I have two machines, the puppet master – hostname puppet – and a lone client, hostname git. The puppet agent on the master has no problems. The agent on git fails with '400 No required SSL certificate was sent'. First, the puppet master's configuration, which is a thin/nginx affair:
```
puppet:~# ruby -v
ruby 1.9.2p0 (2010-08-18 revision 29036) [i486-linux]
puppet:~# puppet --version
2.7.9
puppet:~# cat /etc/nginx/sites-enabled/default
server {
    listen puppet:8140;
    ssl on;
    ssl_certificate /var/lib/puppet/ssl/certs/puppet.pem;
    ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppet.pem;
    ssl_ciphers ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP;
    ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
    ssl_verify_client on;

    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Client-Verify $ssl_client_verify;
    proxy_set_header X-Client-Verify SUCCESS;  # hardcodes SUCCESS next to the real $ssl_client_verify value set above
    proxy_set_header X-Client-DN $ssl_client_s_dn;
    proxy_set_header X-SSL-Subject $ssl_client_s_dn;
    proxy_set_header X-SSL-Issuer $ssl_client_i_dn;

    default_type application/x-raw;

    location /production/file_content/ {
        rewrite ^/production/file_content/modules/([^/]+)/(.*) /$1/files/$2;
        break;
        root /etc/puppet/modules/;
    }

    location / {
        proxy_pass http://puppet-production;
    }
}
# cat /etc/nginx/conf.d/puppet-production-upstream.conf
upstream puppet-production {
    server unix:/var/run/puppet/master.00.sock;
    server unix:/var/run/puppet/master.01.sock;
    server unix:/var/run/puppet/master.02.sock;
}
puppet:~# cat /etc/supervisor/conf.d/puppetmaster.conf
# This file is autogenerated by Puppet. Manual changes will be overwritten!

[program:puppetmaster]
command=/usr/bin/thin start -e development --socket /var/run/puppet/master.%(process_num)02d.sock --user puppet --group puppet --chdir /etc/puppet -R /etc/puppet/config.ru
process_name=%(program_name)s_%(process_num)02d
numprocs=3
priority=999
autostart=true
autorestart=unexpected
startsecs=3
startretries=3
exitcodes=0,2
stopsignal=TERM
stopwaitsecs=10
redirect_stderr=false
stdout_logfile=/var/log/supervisor/puppetmaster/puppetmaster.out
stdout_logfile_maxbytes=250MB
stdout_logfile_backups=10
stderr_logfile=/var/log/supervisor/puppetmaster/puppetmaster.err
stderr_logfile_maxbytes=250MB
stderr_logfile_backups=10
puppet:~# cat /etc/puppet/puppet.conf
[main]
ssldir=$vardir/ssl
[master]
certname=puppet
```
Applying the solution from here, this is all I can get out of the git agent when trying to introduce git to the puppet master:
```
git:~# puppet agent --waitforcert 30 --test
err: Could not request certificate: Error 400 on SERVER: <html>
<head><title>400 No required SSL certificate was sent</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx/1.1.8</center>
</body>
</html>
```
This resource suggests, in its section on simulating SSL connections, running the following from my git box:
```
openssl s_client -host puppet -port 8140 -cert /var/lib/puppet/ssl/certs/git.troutwine.us.pem -key /var/lib/puppet/ssl/private_keys/git.troutwine.us.pem -CAfile /var/lib/puppet/ssl/certs/ca.pem
```
The problem with this is that I'm missing /var/lib/puppet/ssl/certs/git.troutwine.us.pem:
```
git:~# tree /var/lib/puppet/ssl/
/var/lib/puppet/ssl/
├── certificate_requests
├── certs
│   └── ca.pem
├── private
├── private_keys
│   └── git.troutwine.us.pem
└── public_keys
    └── git.troutwine.us.pem
```
Plain old webrick puppetmasterd works just fine – it's only the nginx/puppet combination that lets me down. Both machines run ntpd and have an acceptable time difference. What am I doing wrong?
The #puppet channel suggested changing ssl_verify_client to "optional" rather than "on". I've done so and now everything works.

I myself am convinced this is a bad thing, but after Nuer's suggestion I can't remember why. If anyone believes this is a sub-optimal configuration setting, please let me know.
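Why "on" blocks the very first agent run and "optional" lets it through is easier to see once the two decision points are separated: nginx decides before the request reaches puppet, and after that puppet's Rack handler and auth.conf decide on the X-Client-* headers. The Python model below is an added illustration, not the asker's code or Puppet's; it uses the header names from the nginx config in the question and a hand-copied subset of Puppet 2.7's default auth.conf rules, with paths shown without the environment prefix, and the function names and rule table are my own.

```python
import re

def nginx_gate(verify_mode, client_cert):
    """nginx's ssl_verify_client decision before proxying. client_cert is None
    (nothing sent) or (subject_dn, chains_to_ca_crt). Returns ("400", reason) or
    ("proxy", headers); 'optional' passes everything and leaves the verdict in
    $ssl_client_verify, which is what the upstream must then check."""
    if client_cert is None:
        if verify_mode == "on":
            return ("400", "No required SSL certificate was sent")
        verify, dn = "NONE", ""
    else:
        dn, ok = client_cert
        if not ok and verify_mode == "on":
            return ("400", "The SSL certificate error")
        verify = "SUCCESS" if ok else "FAILED:unable to verify the first certificate"
    return ("proxy", {"X-Client-Verify": verify, "X-Client-DN": dn})

def hardcoded_success(headers):
    """Effect of the extra 'proxy_set_header X-Client-Verify SUCCESS;' line: the
    real verdict is replaced. Modelled only to show why that line must go."""
    return {**headers, "X-Client-Verify": "SUCCESS"}

def client_identity(headers):
    """Puppet's Rack handler: the node name comes from the CN in the DN header and
    counts as authenticated only when the verify header is exactly SUCCESS."""
    m = re.match(r"^.*?CN\s*=\s*(.*)", headers.get("X-Client-DN", ""))
    if not m:
        return None, False
    return m.group(1), headers.get("X-Client-Verify") == "SUCCESS"

# Subset of Puppet 2.7's default auth.conf, first matching path wins:
# (path regex, allowed methods or None for any, auth, allow)
AUTH_RULES = [
    (r"^/catalog/([^/]+)$", {"find"}, "yes", "$1"),
    (r"^/file", None, "yes", "*"),
    (r"^/certificate/", {"find"}, "any", "*"),
    (r"^/certificate_request", {"find", "save"}, "any", "*"),
]

def authorized(method, path, headers):
    node, authenticated = client_identity(headers)
    for pattern, methods, auth, allow in AUTH_RULES:
        m = re.match(pattern, path)
        if not m or (methods and method not in methods):
            continue
        if auth == "yes" and not authenticated:
            return False
        return allow == "*" or (allow == "$1" and m.group(1) == node)
    return False  # no rule matched: puppet denies by default
```

With "optional", a certificate-less agent can still only reach the CSR and certificate endpoints, because auth.conf requires an authenticated CN for catalogs and files; what "optional" must not be combined with is the hardcoded SUCCESS header, which turns a certificate that failed verification into an authenticated node.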
If you run a puppet agent on the master, you should make sure they don't share an SSL directory. I've seen weird things come out of that configuration.

My /etc/puppet/puppet.conf snippet:
```
[main]
# Where SSL certificates are kept for the puppet master and other
# subcommands.
# Note that this is a global setting because most of the subcommands
# other than 'agent' are only valid in puppetmaster context.
# The default value is '$confdir/ssl'.
vardir = /var/lib/puppetmaster
ssldir = $vardir/ssl

[agent]
# The var & SSL dir for the agent; listed explicitly because the master
# and other subcommands intended for the master should use
# the different SSL state.
# The default value is '$confdir/ssl'.
vardir = /var/lib/puppet
ssldir = $vardir/ssl
```