Certificate: puppetmaster not signing certificate


I am using puppet and cobbler, and I have a problem with certificate signing. I have configured things so that cobbler revokes the puppet client certificate when a puppet-managed machine is reinstalled. The revocation part works fine, and the puppetmaster lists a new client certificate, but the puppetmaster fails to sign it, so the puppet client cannot run.

This is the output when I list all certificates on the puppet master:

# puppet cert list -a
+ "spacewalk"               (SHA256) E3:63:F1:9A:10:1E:AD:20:72:DA:17:0E:0F:EB:F5:2B:9E:7E:26:80:8D:58:2E:28:A2:2D:68:01:F7:BD:A8:B3 (alt names: "DNS:puppet", "DNS:puppet.playground.local", "DNS:spacewalk")
- "p1.playground.local" (SHA256) CD:AD:3E:04:04:C0:84:88:A0:67:F7:56:57:F1:67:82:43:31:CE:37:71:10:01:AD:15:DE:5A:0E:2E:7C:63:DE (unable to get local issuer certificate)
This is the error I get when I run puppet agent -t on the puppet client:

err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
This is the error I get when I try to have the master sign the certificate:

# puppet cert sign p1.playground.local
Error: Could not find certificate request for p1.playground.local
# puppet agent -t 
info: Creating a new SSL key for p1.playground.local
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for p1.playground.local
info: Certificate Request fingerprint (md5): 65:F0:6D:8D:66:89:57:13:11:A6:DD:02:DF:DC:C1:7B
warning: peer certificate won't be verified in this SSL session
err: Could not request certificate: Could not intern from s: nested asn1 error
Exiting; failed to retrieve certificate and waitforcert is disabled
This is the error I get when revoking the certificate after running puppet agent -t:

# puppet cert sign p1.playground.local
Error: Could not find certificate request for p1.playground.local
# puppet agent -t 
info: Creating a new SSL key for p1.playground.local
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for p1.playground.local
info: Certificate Request fingerprint (md5): 65:F0:6D:8D:66:89:57:13:11:A6:DD:02:DF:DC:C1:7B
warning: peer certificate won't be verified in this SSL session
err: Could not request certificate: Could not intern from s: nested asn1 error
Exiting; failed to retrieve certificate and waitforcert is disabled
I deleted the /var/lib/puppet/ssl directory on the client, re-ran puppet agent -t, and got the same errors as above.

Finally, I tried deleting the /var/lib/puppet/ssl directory on both the master and the client, regenerated the certificates, and everything worked. Although I could delete the ssl directory every time before starting an automated install, it would be nice not to have to do it manually.

Thanks for your help.

Thanks.

Missed the versions. The master runs 3.7.4-1 and the client 2.6.12-0.10.1.

What is your question?

You have to revoke the client certificate on the master and clean it to make way for a new certificate of the same name. Then the agent on the rebuilt system has to issue a certificate signing request (which it will do on its first run) before the master can sign it.

@JohnBollinger I added a script to the kickstart that revokes the certificate. It used to work. Sorry, in my post I should have said that I revoked and cleaned the certificate, not just revoked it. Then the puppet master added the client certificate but did not sign it, which caused puppet on the client not to run. That is when I tried deleting the /var/lib/puppet/ssl directory on both the master and the client, and it worked. I don't like doing this manually.

@FelixFrank My question is how to solve the problem of having to manually delete the /var/lib/puppet/ssl directory on the master every time I install a new system and generate a new certificate. I want puppet on the client to run automatically once the OS install completes.