I have installed puppetdb on one of my puppet masters and it works. But I can't connect my second puppet master to it.
The command `puppet agent -t` works on my second master.
Each master handles its own nodes (they are not load balanced).
Here is the puppetserver.log from when I run the puppet agent command:
    2017-06-22 15:48:21,255 ERROR [qtp1178717687-64] [cphciPersistentSyncHttpClient] Error executing http request
    javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1431) ~[na:1.8.0_65]
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535) ~[na:1.8.0_65]
        at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214) ~[na:1.8.0_65]
        at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186) ~[na:1.8.0_65]
        at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469) ~[na:1.8.0_65]
        at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:263) ~[puppet-server-release.jar:na]
        at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:303) ~[puppet-server-release.jar:na]
        at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:507) ~[puppet-server-release.jar:na]
        at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:122) ~[puppet-server-release.jar:na]
        at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:164) ~[puppet-server-release.jar:na]
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:339) ~[puppet-server-release.jar:na]
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:317) ~[puppet-server-release.jar:na]
        at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:278) ~[puppet-server-release.jar:na]
        at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:106) ~[puppet-server-release.jar:na]
        at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:590) ~[puppet-server-release.jar:na]
        at java.lang.Thread.run(Thread.java:745) ~[na:1.8.0_65]
    Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_65]
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728) ~[na:1.8.0_65]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304) ~[na:1.8.0_65]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[na:1.8.0_65]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) ~[na:1.8.0_65]
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[na:1.8.0_65]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[na:1.8.0_65]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:919) ~[na:1.8.0_65]
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:916) ~[na:1.8.0_65]
        at java.security.AccessController.doPrivileged(Native Method) ~[na:1.8.0_65]
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1369) ~[na:1.8.0_65]
        at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:281) ~[puppet-server-release.jar:na]
        at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:351) ~[puppet-server-release.jar:na]
        ... 9 common frames omitted
    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) ~[na:1.8.0_65]
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[na:1.8.0_65]
        at sun.security.validator.Validator.validate(Validator.java:260) ~[na:1.8.0_65]
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[na:1.8.0_65]
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281) ~[na:1.8.0_65]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[na:1.8.0_65]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496) ~[na:1.8.0_65]
        ... 17 common frames omitted
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146) ~[na:1.8.0_65]
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) ~[na:1.8.0_65]
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[na:1.8.0_65]
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ~[na:1.8.0_65]
        ... 23 common frames omitted
I have the default configuration in jetty.ini:
    [jetty]
    # IP address or hostname to listen for clear-text HTTP. To avoid resolution
    # issues, IP addresses are recommended over hostnames.
    # Default is `localhost`.
    # host = <host>

    # Port to listen on for clear-text HTTP.
    port = 8080

    # The following are SSL specific settings. They can be configured
    # automatically with the tool `puppetdb ssl-setup`, which is normally
    # ran during package installation.

    # IP address to listen on for HTTPS connections. Hostnames can also be used
    # but are not recommended to avoid DNS resolution issues. To listen on all
    # interfaces, use `0.0.0.0`.
    ssl-host = 0.0.0.0

    # The port to listen on for HTTPS connections
    ssl-port = 8081

    # Private key path
    ssl-key = /etc/puppetdb/ssl/private.pem

    # Public certificate path
    ssl-cert = /etc/puppetdb/ssl/public.pem

    # Certificate authority path
    ssl-ca-cert = /etc/puppetdb/ssl/ca.pem
Here is the puppetdb.conf on my second master:
    [main]
    server_urls = https://puppetmaster01.domain.com:8081
When I first ran puppetdb ssl-setup, it said it was copying the puppetmaster SSL files (ca, private and public) from /etc/puppetlabs/puppet/ssl. So I tried copying those from my master02 and putting them into the 3 files specified in the doc, but it didn't work.
Thanks for your help!
EDIT: I found a document telling me that I have to use a CA certificate. So I generated a CA certificate with this command:
puppet cert generate puppetmaster01.domain.com --allow-dns-alt-names --dns_alt_names=puppetmaster.domain.com,puppetmaster01.domain.com,puppetmaster02.domain.com
After that I set up SSL for puppetdb with this:
puppetdb ssl-setup -f
First problem: my masters work, and I copied ssl/certs/ca.pem into my nodes' ssl/certs; they were able to generate a new SSL certificate, but my master never received it.
Second problem: I copied the whole SSL directory from the first master to the second one and renamed the SSL files, but when I start my puppet agent I get:
    Error: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: puppetmaster01.domain.com(IP_MASTER_02) access to /puppet/v3/catalog/puppetmaster02.domain.com [find] authenticated at :68
    Warning: Not using cache on failed catalog
    Error: Could not retrieve catalog; skipping run
    Error: Could not send report: Error 403 on SERVER: Forbidden request: puppetmaster01.domain.com(172.27.15.24) access to /puppet/v3/report/puppetmaster02.domain.com [save] authenticated at :78
It's as if it were trying to fetch the information for master01 instead of 02...
I found out how to use the CA: you just have to put the puppet/ssl/ca directory on your other servers and regenerate the SSL certificates.
So on your first master you use: puppet cert generate puppetmaster01.domain.com --allow-dns-alt-names --dns_alt_names=puppetmaster.domain.com,puppetmaster01.domain.com,puppetmaster02.domain.com
Copy the whole puppet/ssl/ca onto your second master and regenerate its SSL certificate: puppet cert generate puppetmaster02.domain.com
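The "PKIX path building failed" error in the log and the fix in the answer come down to one condition: the certificate one side presents must chain to the ca.pem the other side trusts, which is exactly what breaks when each master has its own CA. This added example (not the poster's, not PuppetDB's own code) rebuilds that situation offline with openssl in a temp directory: two independent CAs fail `openssl verify`, re-signing the second master's certificate under the shared CA makes it pass, and `cert_has_san` checks the dns_alt_names the post relies on. Hostnames such as master01.example are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the "PKIX path building
# failed" condition offline with openssl, then show the shared-CA fix.
# Hostnames and paths below are constructed for the demo, not the poster's.
set -eu

# verify_chain CA_PEM CERT_PEM: succeeds only if CERT chains to CA (the check
# puppetdb's Java client fails in the log). Output is grepped because old
# openssl versions exit 0 even when verification fails.
verify_chain() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# cert_has_san CERT_PEM DNSNAME: succeeds if the cert lists DNS:DNSNAME
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,| |\$)"
}

# mk_ca DIR CN: self-signed CA key and certificate
mk_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$1/ca.key" \
        -out "$1/ca.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# mk_leaf DIR NAME CADIR SANLIST: key + CSR + CA-signed cert carrying SANs
mk_leaf() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
    printf 'subjectAltName=%s\n' "$4" > "$1/ext.cnf"
    openssl x509 -req -in "$1/$2.csr" -CA "$3/ca.pem" -CAkey "$3/ca.key" \
        -CAcreateserial -days 1 -extfile "$1/ext.cnf" -out "$1/$2.pem" \
        >/dev/null 2>&1
}

# report CA CERT LABEL: print the verdict in human form
report() {
    if verify_chain "$1" "$2"; then echo "OK    $3"; else echo "FAIL  $3"; fi
}

demo() {
    T=$(mktemp -d); mkdir -p "$T/ca1" "$T/ca2" "$T/m1" "$T/m2"
    mk_ca "$T/ca1" "Puppet CA on master01"
    mk_ca "$T/ca2" "Separate CA on master02"   # broken state: two CAs
    mk_leaf "$T/m1" master01.example "$T/ca1" \
        "DNS:puppet.example,DNS:master01.example,DNS:master02.example"
    mk_leaf "$T/m2" master02.example "$T/ca2" "DNS:master02.example"
    report "$T/ca1/ca.pem" "$T/m2/master02.example.pem" "master02 cert vs master01 CA (two CAs)"
    mk_leaf "$T/m2" master02.example "$T/ca1" "DNS:master02.example"   # re-sign with shared CA
    report "$T/ca1/ca.pem" "$T/m2/master02.example.pem" "master02 cert vs master01 CA (shared CA)"
    rm -rf "$T"
}
demo
```

Run the same two checks against the real files (puppetdb's ssl-ca-cert from jetty.ini and the other master's certs/<fqdn>.pem) before touching any keys; a FAIL there is this exact log error.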