Puppet agent broken after running it manually

Time: 2018-02-05 21:15:23

Tags: ssl puppet manifest

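I have to have 2 agent nodes with one master configuration. The certificates were signed normally. I ran the manifest on the master with puppet apply site.pp, and everything went fine. However, none of the agents executed the manifest, so I ran it on one of them:

sudo puppet agent -t, which output:

    Notice: Skipping run of Puppet configuration client; administratively disabled (Reason: 'Disabled by default on new or unconfigured old installations'); Use 'puppet agent --enable' to re-enable.

So I ran sudo puppet agent --enable, and then ran sudo puppet agent -t --debug. This is the output: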

    Warning: Unable to fetch my node definition, but the agent run will continue:
    Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cluster-b665-m.c.some_project-182409.internal]
    Info: Retrieving pluginfacts
    Debug: Failed to load library 'msgpack' for feature 'msgpack'
    Debug: Puppet::Network::Format[msgpack]: feature msgpack is missing
    Debug: file_metadata supports formats: pson b64_zlib_yaml yaml raw
    Debug: Creating new connection for https://cluster-b665-m.europe-west1-b.c.some_project-182409.internal:8140
    Debug: Starting connection for https://cluster-b665-m.europe-west1-b.c.some_project-182409.internal:8140
    Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cluster-b665-m.c.some_project-182409.internal]
    Debug: Failed to load library 'msgpack' for feature 'msgpack'
    Debug: Puppet::Network::Format[msgpack]: feature msgpack is missing
    Debug: file_metadata supports formats: pson b64_zlib_yaml yaml raw
    Debug: Creating new connection for https://cluster-b665-m.europe-west1-b.c.some_project-182409.internal:8140
    Debug: Starting connection for https://cluster-b665-m.europe-west1-b.c.some_project-182409.internal:8140
    Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://cluster-b665-m.europe-west1-b.c.some_project-182409.internal/pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cluster-b665-m.c.some_project-182409.internal]
    Wrapped exception: ...
    Wrapped exception: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cluster-b665-m.c.some_project-182409.internal]
    Debug: Finishing transaction 29645260
    Debug: Loading external facts from /var/lib/puppet/facts.d
    Debug: Failed to load library 'msgpack' for feature 'msgpack'
    Debug: Puppet::Network::Format[msgpack]: feature msgpack is missing
    Debug: catalog supports formats: pson b64_zlib_yaml yaml dot raw
    Debug: Creating new connection for https://cluster-b665-m.europe-west1-b.c.some_project-182409.internal:8140
    Debug: Starting connection for https://cluster-b665-m.europe-west1-b.c.some_project-182409.internal:8140
    Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cluster-b665-m.c.some_project-182409.internal]
    Warning: Not using cache on failed catalog
    Error: Could not retrieve catalog; skipping run
    Debug: Executing '/etc/puppet/etckeeper-commit-post'
    Debug: Creating new connection for https://cluster-b665-m.europe-west1-b.c.some_project-182409.internal:8140
    Debug: Starting connection for https://cluster-b665-m.europe-west1-b.c.some_project-182409.internal:8140
    Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cluster-b665-m.c.some_project-182409.internal]

How should I handle this?

1 answer:

Answer 0: (score: 0)

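This could be a number of things. Is it listening on the appropriate port to allow this server to issue SSL to your agent, or is it otherwise being blocked (firewall / iptables / etc.)?

These are all just guesses, but it looks like your agent is not connecting to the master or there is a problem with the SSL certificate. You may need to delete ssl from the directory and re-sign. I would first make sure the agent can connect to the active master, and run 'puppet cert list --all' and see whether there are any issues with that agent, or whether the agent has a certificate at all on the master.

To manually delete and re-issue the certificates, you can look at my answer here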
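
An added example, not part of the original question or answer: a small triage of the agent output quoted above that collapses the repeated SSL errors into one finding per verify reason and certificate CN, and lists which agent steps it blocked. The function name, the HINTS wording and the cn_differs_from_host flag are this example's own assumptions; the sample lines are copied from the question.

```python
import re

# Lines copied from the agent output quoted in the question, one message per line.
SAMPLE = """\
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cluster-b665-m.c.some_project-182409.internal]
Debug: Starting connection for https://cluster-b665-m.europe-west1-b.c.some_project-182409.internal:8140
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cluster-b665-m.c.some_project-182409.internal]
Warning: Not using cache on failed catalog
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cluster-b665-m.c.some_project-182409.internal]
"""

VERIFY = re.compile(r"^(Warning|Error): (.*?):? ?SSL_connect .*?"
                    r"certificate verify failed: \[(.+?) for /CN=([^\]]+)\]")
CONNECT = re.compile(r"Starting connection for https://([^:/\s]+):\d+")

# Assumption: this example's reading of OpenSSL verify reasons for the agent's trust store.
HINTS = {
    "unable to get local issuer certificate":
        "agent's local CA file lacks the CA that issued the master's certificate",
    "certificate has expired": "presented certificate is past its notAfter date",
    "certificate is not yet valid": "check the agent's clock against the master's",
}

def triage(log):
    """Collapse repeated verify failures into one finding per (reason, CN)."""
    findings, hosts, prev = {}, set(), ""
    for line in log.splitlines():
        m = CONNECT.search(line)
        if m:
            hosts.add(m.group(1))
        m = VERIFY.match(line)
        if m:
            _, step, reason, cn = m.groups()
            # The first warning carries its context on the preceding line.
            step = step or prev.split(": ", 1)[-1].rstrip(":")
            f = findings.setdefault(
                (reason, cn), {"steps": [], "hint": HINTS.get(reason, "unmapped reason")})
            f["steps"].append(step)
        prev = line
    for (reason, cn), f in findings.items():
        # The logged failure concerns the issuer; a CN that differs from the
        # connect host is reported separately as something to check next.
        f["cn_differs_from_host"] = bool(hosts) and cn not in hosts
    return findings

if __name__ == "__main__":
    for (reason, cn), f in triage(SAMPLE).items():
        print(reason, "|", cn, "|", f)
```

For the finding this produces, the next check is whether the CA certificate cached under the agent's ssldir (puppet agent --configprint ssldir) is the same CA that signed the master's certificate.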