我为我的 puppetmaster 创建了一个 A 记录。如果这个 ip 地址上的 puppetmaster 出现故障,我必须从新的 ip 地址生成一个新的,我可以将与 A 记录中的主机名关联的 ip 地址更改为新框的地址。
我希望我的所有 puppetclients 都能够仅通过 A 记录中的主机名连接到新的 puppetmaster。
$ dig puppetmaster.mywebsite.com
;; ANSWER SECTION:
puppetmaster.mywebsite.com. 300 IN A 1.2.3.4
我的客户有主机名puppetclient-01,我的主人有主机名puppetmaster
在我的 puppet 客户端上,我没有将主机名解析为puppetmaster特定 IP 的条目,/etc/hosts因为如果puppetmaster出现故障并且我必须从新 ip 启动新的 puppet master,我想避免更改/etc/hosts客户端中的所有文件。
在我对默认值所做的唯一更改中,添加了/etc/puppet/puppet.conf这个puppetclient-01
[agent]
server = puppetmaster.mywebsite.com
在puppetclient-01我运行这个
root@puppetclient-01:~# puppet agent --test
info: Creating a new SSL key for puppetclient-01
info: Caching certificate for ca
info: Creating a new SSL certificate request for puppetclient-01
info: Certificate Request fingerprint (md5): 12:34:56:78:CB:81:62:2E:5F:AB:40:54:D0:A1:37:95
Exiting; no certificate found and waitforcert is disabled
然后puppetmaster我运行这个
oot@puppetmaster:~# puppetca --sign puppetclient-01
notice: Signed certificate request for puppetclient-01
notice: Removing file Puppet::SSL::CertificateRequest puppetclient-01 at '/var/lib/puppet/ssl/ca/requests/puppetclient-01.pem'
然后puppetclient-01当我尝试木偶奔跑时
root@puppetclient-01:~# puppet agent --test
info: Caching certificate for puppetclient-01
err: Could not retrieve catalog from remote server: Server hostname 'puppetmaster.mywebsite.com' did not match server certificate; expected puppetmaster
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: Server hostname 'puppetmaster.mywebsite.com' did not match server certificate; expected puppetmaster
为什么我会收到错误消息Server hostname 'puppetmaster.mywebsite.com' did not match server certificate; expected puppetmaster?
我需要在etc/puppet/puppet.conf客户端或主机上更改任何指令以使其正常工作吗?
看起来您在生成主证书时没有使用 FQDN。以下http://docs.puppetlabs.com/guides/troubleshooting.html:如果
sudo puppet master --configprint certname在主上产生puppetmaster而不是puppetmaster.mywebsite.com你需要: