puppet Forbidden request /puppet-ca/v1/certificate/ca

Time: 2018-03-09 15:27:54

Tags: puppet aws-opsworks puppet-enterprise

I can't get a Puppet node to join the master. I'm using Puppet Enterprise on AWS.

puppetserver --version
puppetserver version: 2017.3.0.38

On the node:

# puppet agent --test
Error: Could not request certificate: Error 403 on SERVER: Forbidden request: /puppet-ca/v1/certificate/ca (method :get). Please see the server logs for details.
Exiting; failed to retrieve certificate and waitforcert is disabled

Obviously the error message concerns permissions on the master side; when I checked the logs on the master I saw

ERROR [qtp2147089302-255] [p.t.a.rules] Forbidden request: 10.0.10.224 access to /puppet-ca/v1/certificate/ca (method :get) (authenticated: false) denied by rule 'puppetlabs certificate'.

But I checked that the new HOCON-format auth.conf allows unauthenticated nodes to send a CSR:

{
    "allow-unauthenticated": "*",
    "match-request": {
        "method": "get",
        "path": "/puppet-ca/v1/certificate/",
        "query-params": {},
        "type": "path"
    },
    "name": "puppetlabs certificate",
    "sort-order": 500
}

I also checked that pe-puppet-server.conf is not using the legacy auth.conf method:

# (optional) Authorize access to Puppet master endpoints via rules specified
# in the legacy Puppet auth.conf file (if true or not specified) or via rules
# specified in the Puppet Server HOCON-formatted auth.conf (if false).
use-legacy-auth-conf: false
max-active-instances: 2
max-requests-per-instance: 0
environment-class-cache-enabled: true

Note that the same error message appears on both Windows and Linux.
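The server log says the request was denied by the very rule that is meant to allow it, so it helps to see how Puppet Server's tk-authorization actually evaluates auth.conf. The Python model below is an added example, not Puppet Server's own code: rules are tried in ascending sort-order, the first rule whose match-request matches decides, no match means deny, and allow-unauthenticated is, per the tk-authorization documentation, a boolean. The quoted rule carries the string "*" in that key; the page does not settle whether the console merely rendered it that way, so the model treats a non-boolean value as a configuration error rather than as permission. The rule set, the catalog rule's deny list and the `.untrusted.example` names are constructed for this example; regex capture groups in allow lists are not modelled.

```python
"""Toy model of tk-authorization rule evaluation (added example, not
Puppet Server code).  Semantics modelled: ascending sort-order, first
matching rule decides, no match => deny, boolean allow-unauthenticated,
otherwise client-cert required and certname checked against allow/deny
(deny wins).  Regex backreferences ($1) in allow lists are not modelled."""
import re
from dataclasses import dataclass, field
from typing import Optional


class ConfigError(ValueError):
    """An auth.conf rule that tk-authorization would reject."""


@dataclass
class Request:
    path: str
    method: str
    authenticated: bool          # true when a valid client cert was presented
    certname: Optional[str] = None
    client_ip: str = "0.0.0.0"
    query: dict = field(default_factory=dict)


def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _matches(rule, req):
    """Does the rule's match-request block match this request?"""
    mr = rule["match-request"]
    methods = [m.lower() for m in _as_list(mr.get("method"))]
    if methods and req.method.lower() not in methods:
        return False
    # query-params: each listed parameter must be present with a listed value;
    # an empty map (as in the question) constrains nothing.
    for key, wanted in (mr.get("query-params") or {}).items():
        if req.query.get(key) not in _as_list(wanted):
            return False
    kind = mr.get("type", "path")
    if kind == "path":                      # prefix match
        return req.path.startswith(mr["path"])
    if kind == "regex":                     # assumed: search, not full match
        return re.search(mr["path"], req.path) is not None
    raise ConfigError(f"rule {rule['name']!r}: unknown match-request type {kind!r}")


def _name_listed(certname, entries):
    for entry in _as_list(entries):
        if entry == "*" or entry == certname:
            return True
        if entry.startswith("*.") and certname.endswith(entry[1:]):
            return True
    return False


def _decide(rule, req):
    unauth = rule.get("allow-unauthenticated", False)
    if not isinstance(unauth, bool):
        # Documented type is boolean: "*" or "true" as a string is a config error.
        raise ConfigError(f"rule {rule['name']!r}: allow-unauthenticated must be "
                          f"a boolean, got {unauth!r}")
    if unauth:
        return True
    if not req.authenticated or req.certname is None:
        return False
    if _name_listed(req.certname, rule.get("deny")):
        return False
    return _name_listed(req.certname, rule.get("allow"))


def authorize(rules, req):
    """Return (allowed, name of the deciding rule); name is None if none matched."""
    for rule in sorted(rules, key=lambda r: (r.get("sort-order", 500), r["name"])):
        if _matches(rule, req):
            return _decide(rule, req), rule["name"]
    return False, None


def verdict(rules, req):
    """'allowed', 'denied' or 'config-error' for the given rules and request."""
    try:
        return "allowed" if authorize(rules, req)[0] else "denied"
    except ConfigError:
        return "config-error"


def log_line(rules, req):
    """Render the decision in the shape of the server log line quoted above."""
    allowed, name = authorize(rules, req)
    by = f"by rule {name!r}" if name else "because no rule matched"
    return (f"{req.client_ip} access to {req.path} (method :{req.method.lower()}) "
            f"(authenticated: {str(req.authenticated).lower()}) "
            f"{'allowed' if allowed else 'denied'} {by}.")


# Constructed rule set: stock-style CA rules with boolean true, plus a catalog
# rule that needs a client cert (deny list and domain are made up for the example).
STOCK_RULES = [
    {"name": "puppetlabs certificate", "sort-order": 500, "allow-unauthenticated": True,
     "match-request": {"path": "/puppet-ca/v1/certificate/", "type": "path", "method": "get"}},
    {"name": "puppetlabs csr", "sort-order": 500, "allow-unauthenticated": True,
     "match-request": {"path": "/puppet-ca/v1/certificate_request", "type": "path",
                       "method": ["get", "put"]}},
    {"name": "puppetlabs catalog", "sort-order": 500, "allow": "*", "deny": "*.untrusted.example",
     "match-request": {"path": "^/puppet/v3/catalog/([^/]+)$", "type": "regex",
                       "method": ["get", "post"]}},
]
# The CA rule exactly as quoted in the question: a string where a boolean belongs.
QUOTED_RULE = {**STOCK_RULES[0], "allow-unauthenticated": "*"}
# The request from the server log on this page.
CA_REQUEST = Request("/puppet-ca/v1/certificate/ca", "GET", False, client_ip="10.0.10.224")

if __name__ == "__main__":
    print(log_line(STOCK_RULES, CA_REQUEST))
    print(verdict([QUOTED_RULE] + STOCK_RULES[1:], CA_REQUEST))
```

On a real PE master the shipped rules live in /etc/puppetlabs/puppetserver/conf.d/auth.conf; diffing the "puppetlabs certificate" rule there against the stock form (allow-unauthenticated: true, no query-params) is the quickest way to tell a typed rule from one the console serialized differently.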

3 answers:

Answer 0 (score: 0)

I did restart the whole server (the EC2 instance), since reinstalling puppetserver did not help... I also made the auth change from the console, as shown here:

windows Puppet agent does not connect to the awsopsworks puppet Enterprise master

Answer 1 (score: 0)

I ran into a similar problem while trying to set up a Puppet node, but with Vagrant instead of AWS.

The fix was to unset the following environment variables: http_proxy, https_proxy, HTTP_PROXY, HTTPS_PROXY

Answer 2 (score: 0)

My fix was to remove server_list from puppet.conf, clean the CM's certificate and regenerate it. In my case I had autosign=true in puppet.conf, so the process was:

  1. Stop PE on the CM:
systemctl stop puppet pxp-agent pe-puppetserver pe-puppetdb
  2. Delete the ssl directory:
rm -fr /etc/puppetlabs/puppet/ssl
  3. Clean the certificate from the primary:
puppetserver ca clean --certname='<CM>'
  4. Run the puppet agent on the CM.

Done.