Ошибка SSL в Puppet: «SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed»
Я пытаюсь настроить puppet master и puppetdb на одном узле, используя модуль puppetdb.
Когда я запускаю `puppet agent -t`, вижу следующее (фрагмент «state=SSLv3 read server certificate B» — это имя состояния OpenSSL в рукопожатии, а не признак использования протокола SSLv3; существенная часть — «certificate verify failed»):
notice: Unable to connect to puppetdb server (ip-10-172-161-25.us-west-1.compute.internal:8081): SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
notice: Failed to connect to puppetdb; sleeping 2 seconds before retry
[root@ip-10-172-161-25 modules]# puppet cert --list --all
+ "ip-10-172-161-25.us-west-1.compute.internal" (66:37:02:AB:98:C5:CD:28:1C:D3:68:53:13:CC:A1:E5)
+ "ip-10-196-99-56.us-west-1.compute.internal" (99:C9:7C:A1:1A:FD:3C:27:85:76:C7:5A:6A:D5:F9:79)
+ "puppettest.eng.com" (17:4A:B9:D1:48:F2:82:73:7D:7F:1D:55:E4:A1:A6:A0) (alt names: "DNS:ip-10-172-161-25.us-west-1.compute.internal", "DNS:puppet", "DNS:puppettest.eng.com")
[root@ip-10-172-161-25 modules]# cat /etc/puppet/puppet.conf
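# /etc/puppet/puppet.conf — read by the puppet agent and the puppet master on this node.
# Comments use '#' like the packaged file; values are unquoted, one per line.

[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet

# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet

# Where SSL certificates, keys and (on the master) the CA are kept.
# The default value is '$confdir/ssl'.
# puppetdb-ssl-setup populates /etc/puppetdb/ssl from the master's files
# here, so re-issuing the master certificate leaves PuppetDB with stale
# copies until that tool is re-run.
ssldir = $vardir/ssl

# Master the agent connects to. The name must be the CN or one of the
# alt names of the master certificate (see 'puppet cert --list --all').
server = puppettest.eng.com

[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt

# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig

[master]
# Certificate name the master presents to agents and, via the
# puppetdb-terminus, to PuppetDB. It must appear in PuppetDB's
# certificate-whitelist for the master to be allowed in.
certname = puppettest.eng.com

# Every name clients use to reach this master, comma-separated.
# Alt names are part of the certificate itself, so changing this
# list requires re-issuing the master certificate.
dns_alt_names = ip-10-172-161-25.us-west-1.compute.internal,puppettest.eng.com,puppet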
puppetdb.conf
[root@ip-10-172-161-25 modules]# cat /etc/puppet/puppetdb.conf
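# /etc/puppet/puppetdb.conf — tells the puppetdb-terminus on the master
# where PuppetDB listens. The master authenticates to PuppetDB with its
# own certificate (certname puppettest.eng.com), so that name must be in
# /etc/puppetdb/whitelist.txt.

[main]
# Must match jetty.ini's ssl-host and be covered (CN or alt name) by the
# certificate PuppetDB serves (ssl-cert in jetty.ini, normally a copy of
# the master's certificate); otherwise hostname verification fails.
server = ip-10-172-161-25.us-west-1.compute.internal
# puppettest.eng.com is also an alt name of that certificate and would
# work once PuppetDB's certificate is in sync with the master's.
#server = puppettest.eng.com

# HTTPS port from jetty.ini (ssl-port). Never point this at the
# clear-text port 8080: the terminus would then send data unauthenticated.
port = 8081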
jetty.ini
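# jetty.ini — PuppetDB listener settings (clear-text HTTP and HTTPS).

[jetty]
# Hostname or IP address to listen on for clear-text HTTP. Default is localhost.
# Keep this on the loopback interface: the plain-HTTP listener has no
# certificate-based access control, so exposing it on a network interface
# would let any client read from and write to PuppetDB.
host = localhost

# Port to listen on for clear-text HTTP.
port = 8080

# The following are SSL-specific settings. They can be configured
# automatically with the tool puppetdb-ssl-setup, which is normally
# run during package installation. Re-run it with -f after the puppet
# master's certificate or CA is re-issued, otherwise the files below are
# stale and the master fails to verify PuppetDB's certificate.

# The host or IP address to listen on for HTTPS connections.
# The 'server' value in the master's puppetdb.conf must be a name covered
# by the certificate in ssl-cert.
ssl-host = ip-10-172-161-25.us-west-1.compute.internal

# The port to listen on for HTTPS connections (matches 'port' in puppetdb.conf).
ssl-port = 8081

# Private key path. Keep it readable only by the puppetdb service account.
ssl-key = /etc/puppetdb/ssl/private.pem

# Public certificate path.
ssl-cert = /etc/puppetdb/ssl/public.pem

# Certificate authority path. Clients on the HTTPS port must present a
# certificate signed by this CA.
ssl-ca-cert = /etc/puppetdb/ssl/ca.pem

# Only clients whose certificate CN is listed in this file (one name per
# line) may use the HTTPS API; the puppet master's certname must be present.
certificate-whitelist = /etc/puppetdb/whitelist.txt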
whitelist.txt
[root@ip-10-172-161-25 modules]# cat /etc/puppetdb/whitelist.txt
ip-10-172-161-25.us-west-1.compute.internal
puppettest.eng.com
localhost
[root@ip-10-172-161-25 modules]# rpm -qa | grep -i puppet
puppet-server-2.7.22-1.0.amzn1.x86_64
puppetlabs-release-5-7.noarch
puppetdb-terminus-1.4.0-1.el5.noarch
puppet-2.7.22-1.0.amzn1.x86_64
puppetdb-1.4.0-1.el5.noarch
[root@ip-10-172-161-25 modules]# rpm -qa | grep -i ruby
ruby-libs-1.8.7.374-1.0.amzn1.x86_64
ruby-1.8.7.374-1.0.amzn1.x86_64
ruby-augeas-0.4.1-1.3.amzn1.x86_64
[root@ip-10-172-161-25 modules]#
Я несколько раз пробовал отозвать сертификат мастера и выпустить новый — не помогло.
Помогла команда `puppetdb-ssl-setup -f`: ключ `-f` принудительно перезаписывает private.pem, public.pem и ca.pem в /etc/puppetdb/ssl, беря их из текущего SSL-каталога puppet master. Ошибка возникала потому, что после отзыва и перевыпуска сертификата мастера PuppetDB продолжал использовать старые копии, и мастер (как TLS-клиент) не мог проверить сертификат PuppetDB.
Подробнее см. обсуждение в Google Groups: https://groups.google.com/forum/
Спасибо Кену за помощь