In day-to-day operation, puppet server/client certificate authentication errors are common, and the certificate then has to be regenerated. The usual procedure is to delete the old certificates on both the server and the client side and then generate a new one. The shell script below automates this; it only needs to be run periodically on the client side. Because the script contains a plaintext password, you may consider encrypting the script to improve security (see: http://lxsym.blog.51cto.com/1364623/768286)
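#!/bin/bash
# Re-issuing the puppet certificate for client exceptions
# 2012/05/30 Richard Shen
#
# Configuration. Every value below is read by the re-issue loop at the
# bottom of the script and by auto_smart_ssh.

SIP="192.168.11.6" # server ip address
# server root password. The literal is kept for compatibility with the
# original deployment, but it can now be supplied from the environment so
# it does not have to live in the script; key-based ssh would remove the
# need for it altogether.
SPASSWD=${SPASSWD:-"hello"}
host=$(hostname)
s_dns=".dns.abc.com.pem" # suffix of this host's certificate file; depends on the internal DNS setup
s_ca_name="${host}${s_dns}" # $host certificate file on the server (ssl/ca/signed/<host><s_dns>)
# 1 when a test run reports "notice: Finished", i.e. the agent still talks
# to the master; anything else means the certificate has to be re-issued.
# grep -c gives the same count as "grep | wc -l" without wc's padding.
R_NUM=$(/usr/sbin/puppetd --test --server pup-ser-01.dns.abc.com | grep -c "notice: Finished")

# Dependencies. nc is installed here but not used by this script itself;
# expect drives the interactive ssh login in auto_smart_ssh.
[ -f /usr/bin/nc ] || yum -y install nc
[ -f /usr/bin/expect ] || yum -y install expect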
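# LOGIN PUPPET SERVER
#
# auto_smart_ssh PASSWORD USER@HOST COMMAND...
#   Drives a password ssh login with expect and runs COMMAND on the remote
#   side. Exit status: 2 if the server answered "denied", 1 if the
#   connection closed before a password prompt appeared, otherwise expect's
#   own status. The remote command's exit status is not propagated.
#   StrictHostKeyChecking=no is kept from the original: it accepts unknown
#   or changed host keys without verification.
auto_smart_ssh() {
  local passwd=$1
  local target=$2
  shift 2
  # "$*" (one word) instead of ${@:3}: inside the double-quoted -c script a
  # multi-word remote command would otherwise split the script text into
  # several expect arguments.
  #
  # The password reaches expect through the environment and is read inside
  # the script as $env(SSH_PASSWD); splicing it into the -c text would put
  # it in expect's argument list (ps, /proc/*/cmdline) and break on Tcl
  # metacharacters.
  SSH_PASSWD="$passwd" expect -c "
    set timeout -1
    spawn ssh -o StrictHostKeyChecking=no $target $*
    expect {
      *assword:* {
        send -- \"\$env(SSH_PASSWD)\r\"
        expect {
          *denied* {exit 2}
          eof
        }
      }
      eof {exit 1}
    }
  "
  # return $?
}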
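# Perform the following two operations to determine whether the operation is normal or not
#
# Each pass re-checks the agent instead of reusing the R_NUM computed at
# startup: a test run whose output contains "notice: Finished" counts as
# healthy. Otherwise the local SSL state is wiped, the stale signed
# certificate is removed on the master over ssh, and a fresh test run is
# issued so the agent requests a new certificate. With a stale R_NUM the
# second pass would wipe a certificate the first pass had just re-issued.

# Count the "notice: Finished" lines of a puppet test run (1 == healthy).
puppet_finished_count() {
  /usr/sbin/puppetd --test --server pup-ser-01.dns.abc.com | grep -c "notice: Finished"
}

i=0
while [ "$i" -lt 2 ]; do
  R_NUM=$(puppet_finished_count)
  if [ "$R_NUM" -ne 1 ]; then
    # Destructive: drops every local key and certificate so the agent
    # starts from scratch.
    rm -rf /var/lib/puppet/ssl/*
    # Remove the old signed certificate on the master. The root password is
    # handed to auto_smart_ssh as its first argument.
    auto_smart_ssh "$SPASSWD" "root@$SIP" rm -rf "/var/lib/puppet/ssl/ca/signed/$s_ca_name"
    /usr/sbin/puppetd --test --server pup-ser-01.dns.abc.com
  else
    echo "$host puppet client is OK"
  fi
  i=$((i + 1))
done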