qq591577286 posted on 2018-8-3 10:34:43

Puppet certificate problem

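  Source: http://cnctblog.com/2010/11/460.html
  The Puppet client and server connect over SSL. The server has a self-signed root
  certificate, which is generated automatically when the software is installed.
  Note: set the host name before installing the software, because the host name is
  written into the certificate when it is generated. If you change the host name
  after the certificate has been generated, the connection will fail; many
  beginners run into this problem. Each client's certificate must be signed by the
  root certificate before the client can connect to the server. So first run the
  following command on the client to ask the server to sign its certificate.
  # puppetd --server server.puppet.com --test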
  err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
  Exiting; failed to retrieve certificate and waitforcert is disabled
  Solution: delete the client's certificates: rm -rf /var/lib/puppet
  # puppetd --server server.puppet.com --test
  info: Creating a new SSL key for client.puppet.com
  warning: peer certificate won't be verified in this SSL session
  info: Caching certificate for ca
  warning: peer certificate won't be verified in this SSL session
  warning: peer certificate won't be verified in this SSL session
  info: Creating a new SSL certificate request for client.puppet.com
  warning: peer certificate won't be verified in this SSL session
  warning: peer certificate won't be verified in this SSL session
  warning: peer certificate won't be verified in this SSL session
  Exiting; no certificate found and waitforcert is disabled
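  Running the command above makes the client generate its certificate and send a
  certificate signing request to the server. Log in to the server and run the
  following command to check whether there is a certificate request from the client:
  puppetca --list
  If you see the client's certificate request, sign all pending certificate
  requests with the following command:
  puppetca -s -a
  The client and server are now configured.
  Then run on the client: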
  # puppetd --server server.puppet.com --test
  warning: peer certificate won't be verified in this SSL session
  info: Caching certificate for client.puppet.com
  info: Caching certificate_revocation_list for ca
  info: Caching catalog for client.puppet.com
  info: Applying configuration version '1288776525'
  notice: //Node/File/content: defined content as 'unknown checksum'
  info: Creating state file /var/lib/puppet/state/state.yaml
  notice: Finished catalog run in 0.03 seconds
  OK, solved.
  --END--
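
Added example (not part of the original post or the source blog): a shell check for the two failure causes described above, a certificate that no longer matches the client's private key and a host name changed after the certificate was issued. The function names are hypothetical, the openssl CLI is assumed to be installed, and the keys and certificate are constructed sample data rather than files from a real Puppet agent.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are hypothetical;
# requires the openssl CLI. All sample keys/certs are constructed below.

# Succeeds only if the certificate's public key equals the private key's.
cert_matches_key() {   # $1 = certificate PEM, $2 = private key PEM
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Prints the CN from the certificate subject (the host name written at issue time).
cert_cn() {            # $1 = certificate PEM
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/^subject= *\(.*,\)*CN=\([^,]*\).*/\2/p'
}

# Prints ok, key-mismatch or name-mismatch for a cert/key/host-name triple.
diagnose() {           # $1 = cert, $2 = key, $3 = current host name
    if ! cert_matches_key "$1" "$2"; then
        echo "key-mismatch"
    elif [ "$(cert_cn "$1")" != "$3" ]; then
        echo "name-mismatch"
    else
        echo "ok"
    fi
}

# Constructed sample: a cert issued for old.key, plus a regenerated new.key.
make_demo() {          # $1 = empty working directory
    openssl genrsa -out "$1/old.key" 2048 2>/dev/null
    openssl genrsa -out "$1/new.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/old.key" -subj "/CN=client.puppet.com" \
        -days 1 -out "$1/client.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
diagnose "$demo_dir/client.pem" "$demo_dir/old.key" client.puppet.com   # cert and key agree
diagnose "$demo_dir/client.pem" "$demo_dir/new.key" client.puppet.com   # key was regenerated
diagnose "$demo_dir/client.pem" "$demo_dir/old.key" renamed.puppet.com  # host was renamed
rm -rf "$demo_dir"
```

Running the same comparison against the agent's own certificate and private key shows which of the two causes applies before anything under /var/lib/puppet is deleted.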