I am trying to run a puppet master on a virtual machine and connect to it from a client through port forwarding on the VM's host.
Details
I have a VM running Ubuntu with Puppet 3.1.1 (called mgt). The VM's host (called loki) runs rinetd, which forwards incoming connections on port 8140 to the VM.
I have a client machine running Puppet 3.0.2 (called thor).
Testing with netcat and telnet confirmed that the port forwarding works and that I can connect from the client (thor) to the puppet master VM (mgt).
When I run the puppet master (on mgt) with the following command, it appears to start correctly:
puppet master --no-daemonize --debug
When I then run the agent (on thor) with the following command:
puppet agent --server loki --test --no-daemonize
I get the following error:
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: localhost]
Info: Retrieving plugin
Error: /File[/var/puppet/lib]: Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: localhost]
Error: /File[/var/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: localhost] Could not retrieve file metadata for puppet://loki/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: localhost]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: localhost]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: localhost]
But I get no additional output from the puppet master indicating that a connection was attempted or rejected.
My understanding is that the puppet master should reject connections until the client's certificate is signed. Running the command puppet set list does not list any unsigned certificates.
Any suggestions on how to proceed?
My apologies, I misread your original error. It looks like the master/agent have become confused; see this link for the details.
In particular:
The server certificate that puppet has and the server certificate the puppet master uses are different. On a pure puppet node, a simple approach is to delete the current SSL information and start over:
find /var/lib/puppet -type f -print0 | xargs -0r rm
Also make sure the client and server agree on the current time (otherwise a certificate created on the other machine may not be valid).
The following link gives a very good explanation of how Puppet certificates work:
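An added pre-flight check, not part of the original answer, that a practitioner would run on the agent before deleting anything: it compares the CA certificate the agent has cached with the one the master uses, and checks clock skew, the two causes named above. It assumes the Puppet 3 default ssldir /var/lib/puppet/ssl and that the master's ca.pem has been copied to the agent by hand (hypothetical path /tmp/master-ca.pem); the master's clock is passed in as an epoch value read however you like (ssh, console).

```shell
#!/bin/sh
# Pre-flight check for "certificate verify failed: [self signed certificate in
# certificate chain ...]": is the agent's cached CA the one the master serves,
# and do the clocks agree? Paths below are Puppet 3 defaults (assumption).

# SHA-256 fingerprint of a PEM certificate, the same digest openssl prints with
# `openssl x509 -noout -fingerprint -sha256` (without colons). Pure shell:
# strip the PEM armor, base64-decode to DER, hash the DER bytes.
pem_fingerprint() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" \
        | grep -v -- '-----' | tr -d '\n' | base64 -d | sha256sum | cut -d' ' -f1
}

# Succeeds (exit 0) when both PEM files carry the same certificate.
same_ca() {
    [ "$(pem_fingerprint "$1")" = "$(pem_fingerprint "$2")" ]
}

# Absolute difference, in seconds, between two epoch timestamps.
clock_skew() {
    if [ "$1" -ge "$2" ]; then echo $(( $1 - $2 )); else echo $(( $2 - $1 )); fi
}

# Succeeds when the skew is within the tolerance (default 300 s).
skew_ok() {
    [ "$(clock_skew "$1" "$2")" -le "${3:-300}" ]
}

# diagnose MASTER_CA_PEM MASTER_EPOCH  (run on the agent, e.g. thor)
# Hypothetical: /tmp/master-ca.pem is a copy of the master's
# /var/lib/puppet/ssl/ca/ca_crt.pem; MASTER_EPOCH is `date -u +%s` on the master.
diagnose() {
    agent_ca=/var/lib/puppet/ssl/certs/ca.pem
    master_ca=${1:-/tmp/master-ca.pem}
    master_now=${2:-$(date -u +%s)}
    if same_ca "$agent_ca" "$master_ca"; then
        echo "CA matches: $(pem_fingerprint "$agent_ca")"
    else
        echo "CA MISMATCH: agent trusts $(pem_fingerprint "$agent_ca")"
        echo "             master uses  $(pem_fingerprint "$master_ca")"
        echo "-> the agent's cached SSL state is stale; clear it and request a new cert"
    fi
    if skew_ok "$(date -u +%s)" "$master_now"; then
        echo "clock skew OK: $(clock_skew "$(date -u +%s)" "$master_now") s"
    else
        echo "CLOCK SKEW too large; fix NTP before regenerating any certificate"
    fi
}
```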