# puppet cert --sign client.example.com
This signs the client's certificate.
(3) On the client, run the following to retrieve the approved certificate:
puppetd -t --server server.example.com
Once the certificate request succeeds, a trust relationship exists between the two hosts, and their copies of the certificate have the same MD5 digest:
[root@server ~]# md5sum /etc/puppet/ssl/ca/signed/client.example.com.pem
cabbc4b1bd582599c12025246ff3db8e /etc/puppet/ssl/ca/signed/client.example.com.pem
[root@client ~]# md5sum /var/lib/puppet/ssl/certs/client.example.com.pem
cabbc4b1bd582599c12025246ff3db8e /var/lib/puppet/ssl/certs/client.example.com.pem
8. Start the client service
# /etc/init.d/puppet start

Some errors encountered while installing Puppet, and how to resolve them
The following errors appeared when connecting to the server:
1.
err: Could not retrieve catalog from remote server: certificate verify failed
warning: Not using cache on failed catalog
Solution: the client and server clocks are out of sync; an SSL connection depends on the host time being correct. Run the time-sync command /sbin/ntpdate asia.pool.ntp.org, then request the certificate again. Note that clearing /var/lib/puppet/ssl discards the client's key and certificate, so the agent generates a new key and a new certificate request on the next run:
rm -rf /var/lib/puppet/ssl/*
/sbin/ntpdate asia.pool.ntp.org
puppetd -t --server server.example.com
2.
dnsdomainname: Unknown host
Solution: check the machine's hostname setting, and whether the hostname has been added to /etc/hosts.
3.
err: Could not request certificate: getaddrinfo: Name or service not known
Solution: the server has no hostname binding configured in hosts; add it to /etc/hosts.
4.
warning: peer certificate won't be verified in this SSL session
Solution: the server has not yet signed and returned the certificate; use puppet cert --list to see the pending requests.
5.
info: Creating a new SSL key for client.puppet
err: Could not request certificate: No route to host - connect(2)
Exiting; failed to retrieve certificate and waitforcert is disabled
Solution: stop and flush the iptables rules, and disable SELinux. (The connection can also be allowed without disabling the firewall entirely, by opening only the puppetmaster port, 8140 by default.)
6.
err: Could not call puppetca.getcert: #<Errno::ENETUNREACH: Network is unreachable - connect(2)>
err: Could not request certificate: Certificate retrieval failed: Network is unreachable - connect(2)
Solution: configure the host information and install Puppet in the correct order.
First configure the host information and make sure that both sides can reach each other with ping XXXXXX (the hostname);
then configure puppetmaster on the server, and finally configure puppet on the client.
7.
Running service puppetmaster start fails with:
Permission denied - /var/lib/puppet/run/master.pid (Errno::EACCES)
Solution:
chown -R puppet /var/lib/puppet/
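The errors above have a small set of root causes: unresolvable hostnames, clock skew between the hosts, a certificate that has not been signed yet, and a PID directory the puppet user cannot write. The following POSIX shell script is an added example, not code from the original page or from the Puppet project; it turns those causes into pre-flight checks an administrator can run before puppetd -t. The certificate paths are the ones the page uses; the server name, the skew tolerance, the PID path and the use of ssh to read the server's clock are assumptions of this example. It compares the two certificate copies byte for byte and logs a SHA-256 digest; the page's md5sum works for the same purpose, since only identity of the two files is being checked, not collision resistance.

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight checks for a Puppet
# agent, one per failure mode listed above. Paths follow the page; the server
# name, skew tolerance and PID path are hypothetical arguments.

# same_cert FILE_A FILE_B
# Succeeds when both files are byte-for-byte identical, i.e. the agent's
# certificate matches the copy the CA signed (fetch the CA's copy out of band,
# e.g. with scp, before comparing). Prints a digest of each file for the log.
same_cert() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    for f in "$1" "$2"; do
        sha256sum "$f" 2>/dev/null || echo "(no sha256sum available) $f"
    done
    cmp -s "$1" "$2"
}

# clock_skew_ok LOCAL_EPOCH REMOTE_EPOCH MAX_SECONDS
# Error 1 ("certificate verify failed") is usually clock skew: the agent
# rejects a certificate whose validity window has not started on its clock.
# Succeeds when the two clocks differ by at most MAX_SECONDS.
clock_skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( 0 - diff ))
    [ "$diff" -le "$3" ]
}

# name_resolves HOST
# Errors 2 and 3 (dnsdomainname / getaddrinfo) come from a hostname that
# neither /etc/hosts nor DNS can resolve.
name_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# pid_path_writable PIDFILE
# Error 7: puppetmaster cannot create its PID file when /var/lib/puppet/run
# is not writable by the puppet user. Run as that user to see the daemon's view.
pid_path_writable() {
    dir=$(dirname "$1")
    [ -d "$dir" ] && [ -w "$dir" ]
}

# preflight SERVER [MAX_SKEW_SECONDS]
# Runs the checks in the order the page's item 6 recommends: name resolution
# first, then the clocks (assumption: the server's clock is readable over ssh),
# then the presence of a signed certificate in the page's agent cert path.
preflight() {
    server=$1
    max_skew=${2:-300}
    rc=0
    name_resolves "$server" \
        || { echo "FAIL: $server does not resolve (check /etc/hosts)"; rc=1; }
    remote=$(ssh "$server" date +%s 2>/dev/null)
    if [ -n "$remote" ]; then
        clock_skew_ok "$(date +%s)" "$remote" "$max_skew" \
            || { echo "FAIL: clock skew over ${max_skew}s; run ntpdate on both hosts"; rc=1; }
    else
        echo "SKIP: could not read the clock on $server"
    fi
    local_cert=/var/lib/puppet/ssl/certs/$(hostname -f).pem
    [ -r "$local_cert" ] \
        || { echo "FAIL: no signed certificate at $local_cert; run 'puppet cert --list' on the server"; rc=1; }
    return $rc
}

# Usage: sh preflight.sh server.example.com [max_skew_seconds]
if [ $# -gt 0 ]; then
    preflight "$@"
fi
```

Each check is a plain function returning success or failure, so they can be sourced into other scripts or wired into monitoring; a non-zero exit from preflight means at least one of the page's known failure causes is present before the agent is even started.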