How do I generate a certificate for a secondary (compile) puppetserver?

I am trying to extend Puppetserver for redundancy using round-robin DNS. The secondary puppetserver (version 7.4.0) is configured to use the CA of the primary puppetserver:

/etc/puppetlabs/puppet/puppet.conf

[main]
ca_name = Puppet CA: puppet-ca-master.company.com
ca_server = puppet-ca-master.company.com
[agent]
server = puppet-ca-master.company.com
runinterval=1800

On the secondary server I disabled the CA service, because there can only be one certificate authority, in /etc/puppetlabs/puppetserver/services.d/ca.cfg:

# To enable the CA service, leave the following line uncommented
# puppetlabs.services.ca.certificate-authority-service/certificate-authority-service
# To disable the CA service, comment out the above line and uncomment the line below
puppetlabs.services.ca.certificate-authority-disabled-service/certificate-authority-disabled-service
puppetlabs.trapperkeeper.services.watcher.filesystem-watch-service/filesystem-watch-service

I removed the certificates from the secondary so that it would get a certificate signed by the CA master:

rm -rf /etc/puppetlabs/puppet/ssl && mkdir -p /etc/puppetlabs/puppet/ssl/certs
chmod 0700 /etc/puppetlabs/puppet/ssl
chown -R puppet /etc/puppetlabs/puppet/ssl

But the puppetserver service refuses to start because the certificate is missing:

2021-09-30T09:06:18.220+02:00 ERROR [async-dispatch-2] [p.t.internal] Error during service start!!!
java.lang.IllegalArgumentException: Unable to open 'ssl-cert' file: /etc/puppetlabs/puppet/ssl/certs/secondary-puppetserver.company.com.pem

When I try to run puppet agent -t on the secondary puppetserver, it fails to get the certificate signed:

Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (secondary-puppetserver.company.com)

Also, the private key has been generated, but the public key has not:

ll /etc/puppetlabs/puppet/ssl/public_keys/
total 0

Answer 1

For a round-robin DNS setup, the CA master's configuration in /etc/puppetlabs/puppetserver/conf.d/ca.conf needs to include:

allow-subject-alt-names: true

Restart puppetserver on the CA master and generate the certificate for the secondary server:

puppetserver ca generate --certname puppet-secondary.company.com --subject-alt-names=puppet-secondary.company.com,puppet.company.com

Transfer the certificates:

rsync -a /etc/puppetlabs/puppet/ssl/private_keys/puppet-secondary.company.com.pem secondary-puppet:/etc/puppetlabs/puppet/ssl/private_keys/
rsync -a /etc/puppetlabs/puppet/ssl/certs/puppet-secondary.company.com.pem secondary-puppet:/etc/puppetlabs/puppet/ssl/certs/
rsync -a /etc/puppetlabs/puppet/ssl/public_keys/puppet-secondary.company.com.pem secondary-puppet:/etc/puppetlabs/puppet/ssl/public_keys/

and the CA:

rsync -ra /etc/puppetlabs/puppetserver/ca/{ca_crl.pem,ca_crt.pem} secondary-puppet:/etc/puppetlabs/puppetserver/ca/

On the secondary server, make sure the CA service is disabled in /etc/puppetlabs/puppetserver/services.d/ca.cfg

and make sure the webserver is configured to use the correct certificates in /etc/puppetlabs/puppetserver/conf.d/webserver.conf:

webserver: {
    access-log-config: /etc/puppetlabs/puppetserver/request-logging.xml
    client-auth: want
    ssl-host: 0.0.0.0
    ssl-port: 8140
    ssl-cert: /etc/puppetlabs/puppet/ssl/certs/puppet-secondary.company.com.pem
    ssl-key: /etc/puppetlabs/puppet/ssl/private_keys/puppet-secondary.company.com.pem
    ssl-ca-cert: /etc/puppetlabs/puppetserver/ca/ca_crt.pem
    ssl-crl-path: /etc/puppetlabs/puppetserver/ca/ca_crl.pem
}

On the CA master you can verify the alt names. All puppet servers need to include the same shared domain name plus their own unique name.

puppetserver ca list --all

Look for alt names: ["DNS: .... When the certificate is generated with puppet agent, the alt names are not included.
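A pre-flight check for the procedure above, added here as an example and not part of the original answer: before restarting puppetserver on the secondary, confirm that the certificate copied from the CA master matches its private key, chains to the copied ca_crt.pem, and carries the round-robin DNS name as a SAN (the three conditions that make the webserver.conf above work). The function takes the paths from the answer's layout as arguments; the fixture builder creates a throwaway CA and leaf certificate with openssl so the check can be exercised offline. The hostnames in the fixture are constructed, not real Puppet certificates.

```shell
#!/bin/sh
# Added example (not from the original answer): sanity-check a secondary
# puppetserver certificate before restarting the service. With the answer's
# layout the arguments would be:
#   /etc/puppetlabs/puppet/ssl/certs/puppet-secondary.company.com.pem
#   /etc/puppetlabs/puppet/ssl/private_keys/puppet-secondary.company.com.pem
#   /etc/puppetlabs/puppetserver/ca/ca_crt.pem
#   puppet.company.com          (the shared round-robin name)
set -eu

# check_puppetserver_cert CERT KEY CA_CERT SAN_NAME
# Returns 0 when every check passes; otherwise prints the failing check and returns 1.
check_puppetserver_cert() {
    cert="$1"; key="$2"; ca="$3"; san="$4"

    # 1. Key and certificate must carry the same public key. Deriving the public
    #    key from each side and comparing is more reliable than comparing moduli.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "cannot read certificate $cert"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "cannot read private key $key"; return 1; }
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match certificate"; return 1; }

    # 2. The certificate must verify against the CA copied from the master;
    #    otherwise agents that trust ca_crt.pem will reject the secondary.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "certificate does not chain to $ca"; return 1; }

    # 3. The shared round-robin name must be present as a DNS SAN. A certificate
    #    requested by 'puppet agent' has no alt names, which is the trap the answer
    #    points out; split the SAN list on commas and match the entry exactly.
    sans=$(openssl x509 -in "$cert" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed 's/^ *//; s/ *$//')
    printf '%s\n' "$sans" | grep -qxF "DNS:$san" \
        || { echo "SAN DNS:$san missing (have: $(printf '%s' "$sans" | tr '\n' ' '))"; return 1; }
    return 0
}

# make_fixture DIR CN SAN_LIST
# Builds a throwaway CA and a CA-signed leaf certificate with the given SANs
# (constructed test data, not Puppet's own certificates) so the check runs offline.
make_fixture() {
    dir="$1"; cn="$2"; san_list="$3"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Puppet CA: fixture" \
        -keyout "$dir/ca_key.pem" -out "$dir/ca_crt.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/$cn.key" -out "$dir/$cn.csr" >/dev/null 2>&1
    printf 'subjectAltName=%s\n' "$san_list" > "$dir/san.cnf"
    openssl x509 -req -days 1 -in "$dir/$cn.csr" \
        -CA "$dir/ca_crt.pem" -CAkey "$dir/ca_key.pem" -CAcreateserial \
        -extfile "$dir/san.cnf" -out "$dir/$cn.pem" >/dev/null 2>&1
}

# demo: one good certificate, then the two mistakes the answer guards against
# (wrong key copied, round-robin name never requested as a SAN).
demo() {
    tmp=$(mktemp -d)
    cn=puppet-secondary.company.com
    make_fixture "$tmp" "$cn" "DNS:$cn,DNS:puppet.company.com"
    check_puppetserver_cert "$tmp/$cn.pem" "$tmp/$cn.key" "$tmp/ca_crt.pem" puppet.company.com \
        && echo "OK: $cn carries the round-robin SAN and matches its key"
    check_puppetserver_cert "$tmp/$cn.pem" "$tmp/ca_key.pem" "$tmp/ca_crt.pem" puppet.company.com || true
    check_puppetserver_cert "$tmp/$cn.pem" "$tmp/$cn.key" "$tmp/ca_crt.pem" other.company.com || true
    rm -rf "$tmp"
}

# Run the demo when executed directly and openssl is installed.
if command -v openssl >/dev/null 2>&1; then
    demo
fi
```

Run it as-is to see the three outcomes, or call check_puppetserver_cert with the real paths on the secondary after the rsync step; a non-zero exit tells you which of the three conditions the copied files fail before the Jetty error at startup does.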
