How do I reject a certificate request on the Puppet Master?

I received some requests from agents with the wrong hostname. I have corrected the problem, but the outstanding requests with the wrong hostname are still there.

I tried:

$ puppet cert list
  "wrong.host.name" (SHA256) 8E:...:51

$ puppet cert revoke wrong.host.name
Error: Could not find a serial number for wrong.host.name

$ puppet cert clean wrong.host.name
Error: Could not find a serial number for wrong.host.name

What is the correct way to get rid of them?

Answer 1

Using ca works better and can be used in place of cert. Importantly, it doesn't make you temporarily sign the invalid certificate.

$ puppet ca destroy wrong.host.name
Notice: Removing file Puppet::SSL::CertificateRequest wrong.host.name at '/var/lib/puppet/ssl/ca/requests/wrong.host.name.pem'
Deleted for wrong.host.name: Puppet::SSL::CertificateRequest

The puppet ca command was recently deprecated, so at some point it may disappear, but there is no equivalent command. There is a bug you can vote for if you think removing this command without a replacement is a bit silly.

Answer 2

Possible solution 1:

Using puppet cert clean on the puppet master is the correct way. However, since you are getting that error, your certificate inventory is probably bad.

Try reinventorying and then cleaning:

$ puppet cert reinventory
$ puppet cert clean --all

Note: my example uses the --all flag, which will clean all certificates (signed and unsigned). Also note that the Puppet master should be stopped before running puppet cert reinventory.

Source: http://docs.puppetlabs.com/references/3.6.2/man/cert.html

Possible solution 2:

$ puppet cert sign wrong.host.name
Notice: Signed certificate request for wrong.host.name
Notice: Removing file Puppet::SSL::CertificateRequest wrong.host.name at '/var/lib/puppet/ssl/ca/requests/wrong.host.name.pem'

$ puppet cert clean wrong.host.name
Notice: Revoked certificate with serial 87
Notice: Removing file Puppet::SSL::Certificate wrong.host.name at '/var/lib/puppet/ssl/ca/signed/wrong.host.name.pem'
Notice: Removing file Puppet::SSL::Certificate wrong.host.name at '/var/lib/puppet/ssl/certs/wrong.host.name.pem'

Possible solution 3:

First: on the server

$ puppet cert --revoke wrong.host.name
$ puppet cert --clean wrong.host.name

Second: on the client

$ rm -rf /usr/lib/puppet/ssl
$ puppet agent --server [puppetmaster domain name] --waitforcert 60

Third: on the server (adjust as needed)

$ puppet cert --list (you should see your host)
$ puppet cert --sign wrong.host.name

Also, double-check that your client can reach your [puppetmaster domain name].

Source: https://serverfault.com/questions/574976/puppet-trying-to-configure-puppet-client-for-first-use-but-got-some-problems-wi

Answer 3

Here is how I did it

[root@puppetmc ca]# puppet cert clean sparrow.home
Error: Could not find a serial number for sparrow.home
[root@puppetmc ca]# cat inventory.txt 
0x0002 2015-05-17T06:33:29GMT 2020-05-16T06:33:29GMT /CN=puppetmc.home
0x0003 2015-05-17T23:25:33GMT 2020-05-16T23:25:33GMT /CN=sparrow.rospop.com
0x0004 2015-05-18T00:53:18GMT 2020-05-17T00:53:18GMT /CN=puppetmc.home
0x0005 2015-05-18T02:18:12GMT 2020-05-17T02:18:12GMT /CN=sparrow.rospop.com
[root@puppetmc ca]# vi  inventory.txt 

Add the following line to inventory.txt:

0x0001 2015-05-17T06:33:29GMT 2020-05-16T06:33:29GMT /CN=sparrow.home

Then run

[root@puppetmc ca]# puppet cert clean sparrow.home
Notice: Revoked certificate with serial 1
Notice: Removing file Puppet::SSL::CertificateRequest sparrow.home at '/var/lib/puppet/ssl/ca/requests/sparrow.home.pem'
Vince Bhebhe
