1.1 Puppet Node Registration Options
1.1.1 Manual Registration
[root@puppetserver ~]# puppet cert --list    # list the nodes requesting registration
"agent1.rsyslog.org" (3a:6c:c6:30:14:6d:dc:4b:0e:70:79:be:46:fa:6c:2b)
[root@puppetserver ~]# puppet cert --sign agent1.rsyslog.org    # register the node agent1.rsyslog.org
notice: Signed certificate request for agent1.rsyslog.org
notice: Removing file Puppet::SSL::CertificateRequest agent1.rsyslog.org at '/var/lib/puppet/ssl/ca/requests/agent1.rsyslog.org.pem'
More actions can be listed with the command puppet cert --help
1.1.2 Automatic Registration
[root@puppetserver puppet]# vim autosign.conf    # create and edit autosign.conf; write in the host names to be registered automatically; names that share a suffix can be covered with the wildcard *
*.rsyslog.org
Note: In this mode, certificate requests from the specified domain name range are signed automatically. This carries a certain security risk, so consider whether to use it depending on your circumstances.
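To see what the wildcard entry above admits, this shell sketch (an added example, not from the original article) checks certnames against an autosign.conf. The certname is chosen by the requesting host, so a wildcard entry signs whatever name in that domain the requester claims. Assumptions: the "*.suffix" matching rule, case-insensitive comparison, and the constructed sample file and host names.

```shell
#!/bin/sh
# Added example: which certnames would a given autosign.conf sign without review?
# Assumption: an entry "*.suffix" admits any certname ending in ".suffix".

# norm STRING: lower-case and strip surrounding whitespace (assumption of this sketch)
norm() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'; }

# autosign_match CERTNAME FILE: print the admitting entry and return 0, else return 1
autosign_match() {
    name=$(norm "$1")
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(norm "$line")
        case "$entry" in
            ''|'#'*) continue ;;                  # blank line or comment
            '*.'*)   suffix=${entry#'*'}          # "*.rsyslog.org" -> ".rsyslog.org"
                     case "$name" in
                         ?*"$suffix") printf '%s\n' "$entry"; return 0 ;;
                     esac ;;
            *)       if [ "$name" = "$entry" ]; then printf '%s\n' "$entry"; return 0; fi ;;
        esac
    done < "$2"
    return 1
}

# wildcard_entries FILE: list entries that trust any requester-chosen name in a domain
wildcard_entries() {
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(norm "$line")
        case "$entry" in '*.'*) printf '%s\n' "$entry" ;; esac
    done < "$1"
}

# Constructed sample: the wildcard from the text plus one exact name (hypothetical).
conf=$(mktemp)
printf '%s\n' '# constructed sample' '*.rsyslog.org' 'db1.example.net' > "$conf"

for certname in agent1.rsyslog.org anything.rsyslog.org agent1.rsyslog.org.example.net; do
    if by=$(autosign_match "$certname" "$conf"); then
        echo "AUTO-SIGNED  $certname  (entry: $by)"
    else
        echo "needs review $certname"
    fi
done
```

Running wildcard_entries against the real autosign.conf gives the list of entries to reconsider or replace with exact host names.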
1.1.3 Pre-signed Certificates
1.1.3.1 Pre-generate the node's certificate on the Puppet server
[root@puppetserver ~]# puppetca --generate agent1.rsyslog.org
1.1.3.2 Copy the following certificate files into the corresponding directories on the node, overwriting what is there
/var/lib/puppet/ssl/private_keys/agent1.rsyslog.org.pem
/var/lib/puppet/ssl/certs/agent1.rsyslog.org.pem
/var/lib/puppet/ssl/certs/ca.pem
Note: The node must be started once before copying, so that the /var/lib/puppet/ssl directory structure is generated.
1.1.4 Re-registration
Sometimes a node changes its host name, or needs to re-register to obtain a new certificate:
1) On the node, delete the old certificates first
[root@agent1 ~]# rm -rf /var/lib/puppet/ssl/*
2) On the puppetserver side, delete the node's certificate
[root@puppetserver ~]# puppetca --clean agent1.rsyslog.org
notice: Revoked certificate with serial 3
notice: Removing file Puppet::SSL::Certificate agent1.rsyslog.org at '/var/lib/puppet/ssl/ca/signed/agent1.rsyslog.org.pem'
notice: Removing file Puppet::SSL::Certificate agent1.rsyslog.org at '/var/lib/puppet/ssl/certs/agent1.rsyslog.org.pem'
3) Re-register manually, automatically, or with a pre-signed certificate; see 2.6.1, 2.6.2 and 2.6.3
This article is from the "www.kisspuppet.com" blog, please be sure to keep this source http://kisspuppet.blog.51cto.com/418026/1257717