Puppet error: could not retrieve catalog from remote server: SSL_connect returned=1 errno=0


Problem description

I am trying to set up a Puppet master and a Puppet agent on AWS EC2 instances (Linux AMI). When I run my Puppet agent to generate the certificate for the master to sign, I encounter the error below.

Puppet master:

[root@ip-10-**-*-*** /]# sudo yum install puppet-server

[root@ip-10-**-*-*** /]# sudo service puppetmaster start
Starting puppetmaster:                                     [  OK  ]

Puppet agent:

[root@ip-10-**-*-*** /]# sudo yum install puppet

[root@ip-10-**-*-*** /]
File excerpt /etc/puppet/puppet.conf
[main]
     server = hostname

[root@ip-10-**-*-*** /]# sudo service puppet start
Starting puppet:                                           [  OK  ]

[root@ip-10-**-*-*** /]# puppet agent -t
    info: Creating a new SSL key for ip-10-**-*-***.dev.abc.net
    info: Caching certificate for ca
    info: Creating a new SSL certificate request for ip-10-**-*-***.dev.abc.net
    info: Certificate Request fingerprint (md5): C2:F0:B1:2C:19:39:9E:D6:39:24:18:28
    Exiting; no certificate found and waitforcert is disabled

Puppet master:

[root@ip-10-**-*-*** /]# puppet cert list
"ip-10-**-*-***.dev.abc.net" (C2:F0:B1:2C:19:39:9E:D6:39:24:18:28:F6:DA:5D:FE)

[root@ip-10-**-*-*** /]# puppet cert sign ip-10-**-*-***.dev.abc.net
notice: Signed certificate request for ip-10-**-*-***.dev.abc.net
notice: Removing file Puppet::SSL::CertificateRequest ip-10-**-*-***.dev.abc.net at '/var/lib/puppet/ssl/ca/requests/ip-10-**-*-***.dev.abc.net.pem'

Puppet agent:

[root@ip-10-**-*-*** /]# puppet agent -t
info: Caching certificate for ip-10-**-*-***.dev.abc.net
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ip-10-**-*-***.dev.abc.net]
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ip-10-**-*-***.dev.abc.net]

Can anyone please help me resolve this issue?

Recommended answer

Yes, I know this is an old post. It still needs an answer, as I am having the same issue -- been working it for a few weeks now. I cannot guarantee yet that mine is working correctly all the time. Here are some steps I have taken. I hope they are helpful to others.
I am running Puppet Enterprise 2018.1.4. Puppet Agent 5.5.6 on RHEL 7.4.
1) The SSL routine uses a time stamp. Ensure the time is the same between Master & Client.
2) Clean/remove the agent cert from the Master AND the Client. On my RHEL, the Client cert is in /etc/puppetlabs/puppet/ssl/* -- remove any files with the agent name in here.
3) Make sure puppet is enabled on your agent: puppet agent --enable
4) If a client does not contact the puppet master "for a while" the master will drop the client from its node list, but NOT remove the cert. In theory, the master SHOULD return the node to an active status.
5) Can you run the puppet agent on the master & get the expected results? If not -> problem with puppet code, otherwise, problem with agent.
6) Is puppet.conf configured correctly?
Under the [main] section, do you have the server entry correct?
Under [agent] are you set to the correct environment? Is noop set to true?
7) It is possible that you have an error in a puppet module that is causing the agent to exit quietly. Run puppet parser validate on all of your .pp files.
8) Can the master resolve the IP address of the master and the client?
Can the client resolve the IP address of the master and the client?
Is resolv.conf set correctly on both hosts?
9) Hostnames of the client & master should be correct. Each server should know its shortname, FQDN and IP. On RHEL, I run: hostname; hostname -f; and hostname -i, respectively.
10) File permissions on all the directories & modules should be correct. Check out a working module, see its owner, group & permissions. Ensure your module is the same.
11) Only root/admin can correctly run puppet agent.
12) On RHEL, the logs are under /var/log/puppet. Do you see any errors there?
13) Run puppet agent with the --debug or the --trace option in addition to -t. Pipe this output to a file and see if you can spot any errors.
14) Can you force the master to run the puppet agent on the client successfully?
Many of these things have been narrowing down my issue. I don't know yet if it is fixed, as it takes a while for a node to drop out. Hopefully these will fix your issue.
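
Added example (not part of the original question or answer): a small Python triage for agent output saved to a file as step 13 suggests. It extracts each distinct "certificate verify failed" reason and the certificate subject it names, and points at a checklist step to try first. The hostnames in the sample are constructed, and the mapping from OpenSSL verify reasons to checklist steps is this example's assumption.

```python
import re

# Constructed sample, in the format of the agent output quoted in the question.
_ERR = ("SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: "
        "certificate verify failed: ")
SAMPLE = "\n".join([
    "info: Caching certificate for agent01.example.test",
    "err: Could not retrieve catalog from remote server: " + _ERR
    + "[certificate signature failure for /CN=agent01.example.test]",
    "warning: Not using cache on failed catalog",
    "err: Could not send report: " + _ERR
    + "[certificate signature failure for /CN=agent01.example.test]",
    "err: Could not retrieve catalog from remote server: " + _ERR
    + "[certificate is not yet valid for /CN=master.example.test]",
])

VERIFY_RE = re.compile(
    r"SSL_connect returned=\d+ errno=\d+ state=(?P<state>.+?): certificate "
    r"verify failed(?:: \[(?P<reason>.+?)(?: for (?P<subject>/\S+))?\])?")
CERTNAME_RE = re.compile(r"Caching certificate for (?!ca$)(\S+)")

# Assumption of this example: which checklist step to try first per reason.
CHECKS = {
    "certificate signature failure": "step 2: clean the agent cert on master and client",
    "certificate is not yet valid": "step 1: compare clocks on master and client",
    "certificate has expired": "step 1: compare clocks on master and client",
}
FALLBACK = "step 13: rerun with --debug and read the full output"

def triage(text):
    """Return (agent certname, findings), one finding per distinct failure."""
    certname, findings = None, {}
    for line in map(str.strip, text.splitlines()):
        m = CERTNAME_RE.search(line)
        if m:
            certname = m.group(1)
        m = VERIFY_RE.search(line)
        if m:
            reason = m.group("reason") or "unspecified"
            f = findings.setdefault((reason, m.group("subject")), {
                "reason": reason, "subject": m.group("subject"),
                "state": m.group("state"), "count": 0,
                "check": CHECKS.get(reason, FALLBACK)})
            f["count"] += 1
    return certname, list(findings.values())

if __name__ == "__main__":
    name, found = triage(SAMPLE)
    for f in found:
        print(f"{name}: {f['reason']} ({f['subject']}) x{f['count']} -> {f['check']}")
```

The catalog and report errors from one run collapse into a single finding with a count, so a repeated failure is not mistaken for two separate problems.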
