Puppet: fqdn vs. hostname, easily confused
We ran into this problem during development, so I am recording it here. The example is an OpenStack all-in-one environment.
The contents of /etc/hosts are as follows:
10.124.198.219 cat.test.com.cn cat.test.com cat
# hostname
cat.test.com
# hostname -s
cat
# hostname -f
cat.test.com.cn
Running the following command kept failing with an authentication error:
puppet agent --debug --server $HOSTNAME -t >> /var/log/exec_puppet.log 2>&1
The exception message was:
---
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://cat.test.com/plugins: Server hostname 'cat.test.com' did not match server certificate; expected one of cat.test.com.cn, DNS:puppet, DNS:puppet.test.com.cn, DNS:cat.test.com.cn
Wrapped exception:
Server hostname 'cat.test.com' did not match server certificate; expected one of cat.test.com.cn, DNS:puppet, DNS:puppet.test.com.cn, DNS:cat.test.com.cn
Debug: Finishing transaction 69830609537000
---
First we looked at the machine's certificate information and found that the certificate is issued to the FQDN:
# puppet cert --list --all
+ "cat.test.com.cn" (SHA256) E7:E5:CB:28:8A:C0:C9:D6:B1:63:2B:FA:E4:7B:2B:0C:51:BB:57:A9:FC:05:A4:8B:D2:33:A7:B4:68:E4:12:57 (alt names: "DNS:puppet", "DNS:puppet.test.com.cn", "DNS:cat.test.com.cn")
Going back to the code, $HOSTNAME was obtained with HOSTNAME=`hostname -s`.
Changing it to HOSTNAME=`hostname -f` made the command run successfully.
Searching online, someone had summarised the following: authentication between Puppet servers is set up using the FQDN.
When the master starts for the 1st time, it generates its own CA certificate and private key, initializes the CRL and generates a special certificate which I will call the server certificate. This certificate will be the one used in the SSL/TLS communication as the server certificate that is later sent to the client. This certificate subject will be the current master FQDN.
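The check that produced the error above can be reproduced offline. The following is an added example, not code from the original post or from Puppet: it parses the `puppet cert --list --all` line shown above (embedded as a constructed copy) and reports which candidate values for --server the certificate would accept, using the same rule a TLS client applies (the name must equal the certificate's CN or one of its DNS alt names, compared case-insensitively). It goes slightly beyond the post by also honouring a single leading wildcard label such as *.test.com.cn, which Puppet certificates do not normally carry but other server certificates may.

```python
"""Check which candidate --server names the Puppet master certificate accepts.

Added example (not part of the original post). Run it before launching
`puppet agent --server $HOSTNAME` to see whether the value of $HOSTNAME
(hostname, hostname -s, or hostname -f) will pass certificate verification.
"""
import re

# Constructed: a copy of the `puppet cert --list --all` line from the post.
CERT_LIST_LINE = (
    '+ "cat.test.com.cn" (SHA256) E7:E5:CB:28:8A:C0:C9:D6:B1:63:2B:FA:E4:7B:2B:0C:'
    '51:BB:57:A9:FC:05:A4:8B:D2:33:A7:B4:68:E4:12:57 '
    '(alt names: "DNS:puppet", "DNS:puppet.test.com.cn", "DNS:cat.test.com.cn")'
)


def parse_cert_names(line):
    """Return (common_name, [dns_alt_names]) from one `puppet cert --list` line.

    The leading '+' / '-' / '!' marks signed / unsigned / revoked certificates;
    the quoted name that follows is the certificate subject (CN).
    """
    m = re.match(r'^[+\-!]?\s*"([^"]+)"', line)
    if not m:
        raise ValueError("unrecognised puppet cert line: %r" % line)
    cn = m.group(1)
    alt_names = []
    alt_m = re.search(r'\(alt names:\s*(.*?)\)\s*$', line)
    if alt_m:
        alt_names = re.findall(r'"DNS:([^"]+)"', alt_m.group(1))
    return cn, alt_names


def name_matches(candidate, pattern):
    """Case-insensitive exact match, or a single leading wildcard label
    (e.g. *.test.com.cn) that matches exactly one label, as in RFC 6125."""
    c = candidate.lower().rstrip(".")
    p = pattern.lower().rstrip(".")
    if c == p:
        return True
    if p.startswith("*."):
        c_labels = c.split(".")
        p_labels = p.split(".")
        return len(c_labels) == len(p_labels) and c_labels[1:] == p_labels[1:]
    return False


def check_server_names(cert_line, candidates):
    """Map each candidate --server value to True if the certificate accepts it.

    The accepted set is the CN plus every DNS alt name, which is exactly the
    list Puppet prints after "expected one of" in the error message.
    """
    cn, alt_names = parse_cert_names(cert_line)
    accepted = [cn] + alt_names
    return {c: any(name_matches(c, a) for a in accepted) for c in candidates}


if __name__ == "__main__":
    # The three values the post obtains from hostname, hostname -s, hostname -f.
    results = check_server_names(
        CERT_LIST_LINE, ["cat.test.com", "cat", "cat.test.com.cn"]
    )
    for name, ok in results.items():
        print("%-20s %s" % (name, "OK" if ok else "REJECTED by certificate"))
```

Of the three names on this host, only cat.test.com.cn (the output of hostname -f) is accepted; both cat.test.com (hostname) and cat (hostname -s) are rejected, which matches the error in the log. Because hostname -f resolves through /etc/hosts, the first name after the address on that line is what the certificate must contain.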
References
1. Puppet documentation https://docs.puppetlabs.com/puppet/#
2. http://www.masterzen.fr/2010/11/14/puppet-ssl-explained/