Centos

Puppet device unable to get local issuer certificate

  • December 4, 2015

I installed puppet 4.3 on centos7 to use Puppet Device to manage Cisco routers. The server hostname is "puppetmaster" (set by running hostnamectl puppetmaster), and the centos server is running both the puppet master and the agent.

After setting everything up, configuring device.conf and running sudo puppet device --debug, I see the following errors:

Error: /File[/opt/puppetlabs/puppet/cache/devices/r1/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppetmaster]
Error: /File[/opt/puppetlabs/puppet/cache/devices/r1/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppetmaster]

I can run puppet agent --test on the server successfully:

sudo puppet agent --test
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for puppetmaster
Info: Applying configuration version '1449189804'

Here is my /etc/puppetlabs/puppet/device.conf

[r1]
type cisco
url telnet://puppet:123456@r1/

Here is my /etc/puppetlabs/puppet/puppet.conf

[master]
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
dns_alt_names = puppetmaster

[agent]
certname = puppetmaster
server = puppetmaster

This must be some kind of certificate problem, such as a name mismatch, but I can't figure out what is causing it. The agent runs on the same server as the master, and I set all the configuration correctly (at least I think I did).

Here are the certificates puppet returns:

sudo puppet cert --print --all | grep CN
       Issuer: CN=Puppet CA: puppetmaster
       Subject: CN=puppetmaster

Here are the raw ca.pem and puppetmaster.pem certificates:

openssl x509 -in /etc/puppetlabs/puppet/ssl/certs/ca.pem -noout -text | grep CN
       Issuer: CN=Puppet CA: puppetmaster
       Subject: CN=Puppet CA: puppetmaster
               DirName:/CN=Puppet CA: puppetmaster
openssl x509 -in /etc/puppetlabs/puppet/ssl/certs/puppetmaster.pem -noout -text | grep CN
       Issuer: CN=Puppet CA: puppetmaster
       Subject: CN=puppetmaster

When I run openssl to verify the certificate, I see the same error:

sudo openssl verify -CApath /etc/puppetlabs/puppet/ssl/certs/ca.pem /etc/puppetlabs/puppet/ssl/certs/puppetmaster.pem

/etc/puppetlabs/puppet/ssl/certs/puppetmaster.pem: CN = puppetmaster
error 20 at 0 depth lookup:unable to get local issuer certificate

I double-checked the configuration settings and went through the process of cleaning the certificates (multiple times), but no dice.

OK, figured it out.

As I said, I cleaned and regenerated Puppet's certificates, but what I did not clean was:

/opt/puppetlabs/puppet/cache/devices/

Puppet had cached an old certificate for the device, so it was trying to use that one instead of generating a new one.

After deleting the contents of that folder, I was able to run puppet device.
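The stale-cache failure above is easy to catch before the next puppet device run. The script below is an added example, not part of the original post or of Puppet itself: it walks the per-device SSL cache and reports every cached device certificate that no longer chains to the master's ca.pem. It assumes the layout <devicedir>/<device>/ssl/certs/<device>.pem with devicedir = /opt/puppetlabs/puppet/cache/devices (the path in the error messages); the verification step uses openssl verify -CAfile, which takes a bundle file, whereas -CApath expects a directory of c_rehash'd symlinks.

```shell
#!/bin/sh
# Added example (not from the original post): audit Puppet's per-device SSL
# cache. `puppet device` gives each device its own ssldir; the layout assumed
# here is <devicedir>/<device>/ssl/certs/<device>.pem, with devicedir being
# /opt/puppetlabs/puppet/cache/devices as seen in the error output above.
# A cached cert that no longer chains to the master's ca.pem is exactly the
# state that produces "unable to get local issuer certificate".

# check_device_cert CA_PEM CERT_PEM
# Exit 0 when CERT_PEM verifies against CA_PEM. -CAfile takes a PEM bundle
# file; -CApath would expect a directory of c_rehash'd symlinks instead.
check_device_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# audit_device_cache CA_PEM DEVICEDIR
# Prints one "ok"/"stale" line per cached device certificate (copies of
# ca.pem are skipped) and exits 1 if any cached certificate fails to verify.
audit_device_cache() {
    ca="$1"
    devicedir="$2"
    stale=0
    for certdir in "$devicedir"/*/ssl/certs; do
        [ -d "$certdir" ] || continue
        # device name is the first path component below devicedir
        device=${certdir#"$devicedir"/}
        device=${device%%/*}
        for cert in "$certdir"/*.pem; do
            [ -f "$cert" ] || continue
            case "$cert" in */ca.pem) continue ;; esac
            if check_device_cert "$ca" "$cert"; then
                echo "ok    $device $cert"
            else
                echo "stale $device $cert"
                stale=$((stale + 1))
            fi
        done
    done
    [ "$stale" -eq 0 ]
}

# Run against a live master when both paths are given on the command line,
# e.g. /etc/puppetlabs/puppet/ssl/certs/ca.pem /opt/puppetlabs/puppet/cache/devices
if [ "$#" -eq 2 ]; then
    audit_device_cache "$1" "$2"
fi
```

A "stale" line names the device directory whose contents must be cleared (as the answer above did) before puppet device will request a fresh certificate.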

Source: https://serverfault.com/questions/740865