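Puppet master is not signing certificates

Time: 2015-02-27 08:30:58

Tags: certificate puppet

I am using Puppet with Cobbler, and I have run into a problem with certificate signing. I have configured it so that when a Puppet-managed machine is reinstalled, Cobbler revokes the Puppet client certificate. The revocation part works fine and the puppetmaster lists the new client certificate, but the puppetmaster does not sign it, so the puppet client cannot run.

When I list all certificates on the puppet master, this is the output: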

# puppet cert list -a
+ "spacewalk"               (SHA256) E3:63:F1:9A:10:1E:AD:20:72:DA:17:0E:0F:EB:F5:2B:9E:7E:26:80:8D:58:2E:28:A2:2D:68:01:F7:BD:A8:B3 (alt names: "DNS:puppet", "DNS:puppet.playground.local", "DNS:spacewalk")
- "p1.playground.local" (SHA256) CD:AD:3E:04:04:C0:84:88:A0:67:F7:56:57:F1:67:82:43:31:CE:37:71:10:01:AD:15:DE:5A:0E:2E:7C:63:DE (unable to get local issuer certificate)

When I run puppet agent -t on the puppet client, I get this error:

err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

When I try to have the master sign the certificate, this is the error:

# puppet cert sign p1.playground.local
Error: Could not find certificate request for p1.playground.local

This is the error after running puppet agent -t after revoking the certificate:

# puppet agent -t 
info: Creating a new SSL key for p1.playground.local
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for p1.playground.local
info: Certificate Request fingerprint (md5): 65:F0:6D:8D:66:89:57:13:11:A6:DD:02:DF:DC:C1:7B
warning: peer certificate won't be verified in this SSL session
err: Could not request certificate: Could not intern from s: nested asn1 error
Exiting; failed to retrieve certificate and waitforcert is disabled

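I deleted the /var/lib/puppet/ssl directory on the client and re-ran puppet agent -t, and I got the same error as above.

Finally, I tried deleting the /var/lib/puppet/ssl directory on both the master and the client and regenerating the certificates, and everything was fine. Even though I could delete the ssl directory every time before starting an automated install, it would be great if I did not have to do it manually.

Any help is appreciated.

Thanks.

0 answers:

No answers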