Setting up a non-CA puppet master

I want to set up an additional puppet master as a non-CA server.

I have installed Passenger and am using it successfully. The servers in question all run CentOS 6.6 and are all on the same network. SELinux is permissive. The test environment consists of three servers, as follows:

1. HOSTNAME=basxtststinfl01, DNS=puppet.xchanginghosting.com, basxtststinfl01.xchanginghosting.com (CA Master)
2. HOSTNAME=basxtststinfl02, DNS=basxtststinfl02.xchanginghosting.com (non-CA Master)
3. HOSTNAME=basxtststinfl03, DNS=basxtststinfl03.xchanginghosting.com (Agent)

I have configured my second puppet master (the non-CA one) as follows:

    [main]
    dns_alt_names = basxtststinfl02.xchanginghosting.com,basxtststinfl02
    ca_server = basxtststinfl01.xchanginghosting.com

    [master]
    ca = false

I deleted the original certificate on the non-CA puppet master and regenerated another one after adding dns_alt_names, but before adding ca and ca_server.

    + "basxtststinfl01.xchanginghosting.com" (SHA256) E6:5D:56:39:16:22:A0:FD:8A:C1:AF:83:EB:80:94:2D:74:CE:1F:75:D5:3A:F7:92:EF:36:1A:85:4C:EA:58:F2 (alt names: "DNS:basxtststinfl01", "DNS:basxtststinfl01.xchanginghosting.com", "DNS:puppet", "DNS:puppet.xchanginghosting.com")

Is this the correct approach so far?

My vhost file looks like this:

    LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.59/buildout/apache2/mod_passenger.so
    PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.59
    PassengerDefaultRuby /usr/bin/ruby
    PassengerMaxRequests 1000
    PassengerMaxPoolSize 12
    PassengerPoolIdleTime 1500
    PassengerStatThrottleRate 120

    Listen 8140

    <VirtualHost *:8140>
        SSLProxyEngine On
        ProxyPassMatch ^/([^/]+/certificate.*)$ https://basxtststinfl01.xchanginghosting.com:8140/$1

        SSLEngine on
        SSLProtocol ALL -SSLv2 -SSLv3
        SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
        SSLHonorCipherOrder on
        SSLCertificateFile /var/lib/puppet/ssl/certs/basxtststinfl02.xchanginghosting.com.pem
        SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/basxtststinfl02.xchanginghosting.com.pem
        SSLVerifyClient optional
        SSLVerifyDepth 1
        SSLOptions +StdEnvVars +ExportCertData

        RequestHeader unset X-Forwarded-For
        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

        DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
        RackBaseURI /
        <Directory /usr/share/puppet/rack/puppetmasterd/>
            Options None
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
    </VirtualHost>

Note: I removed SSLCertificateChainFile, SSLCACertificateFile and SSLCARevocationFile on the assumption that I would not need them for a non-CA master.

The agent has been used many times in other test environments, so I removed any existing certificates before attempting the initial agent run. I then tried to request a certificate via the non-CA master (basxtststinfl02).

    # puppet agent --verbose --onetime --no-daemonize --server basxtststinfl02
    Info: Creating a new SSL key for basxtststinfl03.xchanginghosting.com
    Info: Caching certificate for ca
    Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
    Info: Creating a new SSL certificate request for basxtststinfl03.xchanginghosting.com
    Info: Certificate Request fingerprint (SHA256): 85:13:E4:3E:DE:54:24:44:22:07:7E:E9:51:96:CE:88:89:96:82:35:51:97:91:8C:C0:B9:24:42:50:FD:FE:F3
    Info: Caching certificate for ca

Looks good!

I was then able to sign the certificate successfully on the CA master (basxtststinfl01). However, after signing the certificate and repeating the puppet agent command on the agent, I see the following errors:

    Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get local issuer certificate for /CN=basxtststinfl02.xchanginghosting.com]
    Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://basxtststinfl02/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get local issuer certificate for /CN=basxtststinfl02.xchanginghosting.com]

I have no idea what this error is telling me. Has anyone else configured a second master as a non-CA successfully? Or does the above error make sense to anyone?

I think you are submitting the wrong CA certificate. It should be set to the ca.pem of the CA puppet master.

After running the second master's agent against the primary master, add the following to your puppet master vhost configuration:

    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCARevocationFile /var/lib/puppet/ssl/crl.pem
    SSLCARevocationCheck chain

In case I am wrong, I checked the configuration of my working secondary master, and this is what differs from yours:

    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCARevocationFile /var/lib/puppet/ssl/crl.pem
    SSLCARevocationCheck chain

    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    ProxyPassMatch ^/([^/]+/certificate.*)$ https://ca.puppet.master:8140/$1
    <Location ~ "/[^/]+/certificate">
        PassengerHighPerformance Off
    </Location>

At least that gives you something else to try.
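The question's vhost and the answer's fix together describe one checkable condition: a non-CA master that terminates TLS in Apache needs the CA's ca.pem as both its chain file and its client-verification trust store, a CRL that is actually enforced, and a proxy rule that sends certificate requests on to the CA master. The lint below is an added example, not code from the question, the answer or the Puppet project; it parses a vhost block and reports which of those pieces are missing. The two vhost texts are constructed samples modelled on the question's configuration and on the directives the answer adds.

```python
"""Lint an Apache/Passenger vhost for a non-CA Puppet master (added example)."""
import re
from typing import Dict, List

# Constructed sample: the question's vhost, reduced to its SSL and proxy lines.
VHOST_BROKEN = """\
Listen 8140
<VirtualHost *:8140>
    SSLProxyEngine On
    ProxyPassMatch ^/([^/]+/certificate.*)$ https://basxtststinfl01.xchanginghosting.com:8140/$1
    SSLEngine on
    SSLCertificateFile /var/lib/puppet/ssl/certs/basxtststinfl02.xchanginghosting.com.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/basxtststinfl02.xchanginghosting.com.pem
    SSLVerifyClient optional
    SSLVerifyDepth 1
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
</VirtualHost>
"""

# Constructed sample: the same vhost with the four directives from the answer added.
VHOST_FIXED = VHOST_BROKEN.replace(
    "    SSLVerifyClient optional\n",
    "    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem\n"
    "    SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem\n"
    "    SSLCARevocationFile /var/lib/puppet/ssl/crl.pem\n"
    "    SSLCARevocationCheck chain\n"
    "    SSLVerifyClient optional\n",
)

_DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)\s+(.*?)$")


def parse_vhost(text: str) -> Dict[str, List[str]]:
    """Collect the directives of the first <VirtualHost> block, keyed by lower-cased name.

    Apache directive names are case-insensitive; values are kept verbatim.
    Nested container tags (<Directory>, <Location>) are skipped, their contents kept.
    """
    directives: Dict[str, List[str]] = {}
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("<virtualhost"):
            inside = True
            continue
        if line.lower().startswith("</virtualhost"):
            break
        if not inside or line.startswith("<"):
            continue
        m = _DIRECTIVE_RE.match(line)
        if m:
            directives.setdefault(m.group(1).lower(), []).append(m.group(2))
    return directives


# Directive a non-CA master needs -> what goes wrong without it (the answer's fix).
REQUIRED = {
    "sslcertificatechainfile": "agents cannot chain the master's certificate to the CA "
                               "('unable to get local issuer certificate')",
    "sslcacertificatefile": "mod_ssl has no CA to verify agent client certificates against, "
                            "so X-Client-Verify never reports SUCCESS",
    "sslcarevocationfile": "certificates revoked on the CA master are still accepted",
}


def lint_vhost(text: str) -> List[str]:
    """Return a list of findings; an empty list means the vhost has every piece."""
    d = parse_vhost(text)
    findings: List[str] = []
    if d.get("sslengine", [""])[0].lower() != "on":
        findings.append("SSLEngine is not 'on'")
    for name, consequence in REQUIRED.items():
        if name not in d:
            findings.append(f"missing {name}: {consequence}")
    # Apache 2.4 defaults SSLCARevocationCheck to 'none', so a CRL file alone is not enforced.
    if "sslcarevocationfile" in d and d.get("sslcarevocationcheck", ["none"])[0].lower() == "none":
        findings.append("SSLCARevocationFile set but SSLCARevocationCheck is 'none': CRL not enforced")
    # Certificate requests must be forwarded to the CA master; proxying to https needs SSLProxyEngine.
    proxies = d.get("proxypass", []) + d.get("proxypassmatch", [])
    if not any("certificate" in p for p in proxies):
        findings.append("no ProxyPass/ProxyPassMatch forwarding certificate requests to the CA master")
    if any("https://" in p for p in proxies) and d.get("sslproxyengine", [""])[0].lower() != "on":
        findings.append("proxying to https:// without SSLProxyEngine On")
    return findings


if __name__ == "__main__":
    for label, text in (("question's vhost", VHOST_BROKEN), ("with the answer's directives", VHOST_FIXED)):
        print(f"{label}: {lint_vhost(text) or 'no findings'}")
```

Run against the question's vhost it reports the three missing directives; with the answer's four lines added it reports nothing. Pointing it at a real file (`lint_vhost(open(path).read())`) is a quick way to confirm a secondary master's vhost before chasing the agent-side SSL error.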