Amazon ec2 EC2 Ubuntu 11.10傀儡主机名不匹配错误
我正在尝试使用Ubuntu11.10EC2实例(ami-a562a9cc)配置puppetmaster和puppet客户端。我已启用自动证书签名。但每当我从puppet客户端发出命令时: #puppet代理--服务器puppet--waitforcert 60--测试 证书已签名,但它会引发错误,并且不会运行目录文件 错误消息: 错误:无法从远程服务器检索目录:主机名与服务器证书不匹配 警告:未在失败的目录上使用缓存 错误:无法检索目录;跳绳跑 错误:无法发送报告:主机名与服务器证书不匹配 在PuppetMaster上应用清单文件效果很好,但在PuppetClient上不起作用 我已经在AmazonLinux和Centos上设置了puppet环境,并且在它们上运行良好。但我在Ubuntu 11.10中面临这些问题 谢谢Amazon ec2 EC2 Ubuntu 11.10傀儡主机名不匹配错误,amazon-ec2,certificate,hostname,puppet,ubuntu-11.10,Amazon Ec2,Certificate,Hostname,Puppet,Ubuntu 11.10,我正在尝试使用Ubuntu11.10EC2实例(ami-a562a9cc)配置puppetmaster和puppet客户端。我已启用自动证书签名。但每当我从puppet客户端发出命令时: #puppet代理--服务器puppet--waitforcert 60--测试 证书已签名,但它会引发错误,并且不会运行目录文件 错误消息: 错误:无法从远程服务器检索目录:主机名与服务器证书不匹配 警告:未在失败的目录上使用缓存 错误:无法检索目录;跳绳跑 错误:无法发送报告:主机名与服务器证书不匹配 在P
Sanket Dangi使用标准的x.509 SSL证书进行通信。这些证书与HTTPS中使用的证书相同,因此您可以使用相同的心智模型来考虑它们 此问题几乎总是由puppet代理使用puppet master证书的subject或x.509 alt names字段中未列出的名称引起的 要解决此问题,请扪心自问:“代理用于联系船长的姓名是否列在船长证书中?” 要回答此问题,您应该确定代理用于联系主机的名称。在您的示例中,由于指定了
--server puppetPuppet agent--configprint server% puppet agent --configprint server
puppetmaster.acme.com
--configprintpuppet cert printopenssl x509-text-noout-in…root@pe-centos6:~# puppet cert print $(puppet master --configprint certname)
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=Puppet CA generated on pe-centos6.puppetlabs.vm at Tue Jan 3 14:54:26 PST 2012
Validity
Not Before: Jan 2 22:55:16 2012 GMT
Not After : Jan 1 22:55:16 2017 GMT
Subject: CN=pe-centos6.localdomain
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:d2:51:86:31:b0:d8:da:80:1c:b9:e3:74:6b:c0:
2a:3c:b2:1a:dd:2b:1e:14:1d:53:b3:de:06:78:a7:
c2:bb:ad:bc:7e:91:60:01:d5:83:a7:14:c5:55:ea:
09:05:4e:c8:6e:83:93:a2:fb:e6:59:11:c1:05:88:
08:53:85:4f:6b:ef:a4:d6:14:6c:d8:56:e9:7c:79:
30:97:3a:fc:71:26:20:c7:15:5c:1b:d7:9d:e9:35:
08:a8:e2:5d:6c:a3:0d:0b:0e:90:dd:51:15:14:d6:
3f:6e:ab:2d:c8:0d:7f:4a:69:a7:7e:17:a2:d5:59:
be:c4:ba:a8:f7:54:db:b5:5f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:pe-centos6.localdomain, DNS:puppet
X509v3 Basic Constraints: critical
CA:FALSE
Netscape Comment:
Puppet Ruby/OpenSSL Internal Certificate
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Subject Key Identifier:
88:C4:17:D1:16:FA:0E:F0:E9:AC:00:FC:02:E0:81:53:53:8F:F4:71
X509v3 Extended Key Usage: critical
TLS Web Server Authentication, TLS Web Client Authentication
Signature Algorithm: sha1WithRSAEncryption
a2:dc:18:b4:7d:56:4a:5b:22:fc:72:7e:37:a9:cd:05:5b:39:
63:92:75:0b:1f:05:f7:60:2d:85:ea:79:b5:55:ba:b4:e4:6f:
10:00:3b:e2:f0:e2:89:ac:82:5f:2e:c5:45:20:33:75:35:a6:
51:3d:fd:a1:7f:38:6f:9c:71:6f:5f:a4:8d:7d:a7:cc:4e:ed:
f2:46:9c:a4:b1:4f:83:19:e1:57:83:07:ac:54:ce:84:af:48:
7f:ca:52:f2:2b:0f:b1:5a:02:aa:4f:7e:f1:e2:12:77:d2:2f:
6a:b5:92:61:69:1e:c6:10:3e:8e:c3:b9:0d:a7:2a:8b:ff:17:
bc:81
Subject:X509v3 Subject Alternative Name:puppetmaster.acme.com主机名与您收到的服务器证书警告不匹配的警告
要解决此问题,只需使用puppet代理--server
,其中
是主机使用的证书中列出的内容
您不需要重新颁发证书来解决此问题
希望这有帮助。Puppet使用标准的x.509 SSL证书进行通信。这些证书与HTTPS中使用的证书相同,因此您可以使用相同的心智模型来考虑它们
此问题几乎总是由puppet代理使用puppet master证书的subject或x.509 alt names字段中未列出的名称引起的
要解决此问题,请扪心自问:“代理用于联系船长的姓名是否列在船长证书中?”
要回答此问题,您应该确定代理用于联系主机的名称。在您的示例中,由于指定了--server puppet
选项,puppet就是所使用的名称。如果您使用的是您自己没有设置的Puppet部署,您可以使用命令Puppet agent--configprint server
找到配置的名称,该命令应打印回如下内容:
% puppet agent --configprint server
puppetmaster.acme.com
现在我们知道代理正在使用名称“puppetmaster.acme.com”联系主机,接下来的问题是主机的SSL证书中的“is puppetmaster.acme.com”
要回答此问题,请转到Puppet Master并检查正在使用的x.509 SSL证书。这可以通过以下命令完成。此命令使用--configprint
选项查找伪主机正在使用的证书名称。这通常只是主机名。puppet cert print
命令以人类可读的形式打印证书,就像您可能已经熟悉的openssl x509-text-noout-in…
命令一样
root@pe-centos6:~# puppet cert print $(puppet master --configprint certname)
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=Puppet CA generated on pe-centos6.puppetlabs.vm at Tue Jan 3 14:54:26 PST 2012
Validity
Not Before: Jan 2 22:55:16 2012 GMT
Not After : Jan 1 22:55:16 2017 GMT
Subject: CN=pe-centos6.localdomain
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
00:d2:51:86:31:b0:d8:da:80:1c:b9:e3:74:6b:c0:
2a:3c:b2:1a:dd:2b:1e:14:1d:53:b3:de:06:78:a7:
c2:bb:ad:bc:7e:91:60:01:d5:83:a7:14:c5:55:ea:
09:05:4e:c8:6e:83:93:a2:fb:e6:59:11:c1:05:88:
08:53:85:4f:6b:ef:a4:d6:14:6c:d8:56:e9:7c:79:
30:97:3a:fc:71:26:20:c7:15:5c:1b:d7:9d:e9:35:
08:a8:e2:5d:6c:a3:0d:0b:0e:90:dd:51:15:14:d6:
3f:6e:ab:2d:c8:0d:7f:4a:69:a7:7e:17:a2:d5:59:
be:c4:ba:a8:f7:54:db:b5:5f
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:pe-centos6.localdomain, DNS:puppet
X509v3 Basic Constraints: critical
CA:FALSE
Netscape Comment:
Puppet Ruby/OpenSSL Internal Certificate
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Subject Key Identifier:
88:C4:17:D1:16:FA:0E:F0:E9:AC:00:FC:02:E0:81:53:53:8F:F4:71
X509v3 Extended Key Usage: critical
TLS Web Server Authentication, TLS Web Client Authentication
Signature Algorithm: sha1WithRSAEncryption
a2:dc:18:b4:7d:56:4a:5b:22:fc:72:7e:37:a9:cd:05:5b:39:
63:92:75:0b:1f:05:f7:60:2d:85:ea:79:b5:55:ba:b4:e4:6f:
10:00:3b:e2:f0:e2:89:ac:82:5f:2e:c5:45:20:33:75:35:a6:
51:3d:fd:a1:7f:38:6f:9c:71:6f:5f:a4:8d:7d:a7:cc:4e:ed:
f2:46:9c:a4:b1:4f:83:19:e1:57:83:07:ac:54:ce:84:af:48:
7f:ca:52:f2:2b:0f:b1:5a:02:aa:4f:7e:f1:e2:12:77:d2:2f:
6a:b5:92:61:69:1e:c6:10:3e:8e:c3:b9:0d:a7:2a:8b:ff:17:
bc:81
关注名为Subject:
和X509v3 Subject Alternative Name:
的两个字段,如果在第一步(puppetmaster.acme.com
)中找到的名称未在这两个字段中列出,则您肯定会收到主机名与您收到的服务器证书警告不匹配的警告
要解决此问题,只需使用puppet代理--server
,其中
是主机使用的证书中列出的内容
您不需要重新颁发证书来解决此问题
希望这能有所帮助。非常感谢提供的信息:)对于ubuntu实例,我使用EC2实例主机名而不是puppet,效果很好:)非常感谢提供的信息:)对于ubuntu实例,我使用EC2实例主机名而不是puppet,效果很好:)