Docker puppet中的SSL证书验证失败


I have a docker container with a puppet master in it. It was created from the image puppet/puppetserver

CONTAINER ID        IMAGE                 COMMAND                  CREATED             STATUS                    PORTS                    NAMES
1a3e942655e0        puppet/puppetserver   "dumb-init /docker-e…"   32 minutes ago      Up 32 minutes (healthy)   0.0.0.0:8140->8140/tcp   puppet
puppetserver container details:

Hostname: puppet
FQDN: puppet.openvpn
The puppet agent is running in a vagrant box on the same host as docker. When I run
puppet agent -td
from the vagrant box, I get the following error -

Info: Creating a new SSL key for localhost.localdomain
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for localhost.localdomain
Info: Certificate Request fingerprint (SHA256): A8:F0:9D:F2:2C:A0:AC:0B:66:55:90:64:64:B2:62:47:7F:DC:F0:18:18:A6:79:C0:BE:1D:00:B6:5E:F4:C3:18
Info: Downloaded certificate for localhost.localdomain from puppetserver
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
Error: Could not retrieve catalog; skipping run
Vagrant puppet agent details:

Hostname: localhost.localdomain

/etc/hosts:

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.100.2.1 puppetserver
192.100.2.1 -> ip of the host inside vagrant

/etc/puppetlabs/puppet/puppet.conf

[agent]
server = puppetserver
When I run
puppet agent -t
I can see the signed certificate generated for the vagrant puppet agent on the master and in the logs

  • Are these certificates generated incorrectly?
  • Which certificate is being rejected here?

According to its configuration, the agent uses the name "puppetserver" to identify and contact the server. Its output confirms this.

The agent successfully creates a CSR, submits it to the machine "puppetserver", and receives a signed certificate. This shows that it is successfully contacting the server, and it is entirely reasonable to expect the server to accept a certificate it has itself just signed.

So the problem is probably with the master's certificate. Most likely this is related to the fact that the puppetserver machine identifies itself as "puppet.openvpn", so that is probably the name the master's certificate was issued for, while the agent contacts the master using a different name. A mismatch between the name on the certificate and the agent's understanding of the name of the machine it is talking to is a good reason for the agent to reject the certificate.

With some attention to custom configuration, it is possible to arrange for the master's certificate to use a name different from its hostname. However, the simpler approach is to be consistent about the name used to identify that machine. Along those lines, I recommend always relying on fully qualified names.

On the other hand, if the agents all have the same hostname as each other (i.e. localhost.localdomain), you will also run into problems as you continue with the agents, unless you again take care in their puppet configuration to ensure they use different, unique names on their certificates. The path of least resistance is to give your machines proper names, and to do so before registering them with the puppet master.
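To see the name mismatch the answer describes in isolation, here is an added example (not from the question or the answer, and not Puppet's own code): it issues a throwaway self-signed certificate for the names the master knows itself by, then asks OpenSSL whether that certificate is valid for the name the agent has in server = ("puppetserver") versus the FQDN. It assumes OpenSSL 1.1.1 or newer is on the PATH; the hostnames are taken from the question, the certificate is constructed here.

```shell
#!/bin/sh
# Added example (not from the question or answer): reproduce the hostname
# mismatch with a throwaway self-signed certificate and OpenSSL's own checker.
# Names mirror the question; the certificate itself is constructed here.
set -eu

command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The master identifies itself as puppet / puppet.openvpn, so that is what
# the certificate is issued for (CN plus subjectAltName; checkers use the SAN).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/master.key" -out "$WORK/master.crt" \
  -subj "/CN=puppet.openvpn" \
  -addext "subjectAltName=DNS:puppet,DNS:puppet.openvpn" >/dev/null 2>&1

# verify_for_name NAME: exit 0 only if the master certificate is valid for
# NAME, i.e. what an agent configured with "server = NAME" would require.
verify_for_name() {
    openssl verify -CAfile "$WORK/master.crt" -verify_hostname "$1" \
        "$WORK/master.crt" >/dev/null 2>&1
}

# cert_names: print the DNS names the certificate actually carries, one per line.
cert_names() {
    openssl x509 -in "$WORK/master.crt" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

echo "Names on the master certificate:"
cert_names
for name in puppetserver puppet puppet.openvpn; do
    if verify_for_name "$name"; then
        echo "server = $name  -> certificate accepted"
    else
        echo "server = $name  -> certificate rejected (hostname mismatch)"
    fi
done
```

The same check against a live master is openssl s_client -connect puppetserver:8140 -verify_hostname puppetserver, which reports the SAN list and the mismatch without touching the agent's own certificate.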