I want to get PuppetDB running on my puppet master. The problem is that on every agent run I get the following message:
err: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for handsoff.dc0.testing.de to PuppetDB at handsoff:8081: Connection refused - connect(2)
The puppet master, PuppetDB and the database all run on the same host, "handsoff".
This is my /etc/puppet/puppetdb.conf:
[main]
server = handsoff
port = 8081
My /etc/puppetdb/jetty.ini:
[jetty]
# Hostname or IP address to listen for clear-text HTTP. Default is localhost
# host = <host>
# Port to listen on for clear-text HTTP.
port = 8080
# The following are SSL specific settings. They can be configured
# automatically with the tool `puppetdb ssl-setup`, which is normally
# ran during package installation.
# The host or IP address to listen on for HTTPS connections
ssl-host = localhost
# The port to listen on for HTTPS connections
ssl-port = 8081
# Private key path
ssl-key = /etc/puppetdb/ssl/private.pem
# Public certificate path
ssl-cert = /etc/puppetdb/ssl/public.pem
# Certificate authority path
ssl-ca-cert = /etc/puppetdb/ssl/ca.pem
certificate-whitelist = /etc/puppetdb/ssl-whitelist
And the ssl-whitelist file:
localhost
handsoff
handsoff.dc0.testing.de
lsof shows me the listening ports:
# lsof -i -P | grep puppetdb | grep 80
java 2549 puppetdb 20u IPv6 4982 0t0 TCP localhost:8080 (LISTEN)
java 2549 puppetdb 34u IPv6 9353 0t0 TCP localhost:8081 (LISTEN)
In my /etc/hosts I have the following lines:
127.0.0.1 localhost
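127.0.1.1 handsoff handsoff.dc0.testing.de
So, as I see it, puppet should be able to connect to puppetdb on port 8081 via both localhost and handsoff. (I tested both, with the same result.)
Any ideas? What could be wrong with this setup?
Edit: I also tried setting this in my puppetdb.conf: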
[main]
server = localhost
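port = 8081
But I got:
err: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for handsoff.dc0.testing.de to PuppetDB at localhost:8081: hostname does not match the server certificate
I am using the self-signed certificate (I did not change anything about it after completing the installation with apt-get). My guess was that the whitelist would allow me to use the certificate this way. Is that wrong?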
Posted 2016-10-06 09:16:48
Make sure hostname -f returns the fully qualified name (if not, update /etc/hostname and update sysctl kernel.hostname={your hostname}).
Check your current certificate:
echo | openssl s_client -connect <puppetdb fqdn>:8081 | openssl x509 -noout -dates
For recent versions of PuppetDB (4.2):
service puppetdb stop
rm -rf /etc/puppetlabs/puppetdb/ssl/
puppetdb ssl-setup
service puppetdb start
https://serverfault.com/questions/611625
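An added example, not part of the original question or answer: it checks the settings quoted in the question against each other, namely whether the name in puppetdb.conf resolves to the address the ssl-host listener is bound to, and whether that name is one the certificate carries. The certificate name list is an assumption (the question does not show the certificate), and diagnose and its helpers are illustrative names.

```python
import configparser
import ipaddress

# Constructed sample input: the settings quoted in the question, trimmed.
PUPPETDB_CONF = "[main]\nserver = handsoff\nport = 8081\n"
JETTY_INI = "[jetty]\nport = 8080\nssl-host = localhost\nssl-port = 8081\n"
ETC_HOSTS = "127.0.0.1 localhost\n127.0.1.1 handsoff handsoff.dc0.testing.de\n"
# Assumption: the certificate names only the FQDN (not shown in the question).
CERT_NAMES = ["handsoff.dc0.testing.de"]


def load_ini(text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def parse_hosts(text):
    """Map every name in /etc/hosts-style text to its first listed address."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table


def resolve(name, hosts):
    """Return name as an address: a literal IP, else the hosts-file entry."""
    try:
        return str(ipaddress.ip_address(name))
    except ValueError:
        return hosts.get(name.lower())


def diagnose(puppetdb_conf, jetty_ini, etc_hosts, cert_names):
    """Check the client's server/port against the listener and certificate."""
    client = load_ini(puppetdb_conf)["main"]
    jetty = load_ini(jetty_ini)["jetty"]
    hosts = parse_hosts(etc_hosts)
    target = resolve(client["server"], hosts)
    listen = resolve(jetty["ssl-host"], hosts)
    # A socket bound to one address accepts only connections sent to that
    # address; 0.0.0.0 accepts on every local IPv4 address.
    reachable = (target is not None and client["port"] == jetty["ssl-port"]
                 and listen in ("0.0.0.0", target))
    # Exact, case-insensitive comparison; wildcard names are not handled.
    name_ok = client["server"].lower() in [n.lower() for n in cert_names]
    return {"target": target, "listen": listen,
            "reachable": reachable, "name_ok": name_ok}


if __name__ == "__main__":
    print(diagnose(PUPPETDB_CONF, JETTY_INI, ETC_HOSTS, CERT_NAMES))
```

With the question's values it reports target 127.0.1.1 against a listener on 127.0.0.1; switching server to localhost makes the port reachable but fails the name check, which lines up with the two errors quoted in the question.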