无法重新加载 Puppet 配置 -> 无法连接到 Puppet 服务器
Can't reload Puppet configuration -> inability to connect to Puppet Server
我正在使用两个 Vagrant VM 来测试 Puppet 的某些内容,但是当我去申请证书时,我收到一条神秘的错误消息,我找不到任何相关信息。
我应该注意,为了与良好的 Linux 服务器管理相对应,我使用 /var/ 和 /opt/ 来存储敏感的证书信息,否则使用标准的 Puppet 设置。
# Client node details
IP: 192.168.250.10
Hostname: client.example.com
Puppet version: 4.3.2
OS: CentOS Linux release 7.0.1406 (on Vagrant)
# Puppet server details
IP: 192.168.250.6
Hostname: puppet-server.example.com
Puppet version: 4.3.2
OS: CentOS Linux release 7.0.1406 (on Vagrant)
# client's and server's /etc/hosts files are identical
192.168.250.5 puppetmaster.example.com
192.168.250.6 puppet.example.com puppet-server.example.com
192.168.250.7 dashserver.example.com dashboard.example.com
192.168.250.10 client.example.com
192.168.250.20 webserver.example.com
# /etc/puppetlabs/puppet/puppet.conf on both client and server
[main]
logdest = syslog
[user]
bucketdir = $clientbucketdir
vardir = /var/opt/puppetlabs/server
ssldir = $vardir/ssl
[agent]
server = puppet.example.com
[master]
certname = puppet.example.com
vardir = /var/opt/puppetlabs/puppetserver
ssldir = $vardir/ssl
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
trusted_server_facts = true
reports = store
cacert = /var/opt/puppetlabs/puppetserver/ssl/certs/ca.pem
cacrl = /var/opt/puppetlabs/puppetserver/ssl/crl.pem
hostcert = /var/opt/puppetlabs/puppetserver/ssl/certs/{puppet, client}.example.com.pem # respectively, obviously
hostprivkey = /var/opt/puppetlabs/puppetserver/ssl/private_keys/{puppet, client}.example.com.pem # respectively, obviously
最后,我得到的错误是:
$ sudo puppet resource service puppet ensure=stopped enable=false
Notice: /Service[puppet]/ensure: ensure changed 'running' to 'stopped'
service { 'puppet':
ensure => 'stopped',
enable => 'false',
}
$ sudo puppet resource service puppet ensure=running enable=true
Notice: /Service[puppet]/ensure: ensure changed 'stopped' to 'running'
service { 'puppet':
ensure => 'running',
enable => 'true',
}
$ puppet agent --test --server=puppet.example.com
Error: Could not request certificate: Permission denied @ dir_initialize - /etc/puppetlabs/puppet/ssl/private_keys
Exiting; failed to retrieve certificate and waitforcert is disabled
首先,使用此设置 Puppet 不应使用 /etc/puppetlabs/puppet/ssl/private_keys。它没有正确使用我的配置文件:
$ puppet config print ssldir
/etc/puppetlabs/puppet/ssl
接下来,我在服务器和客户端节点 as prescribed in the Puppet docs 上检查并重新生成了密钥,但是我仍然遇到相同的错误,客户端和服务器仍然认为我的 $ssldir 是/etc/puppetlabs/puppet/ssl 应该是 /var/opt/puppetlabs/puppetserver/ssl.
有什么想法吗?
您需要在代理部分以及主服务器中指定 ssl 和 vardir 配置。
the user section is only applicable to the puppet apply commands etc
我正在使用两个 Vagrant VM 来测试 Puppet 的某些内容,但是当我去申请证书时,我收到一条神秘的错误消息,我找不到任何相关信息。
我应该注意,为了与良好的 Linux 服务器管理相对应,我使用 /var/ 和 /opt/ 来存储敏感的证书信息,否则使用标准的 Puppet 设置。
# Client node details
IP: 192.168.250.10
Hostname: client.example.com
Puppet version: 4.3.2
OS: CentOS Linux release 7.0.1406 (on Vagrant)
# Puppet server details
IP: 192.168.250.6
Hostname: puppet-server.example.com
Puppet version: 4.3.2
OS: CentOS Linux release 7.0.1406 (on Vagrant)
# client's and server's /etc/hosts files are identical
192.168.250.5 puppetmaster.example.com
192.168.250.6 puppet.example.com puppet-server.example.com
192.168.250.7 dashserver.example.com dashboard.example.com
192.168.250.10 client.example.com
192.168.250.20 webserver.example.com
# /etc/puppetlabs/puppet/puppet.conf on both client and server
[main]
logdest = syslog
[user]
bucketdir = $clientbucketdir
vardir = /var/opt/puppetlabs/server
ssldir = $vardir/ssl
[agent]
server = puppet.example.com
[master]
certname = puppet.example.com
vardir = /var/opt/puppetlabs/puppetserver
ssldir = $vardir/ssl
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
trusted_server_facts = true
reports = store
cacert = /var/opt/puppetlabs/puppetserver/ssl/certs/ca.pem
cacrl = /var/opt/puppetlabs/puppetserver/ssl/crl.pem
hostcert = /var/opt/puppetlabs/puppetserver/ssl/certs/{puppet, client}.example.com.pem # respectively, obviously
hostprivkey = /var/opt/puppetlabs/puppetserver/ssl/private_keys/{puppet, client}.example.com.pem # respectively, obviously
最后,我得到的错误是:
$ sudo puppet resource service puppet ensure=stopped enable=false
Notice: /Service[puppet]/ensure: ensure changed 'running' to 'stopped'
service { 'puppet':
ensure => 'stopped',
enable => 'false',
}
$ sudo puppet resource service puppet ensure=running enable=true
Notice: /Service[puppet]/ensure: ensure changed 'stopped' to 'running'
service { 'puppet':
ensure => 'running',
enable => 'true',
}
$ puppet agent --test --server=puppet.example.com
Error: Could not request certificate: Permission denied @ dir_initialize - /etc/puppetlabs/puppet/ssl/private_keys
Exiting; failed to retrieve certificate and waitforcert is disabled
首先,使用此设置 Puppet 不应使用 /etc/puppetlabs/puppet/ssl/private_keys。它没有正确使用我的配置文件:
$ puppet config print ssldir
/etc/puppetlabs/puppet/ssl
接下来,我在服务器和客户端节点 as prescribed in the Puppet docs 上检查并重新生成了密钥,但是我仍然遇到相同的错误,客户端和服务器仍然认为我的 $ssldir 是/etc/puppetlabs/puppet/ssl 应该是 /var/opt/puppetlabs/puppetserver/ssl.
有什么想法吗?
您需要在代理部分以及主服务器中指定 ssl 和 vardir 配置。
the user section is only applicable to the puppet apply commands etc