我很难在主站和从站上使用puppet 3.3.1(puppet opensource)设置一个主/节点场景。 奴隶在Windows和SLES机器上。 师父也在SLES机器上。
问题:我第一次启动代理程序时,会创build一个新的证书并将其发送给主服务器。 在主人,我可以看到证书请求,并接受它。 当我再次启动代理程序时,出现以下消息:
Running Puppet agent on demand ... Warning: Unable to fetch my node definition, but the agent run will continue: Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: c ertificate verify failed: [certificate signature failure for /CN=my-master.com] Info: Retrieving plugin Error: /File[C:/Dokumente und Einstellungen/All Users/Anwendungsdaten/PuppetLabs /puppet/var/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certifica te verify failed: [certificate signature failure for /CN=my-master.com] Error: /File[C:/Dokumente und Einstellungen/All Users/Anwendungsdaten/PuppetLabs /puppet/var/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature fa ilure for /CN=my-master.com] Could not retrieve file metadata f or puppet://my-master.com/plugins: SSL_connect returned=1 errno =0 state=SSLv3 read server certificate B: certificate verify failed: [certificat e signature failure for /CN=my-master.com] Error: Could not retrieve catalog from remote server: SSL_connect returned=1 err no=0 state=SSLv3 read server certificate B: certificate verify failed: [certific ate signature failure for /CN=my-master.com] Warning: Not using cache on failed catalog Error: Could not retrieve catalog; skipping run Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read se rver certificate B: certificate verify failed: [certificate signature failure fo r /CN=my-master.com]
有线的事情是,它已经工作,但现在不。 这些步骤我已经试图解决这个问题:
找出每个方面认为是主动CA的东西
puppet master --configprint cacert
puppet agent --configprint cacert
确保代理信任主服务器用于签名的相同CA. 如有疑问,请更换代理商的副本。 然后它应该接受一个新签署的证书。
对于一个干净的石板,你应该只有
$ssldir
删除所有$(facter fqdn).pem
$ssldir
$(facter fqdn).pem
文件 puppet cert clean <fqdn>
然后,代理商应该再发行一个CSR,如果CA的副本确实是同步的,那么最终应该接受该证书。