2014-10-05

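Puppet shows certificate in list, but can't 'find' it

I am setting up Puppet on a few test servers: bruno is the puppet master and oppenheimer is the agent. When I start up on the server bruno I get this output: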

bruno$ sudo puppet cert list 
"oppenheimer.home" (SHA256) D4:**:**:**:0B:2A 

bruno$ sudo puppet master --verbose --no-daemonize 
Notice: Starting Puppet master version 3.4.3 

Then I go to start the agent on oppenheimer:

oppenheimer$ sudo puppet agent --test --server=bruno 
Exiting; no certificate found and waitforcert is disabled 

When I look at bruno again:

Info: access[^/catalog/([^/]+)$]: allowing 'method' find 
Info: access[^/catalog/([^/]+)$]: allowing $1 access 
Info: access[^/node/([^/]+)$]: allowing 'method' find 
Info: access[^/node/([^/]+)$]: allowing $1 access 
Info: access[/certificate_revocation_list/ca]: allowing 'method' find 
Info: access[/certificate_revocation_list/ca]: allowing * access 
Info: access[^/report/([^/]+)$]: allowing 'method' save 
Info: access[^/report/([^/]+)$]: allowing $1 access 
Info: access[/file]: allowing * access 
Info: access[/certificate/ca]: adding authentication any 
Info: access[/certificate/ca]: allowing 'method' find 
Info: access[/certificate/ca]: allowing * access 
Info: access[/certificate/]: adding authentication any 
Info: access[/certificate/]: allowing 'method' find 
Info: access[/certificate/]: allowing * access 
Info: access[/certificate_request]: adding authentication any 
Info: access[/certificate_request]: allowing 'method' find 
Info: access[/certificate_request]: allowing 'method' save 
Info: access[/certificate_request]: allowing * access 
Info: access[/]: adding authentication any 
Info: Inserting default '/status' (auth true) ACL 
Info: Not Found: Could not find certificate oppenheimer.home 
Info: Not Found: Could not find certificate oppenheimer.home 
Info: Not Found: Could not find certificate oppenheimer.home 
Info: Not Found: Could not find certificate oppenheimer.home 
Info: Not Found: Could not find certificate oppenheimer.home 

Note that the server bruno does show the certificate of the agent oppenheimer before starting the server. So why can't it find the certificate?

Here is my configuration on the server:

bruno$ cat /etc/hosts 
127.0.0.1  localhost 
127.0.1.1  bruno 
10.0.0.7  bruno 
10.0.0.10  oppenheimer 

bruno$ cat /etc/puppet/puppet.conf 
[main] 
logdir=/var/log/puppet 
vardir=/var/lib/puppet 
ssldir=/var/lib/puppet/ssl 
rundir=/var/run/puppet 
factpath=$vardir/lib/facter 
templatedir=$confdir/templates 
prerun_command=/etc/puppet/etckeeper-commit-pre 
postrun_command=/etc/puppet/etckeeper-commit-post 

certificate_revocation=false 
server=bruno 

[master] 
# These are needed when the puppetmaster is run by passenger 
# and can safely be removed if webrick is used. 
ssl_client_header = SSL_CLIENT_S_DN 
ssl_client_verify_header = SSL_CLIENT_VERIFY 

Here is the configuration on the agent:

oppenheimer$ cat /etc/hosts 
127.0.0.1  localhost 
127.0.1.1  oppenheimer 
10.0.0.7  bruno 
10.0.0.10  oppenheimer 

oppenheimer$ cat /etc/puppet/puppet.conf 
[main] 
logdir=/var/log/puppet 
vardir=/var/lib/puppet 
ssldir=/var/lib/puppet/ssl 
rundir=/var/run/puppet 
factpath=$vardir/lib/facter 
templatedir=$confdir/templates 
prerun_command=/etc/puppet/etckeeper-commit-pre 
postrun_command=/etc/puppet/etckeeper-commit-post 

certificate_revocation=false 
server=bruno 

[master] 
# These are needed when the puppetmaster is run by passenger 
# and can safely be removed if webrick is used. 
ssl_client_header = SSL_CLIENT_S_DN 
ssl_client_verify_header = SSL_CLIENT_VERIFY 

[agent] 
server=bruno 

Both machines are running Ubuntu Linux 14.04 with the latest updates.

Answers

2

You have to sign the certificate. If the certificate is already signed, then it will not show up in the output of puppet cert list.

# puppet cert sign oppenheimer.home 

Then puppet agent should run successfully.

Hope this helps.

+0

After signing it should show up in 'puppet cert list --all' – csanchez 2014-10-06 16:10:33
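
The pending-versus-signed distinction from the answer and comment above, as an added example that is not part of the original posts: it reads `puppet cert list --all` style output and only recommends signing when the request is still pending and its fingerprint matches the one the agent reports for itself (`puppet agent --fingerprint`). Assumptions: the Puppet 3.x listing layout (`+` signed, `-` invalid, no glyph for a pending request); the listing, the shortened fingerprints and the function names `cert_lookup` and `sign_decision` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `puppet cert list --all` output (Puppet 3.x layout assumed).
# Fingerprints are made up and shortened; real SHA256 fingerprints are 32 bytes.
SAMPLE_LIST='  "oppenheimer.home" (SHA256) D4:00:11:22:0B:2A
+ "bruno.home" (SHA256) 9F:33:44:55:6C:71
- "oldbox.home" (SHA256) 1A:66:77:88:2D:E0 (certificate revoked)'

# cert_lookup LISTING CERTNAME -> prints "<state> <fingerprint>", or "absent -"
cert_lookup() {
    printf '%s\n' "$1" | awk -v want="$2" '
        { # A leading glyph shifts the name and fingerprint one field right.
          if ($1 == "+" || $1 == "-") { g = $1; n = $2; fp = $4 }
          else                        { g = "";  n = $1; fp = $3 }
          gsub(/"/, "", n) }
        n == want {
            state = (g == "+") ? "signed" : (g == "-") ? "invalid" : "pending"
            print state, fp; found = 1; exit
        }
        END { if (!found) print "absent -" }'
}

# sign_decision LISTING CERTNAME AGENT_FP
# AGENT_FP is the fingerprint the agent itself reports, obtained out-of-band.
sign_decision() {
    result=$(cert_lookup "$1" "$2")
    state=${result%% *}
    master_fp=${result#* }
    agent_fp=$(printf '%s' "$3" | tr 'a-f' 'A-F')   # normalise hex case
    case "$state" in
        signed)  echo "already-signed" ;;
        invalid) echo "invalid-clean-up-first" ;;
        absent)  echo "no-request" ;;
        pending)
            if [ "$master_fp" = "$agent_fp" ]; then
                echo "sign"                  # safe to run: puppet cert sign <name>
            else
                echo "fingerprint-mismatch"  # do not sign; CSR is not the agent's
            fi ;;
    esac
}

# Stand-alone demo on the constructed listing.
sign_decision "$SAMPLE_LIST" oppenheimer.home d4:00:11:22:0b:2a
```

On a real master, pass the output of `sudo puppet cert list --all` as the first argument instead of `SAMPLE_LIST`.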