Cannot generate certificates for puppet-dashboard

I cannot generate the certificates to use with puppet-dashboard. The dashboard runs on the same host as the puppet-master, and both run under apache/passenger. The server name is "mon1", but "puppet" and "dashboard" are aliases for that server and are the aliases the various nodes use.

Versions:

    puppet --version
    3.2.0-rc1
    puppet-dashboard: 1.2.23

The puppet name itself resolves:

    $ curl -k https://puppet:8140
    can't convert nil into String

Here is my configuration, with the error below it:

    # config/settings.yml
    cn_name: 'dashboard'
    ca_crl_path: 'certs/dashboard.ca_crl.pem'
    ca_certificate_path: 'certs/dashboard.ca_cert.pem'
    certificate_path: 'certs/dashboard.cert.pem'
    private_key_path: 'certs/dashboard.private_key.pem'
    public_key_path: 'certs/dashboard.public_key.pem'
    ca_server: 'puppet'
    ca_port: 8140

    # auth.conf
    path /facts
    auth any
    method find, search
    allow *

    path /inventory
    auth any
    method find, search
    allow *

And the error:

    [root@mon1 puppet-dashboard]# sudo -u puppet-dashboard rake cert:create_key_pair
    DEPRECATION WARNING: Rake tasks in vendor/plugins/delayed_job/tasks are deprecated. Use lib/tasks instead. (called from /usr/share/puppet-dashboard/vendor/rails/railties/lib/tasks/rails.rb:10)
    [root@mon1 puppet-dashboard]# sudo -u puppet-dashboard rake cert:request --trace
    DEPRECATION WARNING: Rake tasks in vendor/plugins/delayed_job/tasks are deprecated. Use lib/tasks instead. (called from /usr/share/puppet-dashboard/vendor/rails/railties/lib/tasks/rails.rb:10)
    ** Invoke cert:request (first_time)
    ** Invoke environment (first_time)
    ** Execute environment
    ** Execute cert:request
    rake aborted!
    400 ""
    /usr/lib/ruby/1.8/net/http.rb:2105:in `error!'
    /usr/share/puppet-dashboard/lib/puppet_https.rb:27:in `put'
    /usr/share/puppet-dashboard/lib/tasks/install.rake:50
    /usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:246:in `call'
    /usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:246:in `execute'
    /usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:241:in `each'
    /usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:241:in `execute'
    /usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:184:in `invoke_with_call_chain'
    /usr/lib/ruby/1.8/monitor.rb:242:in `synchronize'
    /usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:177:in `invoke_with_call_chain'
    /usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:170:in `invoke'
    /usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:143:in `invoke_task'
    /usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:101:in `top_level'
    /usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:101:in `each'
    /usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:101:in `top_level'
    /usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:110:in `run_with_threads'
    /usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:95:in `top_level'
    /usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:73:in `run'
    /usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:160:in `standard_exception_handling'
    /usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:70:in `run'
    /usr/lib/ruby/gems/1.8/gems/rake-10.0.4/bin/rake:33
    /usr/bin/rake:19:in `load'
    /usr/bin/rake:19
    Tasks: TOP => cert:request

Edit:

This appears to be a problem with my apache virtual host. Querying the inventory service works when the puppet master runs as a daemon or locally, but not when it is hosted by apache. Below is my virtual host:

    Listen 8140
    <VirtualHost *:8140>
        SSLEngine On

        # Only allow high security cryptography. Alter if needed for compatibility.
        SSLProtocol All -SSLv2
        SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
        SSLCertificateFile      /var/lib/puppet/ssl/certs/mon1.domain.com.pem
        SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/mon1.domain.com.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient optional
        SSLVerifyDepth 1
        SSLOptions +StdEnvVars +ExportCertData

        # These request headers are used to pass the client certificate
        # authentication information on to the puppet master process
        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

        DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
        <Directory /usr/share/puppet/rack/puppetmasterd/>
            Options None
            AllowOverride None
            Order Allow,Deny
            Allow from All
        </Directory>
    </VirtualHost>

The passenger-related tuning settings are in a different virtual host, but I don't believe they are relevant. Could this have something to do with the certificate name being "mon1.domain.com" rather than "puppet.domain.com"?

Here is an example from the access_log:

    # curl -k -H "Accept: yaml" https://puppet:8140/production/facts/my.node.com
    <LOCALIP> - - [09/May/2013:16:52:40 +1000] "GET /production/facts/my.node.com HTTP/1.1" 400 29 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"

    # some node making a request
    <REMOTEIP> - - [09/May/2013:16:52:53 +1000] "GET /production/node/some.other.node? HTTP/1.1" 200 3291 "-" "Ruby"

Note that I am trying to query facts and nodes with curl from the local machine, and that does not work. It is the same thing puppet-dashboard is trying to do.

Very strange that it just works.. I don't see anything in your Apache configuration that would cause a 400 when running under passenger that wouldn't also happen under webrick, but you never know.

Does the puppet master work correctly under passenger?

The next step in tracking down the error is to enable the --debug line in your config.ru, if you want to keep investigating what is going on; or you can live with getting the certificates you need via the webrick workaround and call it a day.

Make sure you add the following settings to your puppet.conf:

    [master]
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY
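An added illustration, not Puppet's own code nor the answerer's, of why the header names in puppet.conf have to match what the vhost exports: a small Rack-style Ruby function resolves the authenticated client CN from the env keys the front end sets, and returns nil (request treated as unauthenticated) when the configured name is one Apache never populates or no client certificate was verified. The env key names follow the CGI/Rack convention and are assumptions.

```ruby
# Added illustration, not Puppet's own code: how a Rack application
# behind Apache/Passenger derives the authenticated client name from the
# SSL variables the vhost exports and the header names puppet.conf lists.
# Assumed env key names (CGI/Rack convention):
#   mod_ssl +StdEnvVars           -> env['SSL_CLIENT_S_DN'], env['SSL_CLIENT_VERIFY']
#   RequestHeader set X-Client-DN -> env['HTTP_X_CLIENT_DN'] (and so on)

# Pull the CN out of a subject DN; both "CN=x,O=y" and "/CN=x/O=y"
# renderings appear in practice.
def subject_cn(dn)
  return nil if dn.nil? || dn.empty?
  m = dn.match(%r{(?:\A|/|,\s*)CN=([^/,]+)})
  m && m[1].strip
end

# client_header / verify_header mirror ssl_client_header and
# ssl_client_verify_header in puppet.conf. The CN is returned only when
# the front end reports a successfully verified client certificate; any
# other case is treated as an unauthenticated request.
def authenticated_client(env, client_header, verify_header)
  return nil unless env[verify_header] == 'SUCCESS'
  subject_cn(env[client_header])
end

# Constructed Rack env, as the vhost in the question would present a
# request carrying a verified "dashboard" client certificate.
VERIFIED_ENV = {
  'SSL_CLIENT_S_DN'      => '/CN=dashboard',
  'SSL_CLIENT_VERIFY'    => 'SUCCESS',
  'HTTP_X_SSL_SUBJECT'   => '/CN=dashboard',
  'HTTP_X_CLIENT_DN'     => '/CN=dashboard',
  'HTTP_X_CLIENT_VERIFY' => 'SUCCESS'
}.freeze

# Constructed env for "curl -k": TLS session without a client certificate.
ANONYMOUS_ENV = { 'SSL_CLIENT_VERIFY' => 'NONE' }.freeze

if __FILE__ == $0
  # Names match the puppet.conf in the answer -> "dashboard"
  p authenticated_client(VERIFIED_ENV, 'SSL_CLIENT_S_DN', 'SSL_CLIENT_VERIFY')
  # puppet.conf names a header Apache never sets -> nil (unauthenticated)
  p authenticated_client(VERIFIED_ENV, 'HTTP_X_SSL_CLIENT_DN', 'SSL_CLIENT_VERIFY')
  # No client certificate presented -> nil
  p authenticated_client(ANONYMOUS_ENV, 'SSL_CLIENT_S_DN', 'SSL_CLIENT_VERIFY')
end
```

Because the vhost uses `RequestHeader set`, Apache replaces any X-Client-* header a client sends with the value mod_ssl computed, so the application only sees values the front end produced.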