SSL certificate verification failure in puppet
I have a docker container running a puppet master inside it. It was created from the image puppet/puppetserver.
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1a3e942655e0 puppet/puppetserver "dumb-init /docker-e…" 32 minutes ago Up 32 minutes (healthy) 0.0.0.0:8140->8140/tcp puppet
Details of the puppetserver container:
Hostname: puppet
FQDN: puppet.openvpn
The puppet agent runs from a vagrant box on the same host as docker. When I run puppet agent -td from the vagrant box, I get the following error -
Info: Creating a new SSL key for localhost.localdomain
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for localhost.localdomain
Info: Certificate Request fingerprint (SHA256): A8:F0:9D:F2:2C:A0:AC:0B:66:55:90:64:64:B2:62:47:7F:DC:F0:18:18:A6:79:C0:BE:1D:00:B6:5E:F4:C3:18
Info: Downloaded certificate for localhost.localdomain from puppetserver
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
Error: Could not retrieve catalog; skipping run
Details of the vagrant puppet agent:
Hostname: localhost.localdomain
/etc/hosts:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.100.2.1 puppetserver
192.100.2.1 -> ip of host machine from within vagrant
/etc/puppetlabs/puppet/puppet.conf
[agent]
server = puppetserver
When I run puppet agent -t, I am able to see the signed certificate generated for the vagrant puppet agent on the master and in the logs.
- Were these certificates generated incorrectly?
- Which certificate is being rejected here?
According to its configuration, the agent uses the name 'puppetserver' to identify and contact the server. Its output confirms this.
The agent successfully creates a CSR, submits it to the machine 'puppetserver', and receives a signed certificate. This shows that it is successfully contacting the server, and there is good reason to expect that the server will accept the certificate it has just signed.
So the problem is presumably with the master's certificate. Most likely it has to do with the fact that the puppetserver machine identifies itself as 'puppet.openvpn', so that is probably the name the master's certificate was issued for, whereas the agent uses a different name to contact the master. A mismatch between the name on the certificate and the name of the machine the agent believes it is talking to is sufficient reason for the agent to reject the certificate.
With some attention to custom configuration, it is possible to arrange for the master's certificate to carry a name different from its own idea of its hostname. It is simpler, though, to be consistent about the name used to identify that machine. Along those lines, I would recommend always relying on fully-qualified names.
As a separate issue, you will also run into trouble using agents that share the same hostname as each other (i.e. localhost.localdomain), unless, again, you attend to their puppet configuration to ensure they use distinct, unique names on their certificates. The path of least resistance is to give your machines proper names, and to do so before registering them with the Puppet master.
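The name check the answer describes, worked through as an added example (this is not Puppet's code, nor anything posted in the question or answer). It models the master's certificate as issued for CN=puppet.openvpn, which is what the error line `[ok for /CN=puppet.openvpn]` shows; the assumption that the certificate carries no DNS subjectAltNames is mine, since the log does not list any. The matching rule implemented is the standard TLS one (RFC 6125 / RFC 2818): the name the client dialled must match a DNS SAN, and the subject CN is consulted only when there are no DNS SANs. The two fixes at the bottom correspond to the answer's advice: dial the master by the name on its certificate, or reissue the master's certificate with the extra names (Puppet's `dns_alt_names` setting; the exact regeneration commands depend on the Puppet Server version and are not shown here).

```python
"""TLS server-name check as a Puppet agent (or any TLS client) applies it.

Added worked example; not Puppet's own code. Rule (RFC 6125 / RFC 2818):
the dialled name must match one of the certificate's DNS subjectAltNames;
the subject CN is used only when the certificate has no DNS SAN at all.
"""
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    """The identity fields of an X.509 server certificate that matter here."""
    subject_cn: str
    dns_sans: list[str] = field(default_factory=list)


def _name_matches(cert_name: str, dialled: str) -> bool:
    """Compare one certificate name with the dialled name.

    Case-insensitive, trailing dot ignored, and a wildcard is honoured only
    in the leftmost label: "*.openvpn" matches "puppet.openvpn" but not
    "openvpn" or "a.b.openvpn".
    """
    cert_name = cert_name.lower().rstrip(".")
    dialled = dialled.lower().rstrip(".")
    if cert_name == dialled:
        return True
    if cert_name.startswith("*."):
        labels = dialled.split(".")
        return (len(labels) >= 2 and labels[0] != ""
                and ".".join(labels[1:]) == cert_name[2:])
    return False


def verify_hostname(cert: ServerCert, dialled: str) -> bool:
    """True if a client that dialled `dialled` may accept `cert` for it."""
    candidates = cert.dns_sans if cert.dns_sans else [cert.subject_cn]
    return any(_name_matches(c, dialled) for c in candidates)


def diagnose(cert: ServerCert, dialled: str) -> str:
    """One-line explanation of why the check passed or failed."""
    names = cert.dns_sans or [cert.subject_cn]
    if verify_hostname(cert, dialled):
        return f"accept: '{dialled}' matches certificate name(s) {names}"
    return (f"reject: agent dialled '{dialled}' but the certificate only "
            f"identifies {names}; fix the name, not the verification")


# Constructed to match the page: the master's certificate was issued for the
# container's FQDN and (assumed) carries no alternative names, while the
# agent reaches it as 'puppetserver' through its /etc/hosts entry.
MASTER_CERT = ServerCert(subject_cn="puppet.openvpn")
AGENT_SERVER_SETTING = "puppetserver"        # puppet.conf: server = puppetserver

# Fix 1 (agent side): dial the master by the name on its certificate,
# i.e. server = puppet.openvpn, with a matching /etc/hosts line.
FIXED_SERVER_SETTING = "puppet.openvpn"

# Fix 2 (master side): reissue the master's certificate with every name
# agents will dial as DNS SANs (Puppet's dns_alt_names setting).
MASTER_CERT_WITH_ALT_NAMES = ServerCert(
    subject_cn="puppet.openvpn",
    dns_sans=["puppet", "puppet.openvpn", "puppetserver"],
)

if __name__ == "__main__":
    print(diagnose(MASTER_CERT, AGENT_SERVER_SETTING))
    print(diagnose(MASTER_CERT, FIXED_SERVER_SETTING))
    print(diagnose(MASTER_CERT_WITH_ALT_NAMES, AGENT_SERVER_SETTING))
```

Of the two fixes, the agent-side one (dial `puppet.openvpn`, and add `192.100.2.1 puppet.openvpn` to the agent's /etc/hosts instead of the `puppetserver` alias) needs no change to the CA. Either way, the point of the check is that a name the agent was never told belongs to the master is exactly what an impostor at that IP would present, so the mismatch should be corrected rather than worked around by disabling certificate verification.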