Could not call sign: Could not find certificate request for puppet

I used the following guide to get started with Puppet on EC2.

https://help.ubuntu.com/12.04/serverguide/puppet.html

At the last step, when I try to sign the puppet client from the puppetmaster, I get the following error:

    root@ip-10-248-27-66:/home/ubuntu# puppetca --sign ec2-54-245-56-210.us-west-2.compute.amazonaws.com
    err: Could not call sign: Could not find certificate request for ec2-54-245-56-210.us-west-2.compute.amazonaws.com

This is the content of /etc/hosts on the puppetmaster:

    127.0.0.1 localhost puppetmaster
    10.248.34.162 ec2-54-245-56-210.us-west-2.compute.amazonaws.com puppet

    # The following lines are desirable for IPv6 capable hosts
    ::1 ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    ff02::3 ip6-allhosts

This is the content of /etc/hosts on the puppet client:

    127.0.0.1 localhost
    10.248.27.66 ec2-50-112-220-110.us-west-2.compute.amazonaws.com puppetmaster

    # The following lines are desirable for IPv6 capable hosts
    ::1 ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    ff02::3 ip6-allhosts

I followed the troubleshooting suggestions given here: https://serverfault.com/a/388973/85577

Is the master running?

    root@ip-10-248-27-66:/home/ubuntu# service puppetmaster status
     * master is running

Does the hostname "puppet" or "puppet.abc.com" resolve from the agent?

How would I check this? Do I just telnet to port 8140 on the puppetmaster (the host command does not resolve it, but the telnet command does)?

    root@ip-10-248-34-162:/home/ubuntu# host puppetmaster
    Host puppetmaster not found: 3(NXDOMAIN)

Is TCP port 8140 on the master host reachable from the agent (try: telnet puppet 8140)?

    root@ip-10-248-34-162:/home/ubuntu# telnet puppetmaster 8140
    Trying 10.248.27.66...
    Connected to ec2-50-112-220-110.us-west-2.compute.amazonaws.com.
    Escape character is '^]'.

What does syslog on the agent say?

    Apr 11 17:57:41 ip-10-248-34-162 puppet-agent[3897]: Could not request certificate: getaddrinfo: Name or service not known

Try puppet agent --test on the agent; the agent will try to connect to the master and stay in the foreground, showing its output.

    root@ip-10-248-34-162:/home/ubuntu# puppet agent --test
    err: Could not request certificate: getaddrinfo: Name or service not known
    Exiting; failed to retrieve certificate and waitforcert is disabled

EDIT

Thanks dawud. So the entries in /etc/hosts are correct according to this command:

    $ getent hosts puppetmaster
    10.248.27.66    ec2-50-112-220-110.us-west-2.compute.amazonaws.com puppetmaster

But when I try this, I get an error:

    $ puppet agent --test --waitforcert 5
    err: Could not request certificate: Connection refused - connect(2)
    err: Could not request certificate: Connection refused - connect(2)

Check that both the puppetmaster and the client machine can resolve the puppetmaster's FQDN. To do so, add the puppetmaster's IP to /etc/hosts on both machines, then check with the following commands:

    $ ping puppetmaster
    $ getent hosts puppetmaster

Check that you can reach the puppetmaster from the client:

    $ telnet puppetmaster 8140

If the server refuses the connection, check whether that port is open on the puppetmaster:

    # iptables -L -n -v

or add a rule that allows incoming traffic to that port (this depends on how iptables is already configured):

    # iptables -A INPUT -p tcp --dport 8140 -m state --state NEW -j ACCEPT

and run, from the client:

    # puppet agent --test --waitforcert 5

After that, from the puppetmaster,

    # puppet cert list

will show the certificate you have to sign, and you can check that it belongs to the client machine by comparing fingerprints. To sign it:

    # puppet cert sign $client

The puppetmaster will compile the catalog for the client, and you can follow how it is applied in the client's console.

To regenerate the certificate on the puppetmaster, stop the puppetmaster and run

    # find $(puppet master --configprint ssldir) -name "$(puppet master --configprint certname).pem" -delete

When you start the puppetmaster again, it will regenerate the certificate for you.

On the client, just delete the contents of the ssldir, usually /var/lib/puppet/ssl; as noted above, on the next invocation of

    # puppet agent --test --waitforcert 5

it will be recreated.

Finally, check the CN of the puppet certificates with

    # puppet cert list --all

and match any name/alt name against the entries in /etc/hosts.
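The answer above runs the name-resolution and port-reachability checks by hand. The following script is an added example, not code from the thread or from Puppet itself, that performs the same two checks from the agent in one place: whether the master's name resolves (the lookup goes through /etc/hosts and DNS exactly as getent hosts and the agent do), and whether TCP port 8140 completes a handshake. It maps the outcome onto the two errors quoted in the question ("getaddrinfo: Name or service not known" versus "Connection refused - connect(2)"), and additionally distinguishes a silent drop, which the answer's iptables step would otherwise leave ambiguous. The hostname "puppet" and port 8140 come from the thread; the function names are my own.

```python
"""Pre-flight check of a Puppet agent's path to its master.

Added example (not from the ServerFault thread). Two checks: does the
master's name resolve on this host, and does TCP port 8140 accept a
connection. The result strings map onto the agent errors quoted in the
question.
"""
import socket
import sys

PUPPET_PORT = 8140  # default puppetmaster port, as used throughout the thread


def resolve(name):
    """Return the sorted list of IP addresses `name` resolves to ([] on failure).

    socket.getaddrinfo consults /etc/hosts and DNS in nsswitch order, which is
    the same lookup `getent hosts` and the puppet agent itself perform, unlike
    the `host` command, which queries DNS only.
    """
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def diagnose(name, port=PUPPET_PORT, timeout=3.0):
    """Classify reachability of name:port from this host.

    Returns one of:
      "resolution_failed"  -> agent would log
                              'getaddrinfo: Name or service not known'
      "connection_refused" -> agent would log
                              'Connection refused - connect(2)': nothing is
                              listening, or a firewall REJECT rule answered
      "timeout"            -> packets silently dropped (firewall DROP rule,
                              security group, or wrong IP in /etc/hosts)
      "reachable"          -> the TCP handshake completed
    """
    if not resolve(name):
        return "resolution_failed"
    try:
        with socket.create_connection((name, port), timeout=timeout):
            return "reachable"
    except ConnectionRefusedError:
        return "connection_refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        # e.g. "network unreachable": for diagnosis it behaves like a drop
        return "timeout"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "puppet"
    print("%s -> %s" % (target, resolve(target) or "(does not resolve)"))
    print("port %d: %s" % (PUPPET_PORT, diagnose(target)))
```

Run it on the agent as `python3 puppet_check.py puppetmaster`; "resolution_failed" points at /etc/hosts or DNS, "connection_refused" at a stopped master or a REJECT rule, and "timeout" at a DROP rule or a wrong address.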

One thing to discuss here that has not been mentioned before is that sometimes ports can behave strangely. In my case, despite having port 8140 open in iptables, I got the unable-to-connect error. What helped me was the following commands:

    iptables -F
    service iptables save

If the commands above fail for your user, use sudo, of course. I even added the above two commands to the prep script in the configuration file, so that if I pause/recreate these boxes, iptables gets flushed.

I ran into the same problem and solved it with a few different tweaks.

Same error:

    [root@puppetclient puppet]# puppet agent --server yogesh.puppet.com --no-daemonize --verbose
    Error: Could not request certificate: Connection refused - connect(2) for "yogesh.puppet.com" port 8140
    Error: Could not request certificate: Connection refused - connect(2) for "yogesh.puppet.com" port 8140
    Error: Could not request certificate: Connection refused - connect(2) for "yogesh.puppet.com" port 8140
    Error: Could not request certificate: Connection refused - connect(2) for "yogesh.puppet.com" port 8140

I tried everything: iptables, ports, firewall, reinstalling the agent (but not the master). Then I started looking further and found something in the log file:

    I, [2016-04-27T23:21:55.118997 #1745]  INFO -- : activemq.rb:139:in `on_ssl_connecting' Establishing SSL session with stomp+ssl://[email protected]:61613
    E, [2016-04-27T23:21:55.131678 #1745] ERROR -- : activemq.rb:149:in `on_ssl_connectfail' SSL session creation with stomp+ssl://[email protected]:61613 failed: SSL_CTX_use_PrivateKey: key values mismatch
    I, [2016-04-27T23:21:55.132438 #1745]  INFO -- : activemq.rb:129:in `on_connectfail' TCP Connection to stomp+ssl://[email protected]:61613 failed on attempt 36
    I, [2016-04-27T23:22:25.141892 #1745]  INFO -- : activemq.rb:139:in `on_ssl_connecting' Establishing SSL session with stomp+ssl://[email protected]:61613
    E, [2016-04-27T23:22:25.144644 #1745] ERROR -- : activemq.rb:149:in `on_ssl_connectfail' SSL session creation with stomp+ssl://[email protected]:61613 failed: SSL_CTX_use_PrivateKey: key values mismatch
    I, [2016-04-27T23:22:25.144836 #1745]  INFO -- : activemq.rb:129:in `on_connectfail' TCP Connection to stomp+ssl://[email protected]:61613 failed on attempt 37

This pointed me at the certificate on the master server. I recreated the master key, and it worked for me.

Warning: this is my test-only environment; do not use this directly in production.

    [root@YogeshRaheja init.d]# puppet cert clean "yogesh.puppet.com"
    Notice: Revoked certificate with serial 11
    Notice: Removing file Puppet::SSL::Certificate yogesh.puppet.com at '/etc/puppetlabs/puppet/ssl/ca/signed/yogesh.puppet.com.pem'
    Notice: Removing file Puppet::SSL::Certificate yogesh.puppet.com at '/etc/puppetlabs/puppet/ssl/certs/yogesh.puppet.com.pem'
    Notice: Removing file Puppet::SSL::CertificateRequest yogesh.puppet.com at '/etc/puppetlabs/puppet/ssl/certificate_requests/yogesh.puppet.com.pem'
    Notice: Removing file Puppet::SSL::Key yogesh.puppet.com at '/etc/puppetlabs/puppet/ssl/private_keys/yogesh.puppet.com.pem'
    [root@YogeshRaheja init.d]# puppet cert generate yogesh.puppet.com
    Notice: yogesh.puppet.com has a waiting certificate request
    Notice: Signed certificate request for yogesh.puppet.com
    Notice: Removing file Puppet::SSL::CertificateRequest yogesh.puppet.com at '/etc/puppetlabs/puppet/ssl/ca/requests/yogesh.puppet.com.pem'
    Notice: Removing file Puppet::SSL::CertificateRequest yogesh.puppet.com at '/etc/puppetlabs/puppet/ssl/certificate_requests/yogesh.puppet.com.pem'
    [root@YogeshRaheja init.d]# ./pe-puppetserver start
    Starting pe-puppetserver:                                  [  OK  ]
    [root@YogeshRaheja init.d]#
    [root@YogeshRaheja init.d]#
    [root@YogeshRaheja init.d]# netstat -an | grep -i listen
    tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
    tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN
    tcp        0      0 0.0.0.0:5432                0.0.0.0:*                   LISTEN
    tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
    tcp        0      0 :::4433                     :::*                        LISTEN
    tcp        0      0 :::8081                     :::*                        LISTEN
    tcp        0      0 :::22                       :::*                        LISTEN
    tcp        0      0 ::1:631                     :::*                        LISTEN
    tcp        0      0 :::5432                     :::*                        LISTEN
    tcp        0      0 ::1:25                      :::*                        LISTEN
    tcp        0      0 :::42632                    :::*                        LISTEN
    tcp        0      0 :::8140                     :::*                        LISTEN
    tcp        0      0 :::61613                    :::*                        LISTEN

and that solved the client connection problem.
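The "SSL_CTX_use_PrivateKey: key values mismatch" line quoted in the answer above is OpenSSL reporting that the private key it was handed does not correspond to the public key inside the certificate loaded alongside it, which is why regenerating the master's certificate and key as a pair fixed it. The following is an added example, not code from the answer or from Puppet, that makes that check explicit: it derives the public key from the certificate and from the private key and compares them, so a mismatch can be confirmed before a service is restarted or a certificate is cleaned. It assumes the openssl command-line tool is on PATH; the /etc/puppetlabs/puppet/ssl layout is taken from the paths in the answer's output, and the function names are my own.

```python
"""Check that a Puppet certificate and private key belong together.

Added example, not from the thread. 'SSL_CTX_use_PrivateKey: key values
mismatch' means the private key loaded into the TLS context is not the one
the certificate's public key was derived from. Comparing the public key
obtained from each file shows whether a host has that problem.
Assumes the `openssl` CLI is installed.
"""
import subprocess
import sys

# Default layout taken from the paths shown in the answer's output.
DEFAULT_SSLDIR = "/etc/puppetlabs/puppet/ssl"


def _openssl(*args):
    """Run an openssl subcommand and return its stdout as text."""
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def public_key_from_cert(cert_path):
    """Return the PEM SubjectPublicKeyInfo embedded in an X.509 certificate."""
    return _openssl("x509", "-in", cert_path, "-noout", "-pubkey")


def public_key_from_private(key_path):
    """Derive the PEM public key from a private key (works for RSA and EC)."""
    return _openssl("pkey", "-in", key_path, "-pubout")


def cert_matches_key(cert_path, key_path):
    """True when the certificate was issued for exactly this private key."""
    return public_key_from_cert(cert_path) == public_key_from_private(key_path)


def puppet_ssl_paths(certname, ssldir=DEFAULT_SSLDIR):
    """(certificate, private key) paths Puppet keeps for `certname`."""
    return ("%s/certs/%s.pem" % (ssldir, certname),
            "%s/private_keys/%s.pem" % (ssldir, certname))


if __name__ == "__main__":
    # usage: python3 cert_key_check.py <certname> [ssldir]
    certname = sys.argv[1]
    ssldir = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_SSLDIR
    cert, key = puppet_ssl_paths(certname, ssldir)
    if cert_matches_key(cert, key):
        print("OK: %s matches %s" % (cert, key))
    else:
        print("MISMATCH: %s was not issued for %s" % (cert, key))
        sys.exit(1)
```

A mismatch is exactly the state the answer recovers from with `puppet cert clean` followed by `puppet cert generate`, which discards both halves and issues a fresh pair; running this check first confirms that is the fault rather than a firewall or resolution problem.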