Puppet installed on a utility node

Problem description

I am running Puppet version 6 on a utility node, and when I try to connect from the Puppet agent to the Puppet master I get this error:

[root@utility ~]# puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=utility.example.com]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=utility.example.com]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=utility.example.com]
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=utility.example.com]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=utility.example.com]
Info: Loading facts
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=utility.example.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

Also, when I run puppet cert list --all, the agent's certificate does not show up on the master:

Warning: `puppet cert` is deprecated and will be removed in a future release.
   (location: /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application.rb:370:in `run')

Solution

Since the agent is not issuing a certificate signing request, it must already have a signed certificate. But this does not appear to be a certificate the master recognizes, so the master will not accept it. The agent may also not accept the master's certificate.

If an unauthorized node tries to retrieve a catalog, then the master refusing to serve an unrecognized agent is exactly what is expected and wanted. If an agent's catalog request were delivered to an impostor posing as the master, then the agent refusing to complete the connection with that master is exactly what one would expect and want.

However, if an authorized agent has this problem when requesting a catalog from the genuine master that it should recognize, then you have a trust failure. This can happen, for example, if the agent's original master was replaced with a new one, or if Puppet was removed from the master and then reinstalled.

If the master really does not have a certificate for the agent, you should be able to fix this by shutting down the agent (if it is running as a daemon) and then clearing its certificate so that a new one is generated on the next run. The Puppet documentation describes how this can be done (you only need to perform step 3, "Clear and regenerate certs for Puppet agents", and only for the affected agent).
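As an added diagnostic that is not part of the original answer: a POSIX shell script that checks whether the agent's own certificate and its CRL were issued by the CA in the agent's trusted certs/ca.pem, which is the mismatch behind the "unable to get certificate CRL" error in the question. It assumes the default Puppet 6 ssldir layout (certs/ca.pem, crl.pem, certs/<certname>.pem) and an openssl binary on the PATH; the script name check_agent_trust.sh is hypothetical.

```shell
#!/bin/sh
# Check that a Puppet 6 agent's certificate and CRL chain to the CA it trusts.
# Assumes the default ssldir layout:
#   <ssldir>/certs/ca.pem, <ssldir>/crl.pem, <ssldir>/certs/<certname>.pem
set -u

# Print the subject or issuer DN of a certificate; $2 is "subject" or "issuer".
cert_dn() {
  openssl x509 -in "$1" -noout "-$2" 2>/dev/null | sed 's/^[a-z]*= *//'
}

# Succeed when certificate $1 names CA certificate $2 as its issuer.
issued_by() {
  [ "$(cert_dn "$1" issuer)" = "$(cert_dn "$2" subject)" ]
}

# 0 when CRL $1 was issued by CA $2, 1 when it was issued by someone else,
# 2 when the CRL file is missing altogether.
crl_matches_ca() {
  [ -f "$1" ] || return 2
  crl_issuer=$(openssl crl -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer= *//')
  [ "$crl_issuer" = "$(cert_dn "$2" subject)" ]
}

# check_agent_trust SSLDIR CERTNAME: 0 when everything chains to certs/ca.pem,
# otherwise 1 with one finding per line on stdout.
check_agent_trust() {
  ssldir=$1; certname=$2; rc=0
  ca="$ssldir/certs/ca.pem"
  [ -f "$ca" ] || { echo "missing trusted CA certificate $ca"; return 1; }
  if ! issued_by "$ssldir/certs/$certname.pem" "$ca"; then
    echo "agent certificate for $certname is missing or was not issued by $(cert_dn "$ca" subject)"
    rc=1
  fi
  crl_rc=0
  crl_matches_ca "$ssldir/crl.pem" "$ca" || crl_rc=$?
  case $crl_rc in
    1) echo "crl.pem was issued by a different CA than certs/ca.pem"; rc=1 ;;
    2) echo "crl.pem is missing, so revocation cannot be checked"; rc=1 ;;
  esac
  return $rc
}

# Stand-alone use: ./check_agent_trust.sh [SSLDIR] [CERTNAME]; with no arguments
# the paths are read from the local puppet install when one is present.
if [ $# -gt 0 ] || command -v puppet >/dev/null 2>&1; then
  check_agent_trust "${1:-$(puppet config print ssldir)}" "${2:-$(puppet config print certname)}"
fi
```

A non-zero exit with the "not issued by" finding is the trust failure the answer describes; the fix is then the clear-and-regenerate step for that agent, not loosening verification.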