Puppet device: unable to get local issuer certificate

I installed Puppet 4.3 and CentOS 7 in order to manage Cisco routers with Puppet Device. The server's hostname is "puppetmaster" (set by running hostnamectl puppetmaster). The CentOS server is running both the puppet master and the agent.

After setting everything up and configuring device.conf, when I run sudo puppet device --debug I see the following errors:

Error: /File[/opt/puppetlabs/puppet/cache/devices/r1/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppetmaster]
Error: /File[/opt/puppetlabs/puppet/cache/devices/r1/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppetmaster]

I can run puppet agent --test successfully on the server:

sudo puppet agent --test
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for puppetmaster
Info: Applying configuration version '1449189804'

Here is my /etc/puppetlabs/puppet/device.conf

[r1]
type cisco
url telnet://puppet:123456@r1/

Here is my /etc/puppetlabs/puppet/puppet.conf

[master]
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
dns_alt_names = puppetmaster

[agent]
certname = puppetmaster
server = puppetmaster

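This must be some kind of certificate problem, such as a name mismatch, but I don't know what is causing it. The agent runs on the same server as the master, and I have set up all the configuration correctly (at least I think I have).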

Here are the certificates Puppet returns:

 sudo puppet cert --print --all | grep CN
        Issuer: CN=Puppet CA: puppetmaster
        Subject: CN=puppetmaster

Here are the raw ca.pem and puppetmaster.pem certificates:

openssl x509 -in /etc/puppetlabs/puppet/ssl/certs/ca.pem -noout -text | grep CN
        Issuer: CN=Puppet CA: puppetmaster
        Subject: CN=Puppet CA: puppetmaster
                DirName:/CN=Puppet CA: puppetmaster
openssl x509 -in /etc/puppetlabs/puppet/ssl/certs/puppetmaster.pem -noout -text | grep CN
        Issuer: CN=Puppet CA: puppetmaster
        Subject: CN=puppetmaster

When I run openssl to verify the certificate, I see the same error:

sudo openssl verify -CApath /etc/puppetlabs/puppet/ssl/certs/ca.pem /etc/puppetlabs/puppet/ssl/certs/puppetmaster.pem

/etc/puppetlabs/puppet/ssl/certs/puppetmaster.pem: CN = puppetmaster
error 20 at 0 depth lookup:unable to get local issuer certificate

I checked the configuration settings and went through the process of cleaning the certificates (several times), but no dice.

Answer 1

OK, figured it out.

As I said, I cleared and regenerated Puppet's certificates, but what I did not do was clear:

/opt/puppetlabs/puppet/cache/devices/

Puppet had cached an old certificate for the device, so it was trying to use that instead of generating a new one.

After deleting the contents of that folder, I was able to run puppet device.
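
A way to spot the stale cache described in this answer before wiping it, as an added example (not part of the original post or of Puppet itself): it verifies the master's current certificate against the CA cached under each device directory and prints the devices whose cached CA no longer matches. The `<device>/ssl/certs/ca.pem` layout under the devices directory and both function names are assumptions, and the certificates it runs on are constructed throwaway data.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed cache layout:
#   <devices_dir>/<device>/ssl/certs/ca.pem

# stale_device_cas MASTER_CERT DEVICES_DIR
# Prints each device whose cached CA can no longer verify MASTER_CERT.
stale_device_cas() {
    master_cert=$1
    devices_dir=$2
    for ca in "$devices_dir"/*/ssl/certs/ca.pem; do
        [ -f "$ca" ] || continue      # no device has cached a CA yet
        device=${ca#"$devices_dir"/}
        device=${device%%/*}
        # -CAfile takes one PEM file (-CApath expects a hashed directory).
        # Match on ": OK" instead of the exit status, which older OpenSSL
        # releases do not set reliably on a failed verification.
        if ! openssl verify -CAfile "$ca" "$master_cert" 2>/dev/null | grep -q ': OK$'; then
            echo "$device"
        fi
    done
    return 0
}

# build_demo DIR: constructed sample data (throwaway keys, not real Puppet files).
# Two CAs share one subject but have different keys, as after a CA regeneration.
build_demo() {
    d=$1
    mkdir -p "$d/devices/r1/ssl/certs" "$d/devices/r2/ssl/certs"
    for n in old new; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Puppet CA: puppetmaster" \
            -keyout "$d/$n-ca.key" -out "$d/$n-ca.pem" 2>/dev/null
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=puppetmaster" \
        -keyout "$d/master.key" -out "$d/master.csr" 2>/dev/null
    openssl x509 -req -in "$d/master.csr" -days 1 -CAcreateserial \
        -CA "$d/new-ca.pem" -CAkey "$d/new-ca.key" -out "$d/master.pem" 2>/dev/null
    cp "$d/old-ca.pem" "$d/devices/r1/ssl/certs/ca.pem"   # cached before regeneration
    cp "$d/new-ca.pem" "$d/devices/r2/ssl/certs/ca.pem"   # cached after regeneration
}

tmp=$(mktemp -d)
build_demo "$tmp"
stale_device_cas "$tmp/master.pem" "$tmp/devices"
rm -rf "$tmp"
```

On a real master the two arguments would be the master certificate and the devices cache directory shown in the post.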