無法從Puppet主服務器檢索Puppet代理SSL證書

Question

我已經配置了Puppet Master-Agent設置（操作系統：Ubuntu）。 兩者都可以互相ping / ssh。 DNS設置正確。 當執行'puppet agent -t'生成證書時，Agent拋出錯誤時，Master可以生成新的CA和證書。

我在解決方案中收到錯誤，並且按照建議執行並進一步收到：

Exiting; failed to retrieve certificate and waitforcert is disabled

請幫助解決這一問題。 以下是/etc/puppet/puppet.conf（與Master-Agent相同）

#Settings in [main] are used if a more specific section does not set a value.
[main]
    certname = puppetmaster01.example.com
    logdir=/var/log/puppet
    vardir=/var/lib/puppet
    basemodulepath = /etc/puppetlabs/puppet/environments/production/modules:/opt/puppet/share/puppet/modules
    ssldir=/var/lib/puppet/ssl
    rundir=/var/run/puppet
    factpath=$vardir/lib/facter
    server = puppetmaster01.example.com
    user = puppet
    group = puppet
    archive_files = true
    archive_file_server = puppetmaster01.example.com

[master]
# This section is used by the Puppet master and Puppet cert applications.
    dns_alt_names = puppet,puppet.example.com,puppetmaster01,puppetmaster01.example.com,puppetagent01,puppetagent01.example.com
    certname = puppetmaster01.example.com
    reports = http,puppetdb
    reporturl = https://localhost:443/reports/upload
    node_terminus = exec
    external_nodes = /etc/puppetlabs/puppet-dashboard/external_node
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY
    storeconfigs_backend = puppetdb
    storeconfigs = true
    autosign = true

# This section is used by the Puppet agent application.
[agent]
    report = true
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
    graph = true
    pluginsync = true
    environment = production

Answer 1

在人偶主控/代理部署中以及從文檔中，管理員將需要在人偶主控上簽署客戶端的證書。 你在木偶大師上簽署了證書嗎？

取決於您所使用的木偶版本：嘗試運行sudo puppetserver ca sign fullnameOFhost.something.com或sudo puppet cert sign <name of host>

您可以通過再次運行sudo puppet cert list或sudo puppetserver ca list來查看需要簽名的優秀客戶端證書，具體取決於版本。