
Unable to retrieve Puppet agent SSL certificate from Puppet master

Stack Overflow user
Asked 2017-05-08 14:22:20
1 answer, 1.5K views, 0 followers, 0 votes

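I have configured a Puppet master-agent setup (OS: Ubuntu). Both hosts can ping/ssh each other. DNS is set up correctly. When I run 'puppet agent -t' to generate the certificate, the master is able to generate a new CA and certificate while the agent throws an error.

I received an error along with a suggested fix, followed the suggestion, and then got: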

Exiting; failed to retrieve certificate and waitforcert is disabled

Please help us resolve this issue. Below is /etc/puppet/puppet.conf (identical on master and agent):

#Settings in [main] are used if a more specific section does not set a value.
[main]
    certname = puppetmaster01.example.com
    logdir=/var/log/puppet
    vardir=/var/lib/puppet
    basemodulepath = /etc/puppetlabs/puppet/environments/production/modules:/opt/puppet/share/puppet/modules
    ssldir=/var/lib/puppet/ssl
    rundir=/var/run/puppet
    factpath=$vardir/lib/facter
    server = puppetmaster01.example.com
    user = puppet
    group = puppet
    archive_files = true
    archive_file_server = puppetmaster01.example.com

[master]
# This section is used by the Puppet master and Puppet cert applications.
    dns_alt_names = puppet,puppet.example.com,puppetmaster01,puppetmaster01.example.com,puppetagent01,puppetagent01.example.com
    certname = puppetmaster01.example.com
    reports = http,puppetdb
    reporturl = https://localhost:443/reports/upload
    node_terminus = exec
    external_nodes = /etc/puppetlabs/puppet-dashboard/external_node
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY
    storeconfigs_backend = puppetdb
    storeconfigs = true
    autosign = true

# This section is used by the Puppet agent application.
[agent]
    report = true
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
    graph = true
    pluginsync = true
    environment = production

1 Answer

Stack Overflow user

Answered 2019-05-03 03:24:10

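In a Puppet master/agent deployment, the administrator needs to sign the client's certificate on the Puppet master. Have you signed the certificate on your Puppet master?

Depending on the version of Puppet you are using, try running one of:

sudo puppetserver ca sign --certname fullnameOFhost.something.com
sudo puppet cert sign <name of host>

You can see the outstanding client certificates that still need to be signed by running one of the following, again depending on the version:

sudo puppet cert list
sudo puppetserver ca list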

Votes: 0
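As an added example (not part of the original question or answer, and not Puppet's own code): a small Python check over an excerpt of the question's puppet.conf that flags two settings bearing on the signing step the answer describes. The `audit` helper and its finding names are hypothetical, and it assumes, as the question states, that the same file is used on both master and agent.

```python
# Constructed sample: excerpt of the question's puppet.conf (same file on both hosts).
SAMPLE_CONF = """\
[main]
    certname = puppetmaster01.example.com
    server = puppetmaster01.example.com

[master]
    certname = puppetmaster01.example.com
    autosign = true

[agent]
    report = true
"""


def parse_puppet_conf(text):
    """Parse puppet.conf text into {section: {setting: value}}."""
    conf, section = {}, "main"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            conf.setdefault(section, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            conf.setdefault(section, {})[key.strip()] = value.strip()
    return conf


def audit(conf, role):
    """Return findings for role 'master' or 'agent' (hypothetical finding names)."""
    # Settings in the role's own section override those in [main].
    effective = {**conf.get("main", {}), **conf.get(role, {})}
    findings = []
    if role == "master" and effective.get("autosign", "").lower() == "true":
        # autosign = true signs every incoming CSR, with no manual signing step.
        findings.append("naive-autosign: every CSR is signed without review")
    certname = effective.get("certname")
    if role == "agent" and certname and certname == effective.get("server"):
        # The agent would request a certificate under the server's own name.
        findings.append("agent-certname-equals-server: set a unique certname per agent")
    return findings


if __name__ == "__main__":
    parsed = parse_puppet_conf(SAMPLE_CONF)
    for role in ("master", "agent"):
        for finding in audit(parsed, role):
            print(f"{role}: {finding}")
```
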
Original page content provided by Stack Overflow. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/43841012
