
SSL certificate verification failed in puppet

leoOrion · 7 years ago

    I have a docker container with a puppet master in it. It is created from the image puppet/puppetserver.

    CONTAINER ID        IMAGE                 COMMAND                  CREATED             STATUS                    PORTS                    NAMES
    1a3e942655e0        puppet/puppetserver   "dumb-init /docker-e…"   32 minutes ago      Up 32 minutes (healthy)   0.0.0.0:8140->8140/tcp   puppet
    

    Details of the puppetserver container:

    Hostname: puppet
    FQDN: puppet.openvpn
    

    When I run puppet agent -td from the vagrant box, I get the following error:

    Info: Creating a new SSL key for localhost.localdomain
    Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
    Info: Creating a new SSL certificate request for localhost.localdomain
    Info: Certificate Request fingerprint (SHA256): A8:F0:9D:F2:2C:A0:AC:0B:66:55:90:64:64:B2:62:47:7F:DC:F0:18:18:A6:79:C0:BE:1D:00:B6:5E:F4:C3:18
    Info: Downloaded certificate for localhost.localdomain from puppetserver
    Warning: Unable to fetch my node definition, but the agent run will continue:
    Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
    Info: Retrieving pluginfacts
    Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
    Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
    Info: Retrieving plugin
    Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
    Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
    Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
    Error: Could not retrieve catalog; skipping run
    

    Details of the vagrant puppet agent:

    Hostname: localhost.localdomain
    

    /etc/hosts:

    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    
    192.100.2.1 puppetserver
    

    192.100.2.1 -> IP of the host machine as seen from within vagrant

    [agent]
    server = puppetserver
    

    I am able to see the signed certificate generated for the vagrant puppet agent on the master and in the logs when I run puppet agent -t.

1 answer

John Bollinger · 7 years ago

    Per its configuration, the agent uses the name "puppetserver" to identify and contact the server. Its output confirms this.

    The agent successfully creates a CSR, submits it to the machine "puppetserver", and receives a signed certificate. That shows it is contacting the server successfully, and it is entirely reasonable to expect the server to accept a certificate it has itself just signed.

    The problem, then, is probably with the master's certificate. Most likely it has to do with the fact that the puppetserver machine identifies itself as "puppet.openvpn", so that is probably the name the master's certificate was issued for, whereas the agent contacts the master by a different name. A mismatch between the name on the certificate and the agent's understanding of the name of the machine it is talking to is a good reason for the agent to reject the certificate.

    Check with the puppet master.
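The name check the answer describes can be reproduced offline. The script below is an added example, not part of the question or the answer: it assumes the openssl command-line tool is installed, mints a throwaway self-signed certificate for CN=puppet.openvpn (constructed test data standing in for the master's real certificate, with a DNS SAN for "puppet" but none for "puppetserver"), and then asks openssl whether that certificate is acceptable for each candidate value of the agent's server setting. "puppetserver" is rejected for exactly the reason the answer gives.

```shell
#!/bin/sh
# Added example, not the original poster's or Puppet's own code.
# Assumes: openssl >= 1.1.1 on PATH. All certificate material is constructed
# here and thrown away on exit.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
MASTER_CRT="$WORK/puppet.openvpn.pem"

# Constructed stand-in for the master's certificate: issued for the name
# puppet.openvpn, with "puppet" as an extra DNS SAN and nothing for
# "puppetserver". A real Puppet CA would sign this; self-signed is enough here.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/puppet.openvpn.key" -out "$MASTER_CRT" \
  -subj "/CN=puppet.openvpn" \
  -addext "subjectAltName=DNS:puppet.openvpn,DNS:puppet" >/dev/null 2>&1

# Show the names a certificate is actually valid for: the subject CN and the
# subjectAltName DNS entries. This is what to compare against "server = ...".
cert_names() {
  openssl x509 -in "$1" -noout -subject -ext subjectAltName
}

# Exit 0 when the certificate in $1 is acceptable for server name $2, non-zero
# otherwise. Uses the cert itself as the trust anchor so the only thing that
# can fail is the hostname check, which is the check the agent's TLS client
# performs against the name it was told to connect to.
name_matches() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

cert_names "$MASTER_CRT"
for name in puppet.openvpn puppet puppetserver; do
  if name_matches "$MASTER_CRT" "$name"; then
    echo "server = $name -> accepted"
  else
    echo "server = $name -> certificate verify failed (name mismatch)"
  fi
done
```

Against a live master, replace the constructed file with the certificate the server presents on port 8140 (for example captured with openssl s_client -connect puppetserver:8140 -showcerts) and run cert_names on it. Two fixes then follow from the output: either point the agent at a name the certificate already carries (server = puppet.openvpn, with a matching /etc/hosts entry), or regenerate the master's certificate with dns_alt_names including "puppetserver" so that the name the agent uses is on the certificate.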
