AskOverflow.Dev

user784637
Asked: 2013-04-12 10:04:17 +0800 CST

Could not call sign: Could not find certificate request for puppet


I started using Puppet on EC2 following the guide below.

https://help.ubuntu.com/12.04/serverguide/puppet.html

At the last step, when I try to sign the puppet client from the puppet master, I get the following error

root@ip-10-248-27-66:/home/ubuntu# puppetca --sign ec2-54-245-56-210.us-west-2.compute.amazonaws.com
err: Could not call sign: Could not find certificate request for ec2-54-245-56-210.us-west-2.compute.amazonaws.com

Here is the output of /etc/hosts on the puppet master

127.0.0.1 localhost puppetmaster
10.248.34.162 ec2-54-245-56-210.us-west-2.compute.amazonaws.com puppet

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Here is the output of /etc/hosts on the puppet client

127.0.0.1 localhost
10.248.27.66 ec2-50-112-220-110.us-west-2.compute.amazonaws.com puppetmaster

# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

I followed the troubleshooting suggestions here: https://serverfault.com/a/388973/85577

Is the master running?

root@ip-10-248-27-66:/home/ubuntu# service puppetmaster status
 * master is running

Does the hostname "puppet" or "puppet.abc.com" resolve from the agent?

How would I check this? Do I just telnet to puppetmaster on port 8140 (the host command cannot resolve it, but the telnet command works)?

root@ip-10-248-34-162:/home/ubuntu# host puppetmaster
Host puppetmaster not found: 3(NXDOMAIN)

Is TCP port 8140 on the master reachable from the agent (try: telnet puppet 8140)?

root@ip-10-248-34-162:/home/ubuntu# telnet puppetmaster 8140
Trying 10.248.27.66...
Connected to ec2-50-112-220-110.us-west-2.compute.amazonaws.com.
Escape character is '^]'.

What does the syslog on the agent say?

Apr 11 17:57:41 ip-10-248-34-162 puppet-agent[3897]: Could not request certificate: getaddrinfo: Name or service not known

Try puppet agent --test on the agent; it will attempt to connect to the master and stay in the foreground so the output is shown.

root@ip-10-248-34-162:/home/ubuntu# puppet agent --test
err: Could not request certificate: getaddrinfo: Name or service not known
Exiting; failed to retrieve certificate and waitforcert is disabled

Edit

Thanks to dawud. So the entry in /etc/hosts is correct according to this command

$ getent hosts puppetmaster
10.248.27.66 ec2-50-112-220-110.us-west-2.compute.amazonaws.com puppetmaster

But when I try this I get an error

$ puppet agent --test --waitforcert 5
err: Could not request certificate: Connection refused - connect(2)
err: Could not request certificate: Connection refused - connect(2)
amazon-ec2

3 Answers

  1. Best Answer
    dawud
    2013-04-12T10:51:20+08:00

    Check that both the puppetmaster and the client machine can resolve the puppetmaster's FQDN. To do this, you need to add the puppetmaster IP to /etc/hosts on both machines and then check with:

    $ ping puppetmaster or $ getent hosts puppetmaster

    Check that you can reach the puppetmaster from the client machine

    $ telnet puppetmaster 8140

    If the server refuses the connection, check whether the port is open on the puppetmaster

    # iptables -L -n -v

    or add a rule to allow incoming traffic to that port (this depends on how iptables is configured)

    # iptables -A INPUT -p tcp --dport 8140 -m state --state NEW -j ACCEPT

    and from the client run

    # puppet agent --test --waitforcert 5

    Later, from the puppetmaster

    # puppet cert list

    will show you the certificates waiting to be signed, and you can check that it belongs to the client machine by comparing the fingerprints. To sign it:

    # puppet cert sign $client

    The puppetmaster will compile a catalog for the client, and you can follow how it is applied in the client console.

    To regenerate the certificates on the puppetmaster, stop the puppetmaster and

    # find $(puppet master --configprint ssldir) -name "$(puppet master --configprint certname).pem" -delete

    When you start the puppetmaster again, it will regenerate the certificates for you.

    On the client, it is enough to delete the contents of the ssldir, usually /var/lib/puppet/ssl, but check as above; the next time you call

    # puppet agent --test --waitforcert 5

    it will be recreated.

    Finally, check the CN of the puppetmaster certificate

    # puppet cert list --all

    and match any name/alt name to the entries in /etc/hosts.

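A preflight script for the first two checks in the answer above (does the server name resolve, and does TCP 8140 answer), added here as an example and not code from the question or the answers. It assumes the master listens on 8140 and that /etc/hosts is the name source as in the question, and it reads the agent's configured server name (Puppet's default is `puppet`, which is exactly the name missing from the client's /etc/hosts in the question); the hosts file is parsed directly so a missing entry shows up without touching the live resolver.

```shell
#!/bin/sh
# Preflight for the agent -> master path: does the server name resolve, and does TCP 8140 answer?
# Added example, not from the question or answers. Assumes the master listens on 8140 and that
# /etc/hosts is the name source, as in the question.

# Print the address a hosts file maps NAME to (first match); print nothing if there is none.
hosts_lookup() {  # usage: hosts_lookup <hosts_file> <name>
    awk -v name="$2" '
        { sub(/#.*/, "") }            # strip full-line and trailing comments
        NF < 2 { next }               # need an address plus at least one name
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}

# Succeed only if a TCP connection to HOST:PORT opens within 3 seconds (bash /dev/tcp, no netcat).
tcp_open() {  # usage: tcp_open <host> <port>
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Run the checks in dawud's order against the name the agent is really configured to use.
# Exit 1 = name does not resolve (the agent's getaddrinfo error), 2 = port closed (Connection refused).
preflight() {  # usage: preflight [hosts_file] [server_name]
    hosts_file="${1:-/etc/hosts}"
    server="${2:-$(puppet agent --configprint server 2>/dev/null || echo puppet)}"
    addr=$(hosts_lookup "$hosts_file" "$server")
    if [ -z "$addr" ]; then
        echo "FAIL: no entry for '$server' in $hosts_file; the agent will fail with getaddrinfo"
        echo "      (add the master's IP under that name, or point the agent at a name that exists)"
        return 1
    fi
    echo "ok:   $server -> $addr"
    if ! tcp_open "$addr" 8140; then
        echo "FAIL: $addr:8140 refused or timed out; check 'service puppetmaster status' and 'iptables -L -n -v'"
        return 2
    fi
    echo "ok:   $addr:8140 accepts connections; 'puppet agent --test --waitforcert 5' should now submit a CSR"
}

# Run the check when invoked as a script (sh puppet_preflight.sh [hosts_file] [server_name]);
# when sourced under another name, only the functions are defined.
case "$0" in *puppet_preflight.sh) preflight "$@" ;; esac
```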
  2. vishal.biyani
    2015-03-27T22:50:36+08:00

    One thing mentioned in the discussion here but not in the earlier answers is that sometimes the port behaves strangely. In my case, even though port 8140 was open in iptables, I was getting an error that it could not connect. What helped me were the following commands:

    iptables -F
    service iptables save
    

    Of course, use sudo if the above commands fail for your user. I even added the two commands above to the box's provisioning script, so that if I stop/recreate the box, iptables gets flushed.

  3. Yogesh Raheja
    2016-04-28T22:33:55+08:00

    I ran into the same problem and solved it with a few different adjustments.

    Same error:

    [root@puppetclient puppet]# puppet agent --server yogesh.puppet.com --no-daemonize --verbose
    Error: Could not request certificate: Connection refused - connect(2) for "yogesh.puppet.com" port 8140
    Error: Could not request certificate: Connection refused - connect(2) for "yogesh.puppet.com" port 8140
    Error: Could not request certificate: Connection refused - connect(2) for "yogesh.puppet.com" port 8140
    Error: Could not request certificate: Connection refused - connect(2) for "yogesh.puppet.com" port 8140
    

    I tried everything: iptables, ports, firewall, reinstalling the agent (not the master). Then I started looking further and found something in the log file:

    I, [2016-04-27T23:21:55.118997 #1745]  INFO -- : activemq.rb:139:in `on_ssl_connecting' Establishing SSL session with stomp+ssl://[email protected]:61613
    E, [2016-04-27T23:21:55.131678 #1745] ERROR -- : activemq.rb:149:in `on_ssl_connectfail' SSL session creation with stomp+ssl://[email protected]:61613 failed: SSL_CTX_use_PrivateKey: key values mismatch
    I, [2016-04-27T23:21:55.132438 #1745]  INFO -- : activemq.rb:129:in `on_connectfail' TCP Connection to stomp+ssl://[email protected]:61613 failed on attempt 36
    I, [2016-04-27T23:22:25.141892 #1745]  INFO -- : activemq.rb:139:in `on_ssl_connecting' Establishing SSL session with stomp+ssl://[email protected]:61613
    E, [2016-04-27T23:22:25.144644 #1745] ERROR -- : activemq.rb:149:in `on_ssl_connectfail' SSL session creation with stomp+ssl://[email protected]:61613 failed: SSL_CTX_use_PrivateKey: key values mismatch
    I, [2016-04-27T23:22:25.144836 #1745]  INFO -- : activemq.rb:129:in `on_connectfail' TCP Connection to stomp+ssl://[email protected]:61613 failed on attempt 37
    

    This gave me an indication that the certificate existed on the master. I recreated the master key and it worked for me.

    Note: this is my only test environment; do not use this directly in production.

    [root@YogeshRaheja init.d]# puppet cert clean "yogesh.puppet.com"
    Notice: Revoked certificate with serial 11
    Notice: Removing file Puppet::SSL::Certificate yogesh.puppet.com at '/etc/puppetlabs/puppet/ssl/ca/signed/yogesh.puppet.com.pem'
    Notice: Removing file Puppet::SSL::Certificate yogesh.puppet.com at '/etc/puppetlabs/puppet/ssl/certs/yogesh.puppet.com.pem'
    Notice: Removing file Puppet::SSL::CertificateRequest yogesh.puppet.com at '/etc/puppetlabs/puppet/ssl/certificate_requests/yogesh.puppet.com.pem'
    Notice: Removing file Puppet::SSL::Key yogesh.puppet.com at '/etc/puppetlabs/puppet/ssl/private_keys/yogesh.puppet.com.pem'
    
    
    [root@YogeshRaheja init.d]# puppet cert generate yogesh.puppet.com
    Notice: yogesh.puppet.com has a waiting certificate request
    Notice: Signed certificate request for yogesh.puppet.com
    Notice: Removing file Puppet::SSL::CertificateRequest yogesh.puppet.com at '/etc/puppetlabs/puppet/ssl/ca/requests/yogesh.puppet.com.pem'
    Notice: Removing file Puppet::SSL::CertificateRequest yogesh.puppet.com at '/etc/puppetlabs/puppet/ssl/certificate_requests/yogesh.puppet.com.pem'
    
    
    [root@YogeshRaheja init.d]# ./pe-puppetserver start
    Starting pe-puppetserver:                                  [  OK  ]
    [root@YogeshRaheja init.d]#
    [root@YogeshRaheja init.d]#
    [root@YogeshRaheja init.d]# netstat -an | grep -i listen
    tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
    tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN
    tcp        0      0 0.0.0.0:5432                0.0.0.0:*                   LISTEN
    tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
    tcp        0      0 :::4433                     :::*                        LISTEN
    tcp        0      0 :::8081                     :::*                        LISTEN
    tcp        0      0 :::22                       :::*                        LISTEN
    tcp        0      0 ::1:631                     :::*                        LISTEN
    tcp        0      0 :::5432                     :::*                        LISTEN
    tcp        0      0 ::1:25                      :::*                        LISTEN
    tcp        0      0 :::42632                    :::*                        LISTEN
    tcp        0      0 :::8140                     :::*                        LISTEN
    tcp        0      0 :::61613                    :::*                        LISTEN
    

    It resolved the client connection problem.

