Centralizing the certificate authority in Puppet Server version 4

I am trying to set up multiple puppet masters with a central certificate authority, following this link:

But that document was written for Puppet version 3. In Puppet 4 there is Puppet Server, which runs on the JVM and Jetty and serves the requests. In the document above, Apache forwards all certificate URIs to the central server. How can I build the same architecture with Puppet 4?

It seems that this is only possible with Puppet Enterprise.

I think that with open source, by comparison, you can keep using Apache/Nginx and proxy the requests to the CA, or configure webserver.conf and use ca_server in puppet.conf on all agents. I am not sure what can be done about CRL revocation. For Puppet 3.8 we use the following scheme, which I think should also work with the new puppetserver (though it is a bit crazy):
# Trigger: run wherever a certificate gets revoked, to tell the master that the
# CRL has changed. The body is just random bytes from pwgen; nginx only needs a
# non-empty POST body that it can spool to a file.
pwgen -1 > /tmp/crl
curl --data-binary '@/tmp/crl' http://puppetmaster:8887/crl
# Receiver on the puppet master. Every POST to /crl is written to a file under
# /srv/puppet/crl/ (client_body_in_file_only); the watcher script below reacts
# to files appearing there. The request body itself is irrelevant, and the
# second server on localhost:8888 only exists so that proxy_pass has somewhere
# to hand the request to.
# Note: port 8887 is unauthenticated, so anyone who can reach it can trigger a
# CRL re-fetch (nothing more); restrict it with allow/deny or a firewall rule.
server {
    listen 8887;
    server_name puppetmaster.net;
    root /var/www;

    location /crl {
        # only POST is allowed; GET, HEAD and everything else are denied
        limit_except POST { deny all; }
        # spool each request body to its own file instead of memory
        client_body_temp_path /srv/puppet/crl/;
        client_body_in_file_only on;
        client_body_buffer_size 128K;
        client_max_body_size 128K;
        proxy_pass_request_headers on;
        # tell the backend where the spooled file is
        proxy_set_header X-FILE $request_body_file;
        # do not forward the spooled body to the backend
        proxy_pass_request_body off;
        proxy_redirect off;
        proxy_pass http://localhost:8888;
    }
}

server {
    listen localhost:8888;
    server_name localhost;
    root /var/www;
}
#!/bin/bash
# Watcher on the puppet master: waits until the trigger directory has been
# quiet for 10 seconds, fetches the CRL from the CA over mutual TLS, checks
# that it is signed by our CA, installs it and reloads Apache.
PID='/tmp/crlpid'
# simple lock file so only one copy runs at a time
if [[ -f $PID ]]; then
    exit
else
    touch "$PID"
fi
# release the lock even if the script is killed or fails part-way
trap 'rm -f "$PID"' EXIT

# Empty the trigger spool and wait until no new trigger has arrived for 10 s
function check {
    rm -f /srv/puppet/crl/*
    sleep 10
    COUNT=$(ls -1 /srv/puppet/crl | wc -l)
    if [[ $COUNT -gt 0 ]]; then
        check
    else
        return 0
    fi
}

if check; then
    STATUS='NOTSET'
    SSLDIR=$(puppet config print ssldir)
    # the master's own certname (may differ from hostname -f)
    CERTNAME=$(puppet config print certname)
    ENV=$(puppet config print environment)
    # Puppet 3 API path. Puppet Server 2.x (Puppet 4) serves the CRL at
    # /puppet-ca/v1/certificate_revocation_list/ca and expects Accept: text/plain.
    URL="https://puppetca:8140/${ENV}/certificate_revocation_list/ca"
    CRT=$(puppet config print cacert)
    CRL=$(puppet config print cacrl)
    TMPCRL="/tmp/puppet_ca_crlpem.tmp"
    # authenticate to the CA with the master's own agent certificate;
    # --fail makes an HTTP error leave no output file behind
    curl --fail --silent --show-error --output "${TMPCRL}" \
        --cacert "${SSLDIR}/certs/ca.pem" \
        --cert "${SSLDIR}/certs/${CERTNAME}.pem" \
        --key "${SSLDIR}/private_keys/${CERTNAME}.pem" \
        -H "Accept: s" "${URL}"
    # only accept a CRL whose signature verifies against our CA certificate
    openssl crl -text -in "${TMPCRL}" -CAfile "${CRT}" -noout > /dev/null 2>&1 && STATUS='VALID'
    if [[ "${STATUS}" == "VALID" ]]; then
        mv -f "${TMPCRL}" "${CRL}"
        chown puppet:puppet "${CRL}"
        systemctl reload httpd.service
    else
        rm -f "${TMPCRL}"
    fi
fi
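The script in the answer above installs any CRL whose signature verifies against the CA. That check alone also accepts a CRL that is genuine but expired, or a genuine older CRL replayed by whoever can talk to the master, which would quietly un-revoke certificates. The following bash script is an added example, not code from the answer or from Puppet: it builds a throwaway CA, one leaf certificate and two CRLs with openssl (all names and paths are made up), and then shows an install_crl that checks signature, validity window and a monotonically increasing crlNumber before replacing the installed file. It assumes bash, openssl and GNU date.

```shell
#!/bin/bash
# Added example (not part of the original answer). Stricter CRL installation
# than "openssl crl -CAfile": also rejects expired CRLs and CRLs whose
# crlNumber is lower than the one already installed (replay / rollback).
# Fixtures below are constructed here; the CA name and certname are invented.
set -eu

WORK=$(mktemp -d)
CNF="$WORK/openssl.cnf"

# --- constructed fixtures: demo CA, one leaf cert, two CRLs -----------------
make_fixtures() {
  mkdir -p "$WORK/newcerts"
  : > "$WORK/index.txt"
  echo 1000 > "$WORK/serial"
  echo 01   > "$WORK/crlnumber"        # first CRL gets crlNumber 1
  cat > "$CNF" <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir              = $WORK
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.pem
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = loose
[ loose ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
  openssl req -x509 -config "$CNF" -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo Puppet CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -config "$CNF" -newkey rsa:2048 -nodes \
    -subj "/CN=node1.example.com" -keyout "$WORK/node.key" -out "$WORK/node.csr" 2>/dev/null
  openssl ca -batch -config "$CNF" -notext -in "$WORK/node.csr" -out "$WORK/node.pem" 2>/dev/null
  openssl ca -config "$CNF" -gencrl -out "$WORK/crl1.pem" 2>/dev/null   # crlNumber 1, nothing revoked
  openssl ca -config "$CNF" -revoke "$WORK/node.pem" 2>/dev/null
  openssl ca -config "$CNF" -gencrl -out "$WORK/crl2.pem" 2>/dev/null   # crlNumber 2, node1 revoked
}

# crl_number FILE: the CRL's crlNumber as a decimal integer (0 if absent)
crl_number() {
  local hex
  hex=$(openssl crl -in "$1" -noout -crlnumber)
  hex=${hex#crlNumber=}
  [[ $hex =~ ^[0-9A-Fa-f]+$ ]] && echo $((16#$hex)) || echo 0
}

# install_crl NEW INSTALLED CACERT: validate NEW and replace INSTALLED with it.
# Returns 1 and touches nothing if any check fails.
install_crl() {
  local new=$1 installed=$2 cacert=$3 next
  # 1. signature must verify against our CA (all the original script checks)
  openssl crl -in "$new" -CAfile "$cacert" -noout >/dev/null 2>&1 \
    || { echo "reject: signature does not verify" >&2; return 1; }
  # 2. nextUpdate must still be in the future (GNU date parses the openssl format)
  next=$(openssl crl -in "$new" -noout -nextupdate)
  [ "$(date -u -d "${next#nextUpdate=}" +%s)" -gt "$(date -u +%s)" ] \
    || { echo "reject: CRL has expired" >&2; return 1; }
  # 3. crlNumber must not go backwards: a replayed older CRL would un-revoke certs
  if [ -f "$installed" ] && [ "$(crl_number "$new")" -lt "$(crl_number "$installed")" ]; then
    echo "reject: crlNumber lower than installed CRL" >&2; return 1
  fi
  # 4. copy then rename, so a reader never sees a half-written CRL
  cp "$new" "$installed.tmp" && mv -f "$installed.tmp" "$installed"
}

# is_revoked CERT CRL: succeeds if CERT's serial number is listed in CRL
is_revoked() {
  local serial text
  serial=$(openssl x509 -in "$1" -noout -serial)
  text=$(openssl crl -in "$2" -noout -text)
  [[ $text == *"Serial Number: ${serial#serial=}"* ]]
}

make_fixtures
INSTALLED="$WORK/installed_crl.pem"
install_crl "$WORK/crl1.pem" "$INSTALLED" "$WORK/ca.pem" && echo "crl1 installed"
install_crl "$WORK/crl2.pem" "$INSTALLED" "$WORK/ca.pem" && echo "crl2 installed"
is_revoked "$WORK/node.pem" "$INSTALLED" && echo "node1 is revoked"
install_crl "$WORK/crl1.pem" "$INSTALLED" "$WORK/ca.pem" || echo "replay of crl1 rejected"
```

Dropping install_crl into the answer's watcher in place of the bare openssl check gives the master the same three guarantees for the real CA's CRL: the installed file is always the CA's, never past nextUpdate, and never older than what was there before.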