SSL certificate verification failure in puppet
I have a docker container running with puppet master in it. It's created from the image puppet/puppetserver.
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1a3e942655e0 puppet/puppetserver "dumb-init /docker-e…" 32 minutes ago Up 32 minutes (healthy) 0.0.0.0:8140->8140/tcp puppet
Details of the puppetserver container:
Hostname: puppet
FQDN: puppet.openvpn
The puppet agent is running from a vagrant box on the same host as the docker. When I run puppet agent -td from the vagrant box I get the following error -
Info: Creating a new SSL key for localhost.localdomain
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for localhost.localdomain
Info: Certificate Request fingerprint (SHA256): A8:F0:9D:F2:2C:A0:AC:0B:66:55:90:64:64:B2:62:47:7F:DC:F0:18:18:A6:79:C0:BE:1D:00:B6:5E:F4:C3:18
Info: Downloaded certificate for localhost.localdomain from puppetserver
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppet.openvpn]
Error: Could not retrieve catalog; skipping run
Details of vagrant puppet agent:
Hostname: localhost.localdomain
/etc/hosts:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.100.2.1 puppetserver
192.100.2.1 -> ip of host machine from within vagrant
/etc/puppetlabs/puppet/puppet.conf
[agent]
server = puppetserver
I am able to see the signed certificates generated for the vagrant puppet agent in the master and also in the logs when I run puppet agent -t.
Per its configuration, the agent is using the name 'puppetserver' to identify and contact the server. Its output confirms this.
The agent successfully creates a CSR, submits it to machine 'puppetserver', and receives a signed certificate. This shows that it is contacting the server successfully, and there is every reason to expect that the server will accept the cert that it just signed itself.
Presumably, then, the problem is with the master's certificate. Most likely, it is related to the fact that the puppetserver machine self-identifies as 'puppet.openvpn', so this is probably the name to which the master's certificate is issued, whereas the agent uses a different name to contact the master. A mismatch between the name on the cert and the agent's idea of the name of the machine it's talking to is good reason for the agent to reject the cert.
It is possible, with some attention to custom configuration, to arrange for the master's certificate to bear a different name than its own idea of its host name. Easier, though, is to just be consistent with the name used to identify that machine. And along those lines, I recommend relying consistently on fully-qualified names.
As a separate matter, you'll also run into trouble going forward with agents that have the same hostname as each other (i.e. localhost.localdomain) unless, again, you take care with their puppet configuration to ensure that they use different, unique names on their certificates. The path of least resistance is to give proper names to your machines, and to do so before registering them with a Puppet master.
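An added illustration of the name mismatch this answer describes (example code, not from Puppet and not from the answer's author): a minimal version of the hostname check a TLS client performs against a server certificate, run over the names from the question. The certificate contents are constructed, in the shape Python's ssl getpeercert() returns; the second certificate assumes the master's certificate was reissued with the extra alias the agent uses (in puppetserver that is the dns_alt_names setting).

```python
"""Minimal RFC 6125-style hostname check, applied to the names in the question."""


def names_from_cert(cert):
    """DNS names a client may match against. If subjectAltName carries DNS
    entries, only those count; the subject commonName is a fallback otherwise."""
    san = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def _label_match(pattern, hostname):
    """Case-insensitive match; a wildcard is only honoured in the left-most label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 1 and p[1:] == h[1:]
    return p == h


def hostname_matches(cert, server_name):
    """True if the name the agent dialled is covered by the certificate."""
    return any(_label_match(n, server_name) for n in names_from_cert(cert))


# Constructed: the master's certificate when the container self-identifies
# as puppet.openvpn (CN plus the alt names its CA put on it).
MASTER_CERT = {
    "subject": ((("commonName", "puppet.openvpn"),),),
    "subjectAltName": (("DNS", "puppet.openvpn"), ("DNS", "puppet")),
}

# Constructed: the same certificate reissued with the alias the agent uses,
# the "custom configuration" route (dns_alt_names on the master).
MASTER_CERT_WITH_ALIAS = {
    "subject": ((("commonName", "puppet.openvpn"),),),
    "subjectAltName": (("DNS", "puppet.openvpn"), ("DNS", "puppet"), ("DNS", "puppetserver")),
}


def explain(cert, server_name):
    """One-line verdict, useful when debugging 'certificate verify failed'."""
    verdict = "accepted" if hostname_matches(cert, server_name) else "rejected (name not on cert)"
    return f"server={server_name}: {verdict}; cert names: {', '.join(names_from_cert(cert))}"


if __name__ == "__main__":
    print(explain(MASTER_CERT, "puppetserver"))             # the question's failure
    print(explain(MASTER_CERT, "puppet.openvpn"))           # fix: agent uses the FQDN
    print(explain(MASTER_CERT_WITH_ALIAS, "puppetserver"))  # fix: master adds the alias
```

The first call reproduces the rejection in the question's log; the other two show the two remedies the answer outlines, changing the agent's server name or putting the alias on the master's certificate.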