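I installed Puppet 4.3 on CentOS 7 to manage Cisco routers with Puppet Device. The server's hostname is "puppetmaster" (set by running hostnamectl puppetmaster). The CentOS server is running both the puppet master and the agent.
After setting everything up and configuring device.conf, I see the following errors when I run sudo puppet device --debug: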
Error: /File[/opt/puppetlabs/puppet/cache/devices/r1/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppetmaster]
Error: /File[/opt/puppetlabs/puppet/cache/devices/r1/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=puppetmaster]
I can run puppet agent --test successfully on the server:
sudo puppet agent --test
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for puppetmaster
Info: Applying configuration version '1449189804'
Here is my /etc/puppetlabs/puppet/device.conf
[r1]
type cisco
url telnet://puppet:123456@r1/
Here is my /etc/puppetlabs/puppet/puppet.conf
[master]
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
dns_alt_names = puppetmaster
[agent]
certname = puppetmaster
server = puppetmaster
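This must be some kind of certificate problem, such as a name mismatch, but I can't figure out what is causing it. The agent runs on the same server as the master, and I have set up all the configuration correctly (at least I think I have).
Here are the certificates that Puppet returns: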
sudo puppet cert --print --all | grep CN
Issuer: CN=Puppet CA: puppetmaster
Subject: CN=puppetmaster
Here are the raw ca.pem and puppetmaster.pem certificates:
openssl x509 -in /etc/puppetlabs/puppet/ssl/certs/ca.pem -noout -text | grep CN
Issuer: CN=Puppet CA: puppetmaster
Subject: CN=Puppet CA: puppetmaster
DirName:/CN=Puppet CA: puppetmaster
openssl x509 -in /etc/puppetlabs/puppet/ssl/certs/puppetmaster.pem -noout -text | grep CN
Issuer: CN=Puppet CA: puppetmaster
Subject: CN=puppetmaster
When I run openssl to verify the certificate, I see the same error:
sudo openssl verify -CApath /etc/puppetlabs/puppet/ssl/certs/ca.pem /etc/puppetlabs/puppet/ssl/certs/puppetmaster.pem
/etc/puppetlabs/puppet/ssl/certs/puppetmaster.pem: CN = puppetmaster
error 20 at 0 depth lookup:unable to get local issuer certificate
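I have gone through the configuration settings and the process of clearing out the certificates (several times), but no dice.
Answer 1
OK, got it.
As I said, I cleared and regenerated Puppet's certificates, but what I didn't do was clear: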
/opt/puppetlabs/puppet/cache/devices/
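Puppet had cached an old certificate for the device, so it was trying to use that instead of generating a new one.
After deleting the contents of that folder, I was able to run puppet device.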
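A check that follows from the answer above, as an added example that is not part of the original post: it walks the device cache and flags every cached certificate that no longer matches the current CA. The layout below the cache directory is an assumption (so every *.pem file is checked), and because a regenerated CA keeps the same CN, cached CA copies are compared by fingerprint; `openssl verify -CAfile` is used because the CA is a single PEM file.

```shell
#!/bin/sh
# Added example, not from the original post. The CA path and cache directory are
# the ones quoted on the page; the file layout below the cache is an assumption,
# so every *.pem found there is checked.
CA_DEFAULT=/etc/puppetlabs/puppet/ssl/certs/ca.pem
CACHE_DEFAULT=/opt/puppetlabs/puppet/cache/devices

# SHA-256 fingerprint of a certificate (hex with colons).
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# classify_pem CURRENT_CA PEM -> prints ok | stale-ca | stale-cert | skip
classify_pem() {
    ca=$1 pem=$2
    # Private keys and CSRs are not X.509 certificates: nothing to verify.
    openssl x509 -in "$pem" -noout 2>/dev/null || { echo skip; return 0; }
    if [ "$(openssl x509 -in "$pem" -noout -subject_hash)" = \
         "$(openssl x509 -in "$pem" -noout -issuer_hash)" ]; then
        # Self-issued: a cached CA copy. A regenerated CA keeps the same CN,
        # so compare fingerprints rather than names.
        if [ "$(fingerprint "$pem")" = "$(fingerprint "$ca")" ]; then
            echo ok
        else
            echo stale-ca
        fi
    elif openssl verify -CAfile "$ca" "$pem" >/dev/null 2>&1; then
        echo ok
    else
        echo stale-cert
    fi
}

# scan_cache [CURRENT_CA] [CACHE_DIR]: one "status path" line per PEM file;
# returns non-zero if anything cached no longer matches the current CA.
scan_cache() {
    ca=${1:-$CA_DEFAULT}
    dir=${2:-$CACHE_DEFAULT}
    report=$(find "$dir" -type f -name '*.pem' | while IFS= read -r pem; do
        printf '%s %s\n' "$(classify_pem "$ca" "$pem")" "$pem"
    done)
    [ -z "$report" ] || printf '%s\n' "$report"
    ! printf '%s\n' "$report" | grep -q '^stale'
}
```

Source the file and run `scan_cache` as root with no arguments to use the two paths from the page; any line starting with `stale` points at a cached file left over from before the certificates were regenerated.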