How do I get Puppet to provide the proper certificate?


I'm trying to connect my puppet master and my puppet client, and I'm having trouble with the certificates. I originally tried using the puppetmaster's IP address (since we don't have DNS set up), but now I think that whenever I set up a new machine I'll have to edit the hosts file to map puppet to its IP.

So once I did that, I still had problems. Some background: on the master, I have tried several times to delete the server certificate and create a new one. I think that is what's causing the problem, because the log says it is revoked. devtest is the puppet agent.

This is what happens when I try to test the agent:

[root@devtest puppet]# puppet agent --test --server puppet
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://puppet/pluginfacts: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Wrapped exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://puppet/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Wrapped exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Could not retrieve fact='ipaddress', resolution='<anonymous>': Could not execute 'host devtest': command not found
Could not retrieve fact='ipaddress', resolution='<anonymous>': Could not execute 'host devtest': command not found
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
That worked. Now I restart Apache and get an error. Running systemctl status httpd.service doesn't say anything useful, but /var/log/httpd/puppet-server-example.com_ssl_error.log has:

[Fri Aug 01 18:48:49.383002 2014] [ssl:warn] [pid 25661] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Aug 01 18:48:49.383028 2014] [ssl:warn] [pid 25661] AH01909: RSA certificate configured for servername.mydomain.com:8140 does NOT include an ID which matches the server name
[Fri Aug 01 18:48:49.383044 2014] [ssl:emerg] [pid 25661] AH02238: Unable to configure RSA server private key
[Fri Aug 01 18:48:49.383071 2014] [ssl:emerg] [pid 25661] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

At this point I'm just guessing what the settings in the config files should be. I assume some config file needs to change, either the Apache config or the Puppet config, but at this point I'm not sure which certificate is the right one. I have certificates in /var/lib/puppet/ssl and in /etc/puppet/ssl.

There are several problems with your setup. You are indeed right that you need to

  • choose an FQDN for the master and make sure the agent can resolve it
    • through the appropriate hosts file, or
    • through dnsmasq
  • tell the master to use that name as its SSL CN

First, make sure the master uses the correct name. Add this to /etc/puppet/puppet.conf on the master:

    [master]
    certname=server.mydomain.com

Restart the master. It should sign a new certificate for itself (note how it took 10.128.119.155 to be its own name and used that as the CN, which is unwise).

Next, make sure Apache uses this certificate rather than the CA certificate:

    SSLCertificateFile /var/lib/puppet/ssl/certs/server.mydomain.com.pem

(You can use puppet master --configprint ssldir to make sure /var/lib/puppet/ssl is the right path.)

Your master should now have a valid certificate. If the agent reaches it via its FQDN, the SSL handshake should succeed.
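An added pre-flight check, not from the question, the answer, or Puppet itself: a POSIX shell script that runs the three tests behind the Apache warnings above (CA certificate served as server certificate, no name matching the server, private key mismatch) against a cert/key pair before httpd is restarted. The function names are assumptions, and make_demo_certs generates throwaway keys and certificates for server.mydomain.com so the script runs offline.

```shell
#!/bin/sh
# check_master_cert CERT.pem KEY.pem server.mydomain.com  -> exit status = number of failed checks
# Checks mirror the ssl_error.log lines: AH01906 (CA cert used as server cert),
# AH01909 (no ID matching the server name), AH02238 / X509_check_private_key (key mismatch).
check_master_cert() {
    cert=$1; key=$2; name=$3; failures=0
    # 1. A CA certificate (basicConstraints CA:TRUE) is the CA, not the server's identity.
    if openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "FAIL: $cert is a CA certificate; point SSLCertificateFile at the certname cert"
        failures=$((failures + 1))
    fi
    # 2. The name agents connect to must be the subject CN or a DNS subjectAltName.
    if ! openssl x509 -in "$cert" -noout -checkhost "$name" 2>/dev/null | grep -q 'does match'; then
        echo "FAIL: $cert carries no CN or subjectAltName matching $name"
        failures=$((failures + 1))
    fi
    # 3. The private key must load, and its public half must be the key inside the cert.
    if ! openssl pkey -in "$key" -noout 2>/dev/null; then
        echo "FAIL: cannot load private key $key"
        failures=$((failures + 1))
    elif [ "$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)" != \
           "$(openssl pkey -in "$key" -pubout | openssl sha256)" ]; then
        echo "FAIL: public key in $cert does not match private key $key"
        failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ] && echo "OK: $cert is a usable server certificate for $name"
    return "$failures"
}

# Constructed demo material (throwaway keys, not the OP's files): a CA-style cert that
# reproduces the failure and a proper server cert for server.mydomain.com, written to $1.
make_demo_certs() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server.mydomain.com\n' > "$d/srv.ext"
    for n in ca srv; do
        [ "$n" = ca ] && cn='Puppet CA' || cn=server.mydomain.com
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
        openssl x509 -req -days 1 -in "$d/$n.csr" -signkey "$d/$n.key" \
            -extfile "$d/$n.ext" -out "$d/$n.crt" 2>/dev/null
    done
}

# Stand-alone demo (sh check_master_cert.sh --demo): the CA cert fails twice, the server cert passes.
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d) && make_demo_certs "$dir"
    check_master_cert "$dir/ca.crt" "$dir/ca.key" server.mydomain.com
    check_master_cert "$dir/srv.crt" "$dir/srv.key" server.mydomain.com
    rm -rf "$dir"
fi
```

On the master you would run it against /var/lib/puppet/ssl/certs/server.mydomain.com.pem and the matching key in the private_keys directory of the same ssldir (Puppet's standard layout).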

So the same goes for the FQDN of the master or of the agent.

But unfortunately, as I said, we don't have DNS set up, so I'm not sure exactly what needs to be done to make this work. I have added server.mydomain.com to the client's hosts file. I have to make sure I'm connecting to the master through that name rather than the IP address. Is there anything else I need to do?