated with puppet agent, the alt names are not included.
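As an added check (not part of the answer above, and not Puppet's own tooling): a POSIX shell function that verifies with openssl what the answer inspects by hand with puppetserver ca list --all, namely that the transferred cert chains to ca_crt.pem, that the transferred private key matches it, and that every name clients may dial (the shared round-robin name and the unique one) is present as a SAN. The function names, the file paths and the throwaway demo CA/cert pair are assumptions made for the example.

```sh
#!/bin/sh
# check_puppet_cert CERT KEY CA_CERT DNS_NAME... -> 0 when all checks pass.
# Run on the secondary after the rsync step, e.g. with the answer's paths:
#   /etc/puppetlabs/puppet/ssl/certs/puppet-secondary.company.com.pem
#   /etc/puppetlabs/puppet/ssl/private_keys/puppet-secondary.company.com.pem
#   /etc/puppetlabs/puppetserver/ca/ca_crt.pem
check_puppet_cert() {
    cert="$1"; key="$2"; ca="$3"; shift 3   # remaining args: expected SANs
    # 1. chain check against the CA master's cert (no CRL check here;
    #    add -crl_check with ca_crl.pem once it has been transferred)
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "cert does not chain to $ca"; return 1; }
    # 2. key/cert match: compare public keys (works for RSA and EC alike)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key $key does not match $cert"; return 1; }
    # 3. SAN check: pull "DNS:a, DNS:b" out of the SAN extension, one per line
    sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p')
    for name in "$@"; do
        echo "$sans" | grep -qx "$name" || { echo "missing SAN: $name"; return 1; }
    done
    return 0
}

# Constructed demo data (hypothetical, not from the post): a throwaway CA and
# a leaf cert carrying the same SANs the answer passes to puppetserver ca generate.
make_demo_certs() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=puppet-ca-master.company.com" \
        -keyout "$dir/ca_key.pem" -out "$dir/ca_crt.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=puppet-secondary.company.com" \
        -keyout "$dir/key.pem" -out "$dir/csr.pem" >/dev/null 2>&1
    printf 'subjectAltName=DNS:puppet-secondary.company.com,DNS:puppet.company.com\n' \
        > "$dir/san.cnf"
    openssl x509 -req -in "$dir/csr.pem" -CA "$dir/ca_crt.pem" -CAkey "$dir/ca_key.pem" \
        -CAcreateserial -days 1 -extfile "$dir/san.cnf" -out "$dir/cert.pem" >/dev/null 2>&1
}
```

A cert signed via puppet agent instead of puppetserver ca generate fails the third check, which is exactly the situation the answer warns about.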

Source: https://serverfault.com/questions/1079127