我无法让puppet节点加入master,我在AWS云上使用puppet enterprise。
主
puppetserver --version
puppetserver version: 2017.3.0.38
节点
# puppet agent --test
Error: Could not request certificate: Error 403 on SERVER: Forbidden request: /puppet-ca/v1/certificate/ca (method :get). Please see the server logs for details.
Exiting; failed to retrieve certificate and waitforcert is disabled
显然错误消息与主端的权限有关,当我检查主机上的日志时我看到了
ERROR [qtp2147089302-255] [p.t.a.rules] Forbidden request: 10.0.10.224 access to /puppet-ca/v1/certificate/ca (method :get) (authenticated: false) denied by rule 'puppetlabs certificate'.
但我检查了auth.conf的新HOCON格式是否允许未经过身份验证的节点发送CSR
{
"allow-unauthenticated": "*",
"match-request": {
"method": "get",
"path": "/puppet-ca/v1/certificate/",
"query-params": {},
"type": "path"
},
"name": "puppetlabs certificate",
"sort-order": 500
}
我还检查了pe-puppet-server.conf没有使用传统的auth.conf方法
# (optional) Authorize access to Puppet master endpoints via rules specified
# in the legacy Puppet auth.conf file (if true or not specified) or via rules
# specified in the Puppet Server HOCON-formatted auth.conf (if false).
use-legacy-auth-conf: false
max-active-instances: 2
max-requests-per-instance: 0
environment-class-cache-enabled: true
请注意,在Windows和Linux上都会出现同样的错误信息
答案 0 :(得分:0)
我确实重新启动了整个服务器(ec2实例),因为重装puppetserver没有帮助...我也从控制台进行了auth更改,如此处所示
windows Puppet agent does not connect to the awsopsworks puppet Enterprise master
答案 1 :(得分:0)
在尝试设置人偶节点时,我遇到了类似的问题,但是使用的是Vagrant而不是AWS。
解决方法是取消设置以下环境变量:http_proxy
,https_proxy
,HTTP_PROXY
和HTTPS_PROXY
。
答案 2 :(得分:0)
我的解决方法是从 ' Loop over the Accounts collection of the current Outlook session.
Dim accounts As Outlook.Accounts = application.Session.Accounts
Dim account As Outlook.Account
For Each account In accounts
' When the email address matches, return the account.
If account.SmtpAddress = smtpAddress Then
Return account
End If
Next
中删除 server_list
,清理 CM 证书并重新生成证书。就我而言,我有 puppet.conf
所以过程是:
autosign=true
systemctl stop puppet pxp-agent pe-puppetserver pe-puppetdb
rm -fr /etc/puppetlabs/puppet/ssl
puppetserver ca clean --certname='<CM>'
完成。