SSL certificate verification failed in Puppet

Time: 2019-01-17 12:16:55

Tags: docker ssl vagrant puppet

I have a docker container running a puppet master. It was created from the image puppet/puppetserver.

CONTAINER ID        IMAGE                 COMMAND                  CREATED             STATUS                    PORTS                    NAMES
1a3e942655e0        puppet/puppetserver   "dumb-init /docker-e…"   32 minutes ago      Up 32 minutes (healthy)   0.0.0.0:8140->8140/tcp   puppet

Details of the puppetserver container:

Hostname: puppet
FQDN: puppet.openvpn

The agent is running from a vagrant box on the same host as docker. When I run puppet agent -td from the vagrant box, I get the following error:

Info: Creating a new SSL key for localhost.localdomain
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for localhost.localdomain
Info: Certificate Request fingerprint (SHA256): A8:F0:9D:F2:2C:A0:AC:0B:66:55:90:64:64:B2:62:47:7F:DC:F0:18:18:A6:79:C0:BE:1D:00:B6:5E:F4:C3:18
Info: Downloaded certificate for localhost.localdomain from puppetserver
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
Error: Could not retrieve catalog; skipping run

Details of the vagrant puppet agent:

Hostname: localhost.localdomain

/etc/hosts:

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.100.2.1 puppetserver

192.100.2.1 -> ip of host machine from within vagrant

/etc/puppetlabs/puppet/puppet.conf

[agent]
server = puppetserver

When I run puppet agent -t, I can see the signed certificate generated for the vagrant puppet agent on the master and in the logs.

  • Are these certificates generated incorrectly?
  • Exactly which certificate is being rejected here?

1 answer:

Answer 0 (score: 1)

According to its configuration, the agent uses the name "puppetserver" to identify and contact the server. Its output confirms this.

The agent successfully created a CSR, submitted it to the machine "puppetserver", and received a signed certificate. This shows that it contacted the server successfully, and there is good reason to expect that the server will accept the certificate it has just signed.

So the problem is probably with the master's certificate. Most likely it is related to the fact that the puppetserver machine identifies itself as "puppet.openvpn", so that is probably the name the master's certificate was issued for, whereas the agent uses a different name to contact the master. A mismatch between the name on the certificate and the agent's notion of the name of the machine it is talking to is sufficient reason for the agent to reject the certificate.

With careful attention to custom configuration, it is possible to arrange for the master's certificate to carry a name different from its own hostname. It is simpler, however, to be consistent about the name used to identify that machine. I therefore recommend always using fully qualified names.

Also, if you use agents that have the same hostname as each other (i.e. localhost.localdomain), you will run into trouble there too, unless, again, you attend to their configuration to ensure that they use distinct, unique names on their certificates. The path of least resistance is to give your machines names, and before registering them with the Puppet master
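To make the mismatch the answer describes concrete, here is an added diagnostic example (not code from the question, the answer or the Puppet project). It reads the `server` the agent is configured to dial, pulls the subject CN out of Puppet's `[ok for /CN=...]` message, and applies a TLS-style host-name comparison; the sample `puppet.conf` text and error line are constructed to mirror the question, and the conf is assumed to be plain INI.

```python
import re
from configparser import ConfigParser
from typing import List, Tuple

# Constructed sample inputs mirroring the question: the agent's puppet.conf
# and the verification error the agent printed.
AGENT_PUPPET_CONF = "[agent]\nserver = puppetserver\n"
AGENT_ERROR_LINE = ("Warning: SSL_connect returned=1 errno=0 state=error: "
                    "certificate verify failed (certificate rejected): "
                    "[ok for /CN=puppet.openvpn]")


def configured_server(puppet_conf_text: str) -> str:
    """Name the agent will use to contact the master ([agent] server, default 'puppet')."""
    cp = ConfigParser()
    cp.read_string(puppet_conf_text)
    return cp.get("agent", "server", fallback="puppet").strip()


def cert_name_from_error(line: str) -> str:
    """Subject CN quoted in Puppet's '[ok for /CN=...]' verification message."""
    m = re.search(r"/CN=([^\]\s]+)", line)
    return m.group(1) if m else ""


def name_matches(configured: str, cert_names: List[str]) -> bool:
    """TLS host-name check: case-insensitive exact match or a single-label wildcard."""
    host = configured.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        # '*.openvpn' matches exactly one leading label, e.g. 'puppet.openvpn'
        if name.startswith("*.") and host.count(".") == name.count(".") \
                and host.endswith(name[1:]):
            return True
    return False


def diagnose(puppet_conf_text: str, error_line: str) -> Tuple[bool, str]:
    """Compare the name the agent dialled with the name on the master's certificate."""
    server = configured_server(puppet_conf_text)
    cert_cn = cert_name_from_error(error_line)
    if name_matches(server, [cert_cn]):
        return True, f"'{server}' matches the master certificate ({cert_cn})"
    return False, (f"agent contacts '{server}' but the master certificate is for "
                   f"'{cert_cn}'; point server= at '{cert_cn}' (and make it resolve) "
                   f"or reissue the master certificate with '{server}' as one of its names")


if __name__ == "__main__":
    print(diagnose(AGENT_PUPPET_CONF, AGENT_ERROR_LINE)[1])
```

Run against a real setup, the CN should be read from the master's certificate (for example with `openssl s_client -connect puppetserver:8140`) rather than from the error text, and any subjectAltName entries passed in alongside it.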