I have 2 agent nodes and one master configured. The certificates were signed without problems. I ran puppet apply site.pp on the master and everything went fine. However, none of the agents applied it, so I ran this on one of them:
sudo puppet agent -t
The output was:
Notice: Skipping run of Puppet configuration client; administratively disabled (Reason: 'Disabled by default on new or unconfigured old installations');
Use 'puppet agent --enable' to re-enable.
So I ran:
sudo puppet agent --enable
and then again:
sudo puppet agent -t --debug
This is the output:
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cluster-b665-m.c.some_project-182409.internal]
Info: Retrieving pluginfacts
Debug: Failed to load library 'msgpack' for feature 'msgpack'
Debug: Puppet::Network::Format[msgpack]: feature msgpack is missing
Debug: file_metadata supports formats: pson b64_zlib_yaml yaml raw
Debug: Creating new connection for https://cluster-b665-m.europe-west1-b.c.some_project-182409.internal:8140
Debug: Starting connection for https://cluster-b665-m.europe-west1-b.c.some_project-182409.internal:8140
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cluster-b665-m.c.some_project-182409.internal]
Debug: Failed to load library 'msgpack' for feature 'msgpack'
Debug: Puppet::Network::Format[msgpack]: feature msgpack is missing
Debug: file_metadata supports formats: pson b64_zlib_yaml yaml raw
Debug: Creating new connection for https://cluster-b665-m.europe-west1-b.c.some_project-182409.internal:8140
Debug: Starting connection for https://cluster-b665-m.europe-west1-b.c.some_project-182409.internal:8140
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://cluster-b665-m.europe-west1-b.c.some_project-182409.internal/pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cluster-b665-m.c.some_project-182409.internal]
Wrapped exception:
...
Wrapped exception:
SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cluster-b665-m.c.some_project-182409.internal]
Debug: Finishing transaction 29645260
Debug: Loading external facts from /var/lib/puppet/facts.d
Debug: Failed to load library 'msgpack' for feature 'msgpack'
Debug: Puppet::Network::Format[msgpack]: feature msgpack is missing
Debug: catalog supports formats: pson b64_zlib_yaml yaml dot raw
Debug: Creating new connection for https://cluster-b665-m.europe-west1-b.c.some_project-182409.internal:8140
Debug: Starting connection for https://cluster-b665-m.europe-west1-b.c.some_project-182409.internal:8140
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cluster-b665-m.c.some_project-182409.internal]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Debug: Executing '/etc/puppet/etckeeper-commit-post'
Debug: Creating new connection for https://cluster-b665-m.europe-west1-b.c.some_project-182409.internal:8140
Debug: Starting connection for https://cluster-b665-m.europe-west1-b.c.some_project-182409.internal:8140
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=cluster-b665-m.c.some_project-182409.internal]
How should I deal with this?
Best answer
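This could be a number of things. Is it listening on the appropriate port to allow this server to issue SSL to your agent, or is it being blocked by other means (firewall/iptables/etc.)?
These are all just guesses, but it seems your agent is not connecting to the master or something is wrong with the SSL certificate. You may need to delete the ssl from the directory and reissue/re-sign. I would first make sure the agent is able to connect to the master, then run "puppet cert list --all" and see whether anything is going on with that agent, or whether the master has a certificate for the agent at all.
To manually delete and reissue the certificate, you can see my answer here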
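
The following is an added example, not part of the original question or answer. It reproduces the "unable to get local issuer certificate" error from the debug output with two throwaway CAs, and `check_chain` is the same check that can be pointed at an agent's CA file and the master's certificate. The CA names, the host name master.example.internal and the function names are constructed for the illustration.

```bash
#!/usr/bin/env bash
# Added example with constructed data: two throwaway CAs stand in for the CA
# that signed the master's certificate and a different CA file on the agent.

# make_ca DIR NAME: create a self-signed CA key and certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_leaf DIR CA CN: issue a server certificate for CN signed by CA.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# check_chain CA_FILE CERT: print "ok" if CERT chains to CA_FILE,
# otherwise print the reason openssl gives for the failure.
check_chain() {
  local out reason
  if out=$(openssl verify -CAfile "$1" "$2" 2>&1) && ! printf '%s\n' "$out" | grep -q '^error'; then
    echo ok
  else
    reason=$(printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n1)
    echo "${reason:-$out}"
  fi
}

demo() {
  local d
  d=$(mktemp -d)
  make_ca "$d" current-ca   # CA that signed the master's certificate
  make_ca "$d" other-ca     # assumed scenario: agent trusts a different CA
  make_leaf "$d" current-ca master.example.internal
  echo "agent trusts signing CA:   $(check_chain "$d/current-ca.pem" "$d/leaf.pem")"
  echo "agent trusts different CA: $(check_chain "$d/other-ca.pem" "$d/leaf.pem")"
  rm -rf "$d"
}
demo
```

On an agent, `puppet agent --configprint localcacert` prints the CA file to pass as the first argument to `check_chain`.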
Regarding "ssl - puppet agent broken after running it manually", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/48631597/