Centos
Puppet device unable to get local issuer certificate
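I installed Puppet 4.3 on CentOS 7 to use Puppet Device to manage Cisco routers. The server hostname is "puppetmaster" (set by running
hostnamectl puppetmaster
) and the CentOS server is running both the Puppet master and the agent. After setting everything up and configuring device.conf, I run sudo puppet device --debug and see the following errors: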
Error: /File[/opt/puppetlabs/puppet/cache/devices/r1/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppetmaster]
Error: /File[/opt/puppetlabs/puppet/cache/devices/r1/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppetmaster]
I can run
puppet agent --test
successfully on the server:
sudo puppet agent --test
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for puppetmaster
Info: Applying configuration version '1449189804'
Here is my /etc/puppetlabs/puppet/device.conf
[r1]
type cisco
url telnet://puppet:123456@r1/
Here is my /etc/puppetlabs/puppet/puppet.conf
[master]
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
dns_alt_names = puppetmaster

[agent]
certname = puppetmaster
server = puppetmaster
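This must be some kind of certificate problem, such as a name mismatch, but I can't figure out what is causing it. The agent runs on the same server as the master, and I set up all the configuration correctly (at least I think I did).
Here are the certificates returned by puppet:
sudo puppet cert --print --all | grep CN
Issuer: CN=Puppet CA: puppetmaster
Subject: CN=puppetmaster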
Here are the raw ca.pem and puppetmaster.pem certificates:
openssl x509 -in /etc/puppetlabs/puppet/ssl/certs/ca.pem -noout -text | grep CN
Issuer: CN=Puppet CA: puppetmaster
Subject: CN=Puppet CA: puppetmaster
DirName:/CN=Puppet CA: puppetmaster
openssl x509 -in /etc/puppetlabs/puppet/ssl/certs/puppetmaster.pem -noout -text | grep CN
Issuer: CN=Puppet CA: puppetmaster
Subject: CN=puppetmaster
When I run openssl to verify the certificate, I see the same error:
sudo openssl verify -CApath /etc/puppetlabs/puppet/ssl/certs/ca.pem /etc/puppetlabs/puppet/ssl/certs/puppetmaster.pem
/etc/puppetlabs/puppet/ssl/certs/puppetmaster.pem: CN = puppetmaster
error 20 at 0 depth lookup:unable to get local issuer certificate
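I have double-checked the configuration settings and gone through the process of cleaning the certificates (multiple times), but no dice.
OK, figured it out.
As I said, I cleared and regenerated Puppet's certificates, but what I didn't do was clear out: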
/opt/puppetlabs/puppet/cache/devices/
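Puppet had cached an old certificate for the device, so it was trying to use that one instead of generating a new one.
After deleting the contents of that folder, I was able to run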
puppet device
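
A way to spot this condition before deleting anything, as an added example that is not part of the original post: it lists every cached certificate that no longer chains to the current CA. The function names (stale_certs, make_ca, issue, demo), the two test CAs and the devices/<name>/ssl/certs layout used in the demo are constructed for illustration.

```shell
#!/bin/sh
# stale_certs CA_FILE DIR: print each X.509 certificate under DIR that does
# not verify against CA_FILE (function names here are hypothetical).
stale_certs() {
    ca=$1; dir=$2
    find "$dir" -type f -name '*.pem' | sort | while read -r f; do
        # Skip private/public keys and anything else that is not a certificate.
        openssl x509 -in "$f" -noout >/dev/null 2>&1 || continue
        # -CAfile takes one PEM file; -CApath expects a directory of hashed certs.
        openssl verify -CAfile "$ca" "$f" >/dev/null 2>&1 || echo "$f"
    done
}

# make_ca DIR NAME: constructed self-signed test CA (DIR/NAME.pem, DIR/NAME.key).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue DIR CA_NAME CN OUT: constructed leaf certificate for CN signed by CA_NAME.
issue() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -set_serial 1 -days 1 -out "$4" 2>/dev/null
}

# demo: r1 was cached before the CA was regenerated, r2 after; only r1 is reported.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/devices/r1/ssl/certs" "$t/devices/r2/ssl/certs"
    make_ca "$t" old-ca
    make_ca "$t" new-ca
    issue "$t" old-ca r1 "$t/devices/r1/ssl/certs/r1.pem"
    issue "$t" new-ca r2 "$t/devices/r2/ssl/certs/r2.pem"
    stale_certs "$t/new-ca.pem" "$t/devices"
    rm -rf "$t"
}

demo
# On the server from the post:
# stale_certs /etc/puppetlabs/puppet/ssl/certs/ca.pem /opt/puppetlabs/puppet/cache/devices
```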