2014-10-05

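Puppet shows the certificate in the list, but cannot 'find' it

I am setting up Puppet on a couple of test servers: bruno is the puppet master, oppenheimer is the agent. When I start the server on bruno I get this output: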

bruno$ sudo puppet cert list 
"oppenheimer.home" (SHA256) D4:**:**:**:0B:2A 

bruno$ sudo puppet master --verbose --no-daemonize 
Notice: Starting Puppet master version 3.4.3 

Then I go to start the agent on oppenheimer:

oppenheimer$ sudo puppet agent --test --server=bruno 
Exiting; no certificate found and waitforcert is disabled 

When I look at bruno again:

Info: access[^/catalog/([^/]+)$]: allowing 'method' find 
Info: access[^/catalog/([^/]+)$]: allowing $1 access 
Info: access[^/node/([^/]+)$]: allowing 'method' find 
Info: access[^/node/([^/]+)$]: allowing $1 access 
Info: access[/certificate_revocation_list/ca]: allowing 'method' find 
Info: access[/certificate_revocation_list/ca]: allowing * access 
Info: access[^/report/([^/]+)$]: allowing 'method' save 
Info: access[^/report/([^/]+)$]: allowing $1 access 
Info: access[/file]: allowing * access 
Info: access[/certificate/ca]: adding authentication any 
Info: access[/certificate/ca]: allowing 'method' find 
Info: access[/certificate/ca]: allowing * access 
Info: access[/certificate/]: adding authentication any 
Info: access[/certificate/]: allowing 'method' find 
Info: access[/certificate/]: allowing * access 
Info: access[/certificate_request]: adding authentication any 
Info: access[/certificate_request]: allowing 'method' find 
Info: access[/certificate_request]: allowing 'method' save 
Info: access[/certificate_request]: allowing * access 
Info: access[/]: adding authentication any 
Info: Inserting default '/status' (auth true) ACL 
Info: Not Found: Could not find certificate oppenheimer.home 
Info: Not Found: Could not find certificate oppenheimer.home 
Info: Not Found: Could not find certificate oppenheimer.home 
Info: Not Found: Could not find certificate oppenheimer.home 
Info: Not Found: Could not find certificate oppenheimer.home 

Note that the server bruno does show the certificate for the agent oppenheimer before the server is started. So why can it not find the certificate?

Here is my configuration on the server:

bruno$ cat /etc/hosts 
127.0.0.1  localhost 
127.0.1.1  bruno 
10.0.0.7  bruno 
10.0.0.10  oppenheimer 

bruno$ cat /etc/puppet/puppet.conf 
[main] 
logdir=/var/log/puppet 
vardir=/var/lib/puppet 
ssldir=/var/lib/puppet/ssl 
rundir=/var/run/puppet 
factpath=$vardir/lib/facter 
templatedir=$confdir/templates 
prerun_command=/etc/puppet/etckeeper-commit-pre 
postrun_command=/etc/puppet/etckeeper-commit-post 

certificate_revocation=false 
server=bruno 

[master] 
# These are needed when the puppetmaster is run by passenger 
# and can safely be removed if webrick is used. 
ssl_client_header = SSL_CLIENT_S_DN 
ssl_client_verify_header = SSL_CLIENT_VERIFY 

Here is the configuration on the agent:

oppenheimer$ cat /etc/hosts 
127.0.0.1  localhost 
127.0.1.1  oppenheimer 
10.0.0.7  bruno 
10.0.0.10  oppenheimer 

oppenheimer$ cat /etc/puppet/puppet.conf 
[main] 
logdir=/var/log/puppet 
vardir=/var/lib/puppet 
ssldir=/var/lib/puppet/ssl 
rundir=/var/run/puppet 
factpath=$vardir/lib/facter 
templatedir=$confdir/templates 
prerun_command=/etc/puppet/etckeeper-commit-pre 
postrun_command=/etc/puppet/etckeeper-commit-post 

certificate_revocation=false 
server=bruno 

[master] 
# These are needed when the puppetmaster is run by passenger 
# and can safely be removed if webrick is used. 
ssl_client_header = SSL_CLIENT_S_DN 
ssl_client_verify_header = SSL_CLIENT_VERIFY 

[agent] 
server=bruno 

Both machines are running Ubuntu Linux 14.04 with the latest updates.

Answers

2

You have to sign the certificate. If the certificate had already been signed, it would not show up in the output of puppet cert list.

# puppet cert sign oppenheimer.home 

Then puppet agent should run successfully.

Hope this helps.

+0

After signing it should show up in 'puppet cert list --all' – csanchez 2014-10-06 16:10:33
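
As an added example (not part of the original question, answer or comment): a shell helper that reads `puppet cert list --all` output, tells a pending request from a signed or revoked certificate, and approves signing only when the pending fingerprint matches the one read on the agent with `puppet agent --fingerprint`. It assumes the Puppet 3.x listing layout (no prefix = pending, `+` = signed, `-` = revoked); the sample listing, its fingerprints, the host `retired.home` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `puppet cert list --all` output (assumed Puppet 3.x layout):
#   no prefix = pending request, "+" = signed, "-" = revoked/invalid.
# Fingerprints are made-up placeholders, not values from the page.
SAMPLE_LIST='  "oppenheimer.home" (SHA256) AA:11:22:33:44:55
+ "bruno.home"       (SHA256) BB:66:77:88:99:00 (alt names: "DNS:bruno", "DNS:bruno.home")
- "retired.home"     (SHA256) CC:12:34:56:78:9A (certificate revoked)'

# cert_state NAME: read a listing on stdin, print pending|signed|revoked|absent.
cert_state() {
    awk -v n="$1" '
        { prefix = ""; name = $1
          if ($1 == "+" || $1 == "-") { prefix = $1; name = $2 }
          if (name == "\"" n "\"")
              state = (prefix == "+") ? "signed" : (prefix == "-") ? "revoked" : "pending"
        }
        END { print (state == "" ? "absent" : state) }'
}

# pending_fingerprint NAME: print the fingerprint of NAME's unsigned request, if any.
# Signed and revoked lines start with "+" or "-", so they never match on field 1.
pending_fingerprint() {
    awk -v n="$1" '$1 == "\"" n "\"" { print $3; exit }'
}

# ok_to_sign NAME EXPECTED_FP: succeed only if NAME is still pending AND its
# fingerprint equals EXPECTED_FP (the value read out-of-band on the agent).
ok_to_sign() {
    listing=$(cat)
    [ "$(printf '%s\n' "$listing" | cert_state "$1")" = "pending" ] || return 1
    [ "$(printf '%s\n' "$listing" | pending_fingerprint "$1")" = "$2" ]
}

# Stand-alone demo on the constructed listing.
printf 'oppenheimer.home is %s\n' "$(printf '%s\n' "$SAMPLE_LIST" | cert_state oppenheimer.home)"
```

On a real master the listing would come from `sudo puppet cert list --all` piped into `ok_to_sign`, and `puppet cert sign` would run only when it succeeds.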