How do I make the puppet master reachable by hostname without modifying /etc/hosts on the clients?

I created an A record for my puppet master. In case the puppet master at this IP address goes down and I have to bring up a new one at a new IP address, I can change the IP address associated with the hostname in the A record to the new IP address.

I want all my puppet clients to be able to connect to the new puppet master through the hostname in the A record.

    $ dig puppetmaster.mywebsite.com
    ;; ANSWER SECTION:
    puppetmaster.mywebsite.com. 300 IN A 1.2.3.4

My client has the hostname puppetclient-01 and my master has the hostname puppetmaster.

On my puppet client I don't have any entry in /etc/hosts mapping the puppetmaster hostname to a specific IP, because if the puppetmaster goes down I have to start a new puppet master at a new IP, and I want to avoid changing all the /etc/hosts files on my clients.

In /etc/puppet/puppet.conf on puppetclient-01, the only change I made to the defaults is adding

    [agent]
    server = puppetmaster.mywebsite.com

On puppetclient-01 I run this

    root@puppetclient-01:~# puppet agent --test
    info: Creating a new SSL key for puppetclient-01
    info: Caching certificate for ca
    info: Creating a new SSL certificate request for puppetclient-01
    info: Certificate Request fingerprint (md5): 12:34:56:78:CB:81:62:2E:5F:AB:40:54:D0:A1:37:95
    Exiting; no certificate found and waitforcert is disabled

Then on puppetmaster I run this

    root@puppetmaster:~# puppetca --sign puppetclient-01
    notice: Signed certificate request for puppetclient-01
    notice: Removing file Puppet::SSL::CertificateRequest puppetclient-01 at '/var/lib/puppet/ssl/ca/requests/puppetclient-01.pem'

Then, when I try a puppet run on puppetclient-01

    root@puppetclient-01:~# puppet agent --test
    info: Caching certificate for puppetclient-01
    err: Could not retrieve catalog from remote server: Server hostname 'puppetmaster.mywebsite.com' did not match server certificate; expected puppetmaster
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run
    err: Could not send report: Server hostname 'puppetmaster.mywebsite.com' did not match server certificate; expected puppetmaster

Why am I getting the error Server hostname 'puppetmaster.mywebsite.com' did not match server certificate; expected puppetmaster?

Do I need to change any directive in /etc/puppet/puppet.conf on the client or on the master to make this work?

It looks like you did not use the FQDN when generating the master certificate. Following http://docs.puppetlabs.com/guides/troubleshooting.html: if sudo puppet master --configprint certname prints puppetmaster instead of puppetmaster.mywebsite.com, you need to:

Regenerate the puppet master's certificate:

Stop the puppet master. Delete the puppet master's certificate, private key and public key:

    $ sudo find $(puppet master --configprint ssldir) -name "$(puppet master --configprint certname).pem" -delete

Edit the certname setting in the puppet master's /etc/puppet/puppet.conf to match the puppet master's actual hostname, and the dns_alt_names setting in that file to match any other DNS names you want the master to respond to. Start a non-daemonized WEBrick puppet master instance and wait for it to generate and sign a new certificate:

    $ sudo puppet master --no-daemonize --verbose

Once you see the "notice: Starting Puppet master version 2.6.9" message, stop the temporary puppet master with ctrl-C. Restart the puppet master.
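A small check of the mismatch the answer describes, added here as an example and not code from the post or from Puppet: it reads the master's certname and dns_alt_names and the agent's server setting from puppet.conf text and reports whether the name the agent dials is one the regenerated certificate will carry. The sample configs are constructed; the section precedence and the optional DNS: prefix are modelled on Puppet's documented behaviour but are assumptions here.

```python
import configparser

# Constructed sample configs (not the asker's files). MASTER_CONF_BROKEN mirrors
# the question: certname left at the short hostname. AGENT_CONF is the asker's
# one change. MASTER_CONF_FIXED is what the answer's fix would produce.
MASTER_CONF_BROKEN = """[main]
certname = puppetmaster
"""
MASTER_CONF_FIXED = """[main]
certname = puppetmaster.mywebsite.com
dns_alt_names = puppetmaster, DNS:puppet.mywebsite.com
"""
AGENT_CONF = """[agent]
server = puppetmaster.mywebsite.com
"""

def _lookup(conf_text, sections, option, default=None):
    """Read `option` from the first of `sections` defining it, mimicking
    Puppet's precedence (a role section such as [master] overrides [main])."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    for section in sections:
        if cp.has_option(section, option):
            return cp.get(section, option).strip()
    return default

def cert_names(master_conf):
    """Names the regenerated master cert will carry: certname plus each
    dns_alt_names entry (optional 'DNS:' prefix stripped), lower-cased."""
    names = {_lookup(master_conf, ("master", "main"), "certname").lower()}
    alt_names = _lookup(master_conf, ("master", "main"), "dns_alt_names", "")
    for entry in alt_names.split(","):
        entry = entry.strip().lower()
        if entry.startswith("dns:"):
            entry = entry[len("dns:"):]
        if entry:
            names.add(entry)
    return names

def agent_server(agent_conf):
    """Hostname the agent dials; Puppet's built-in default is 'puppet'."""
    return _lookup(agent_conf, ("agent", "main"), "server", "puppet").lower()

def server_matches_cert(agent_conf, master_conf):
    """True when the name the agent dials is one the master's cert presents,
    so the run will not fail with 'did not match server certificate'."""
    return agent_server(agent_conf) in cert_names(master_conf)
```

Running server_matches_cert(AGENT_CONF, MASTER_CONF_BROKEN) reproduces the failure from the question, and the same call with MASTER_CONF_FIXED passes once certname is the FQDN.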