Puppet agent to puppet master (running on nginx/ruby 1.9) SSL certificate problem

Published: 2020-05-22 23:46:39  Category: Nginx  Source: Internet

I have two machines: the puppet master, hostname puppet, and a separate client, hostname git. The puppet agent on the master has no problem. The agent on git fails with '400 No required SSL certificate was sent'. First, the puppet master configuration, which is a thin/nginx affair:

puppet:~# ruby -v
ruby 1.9.2p0 (2010-08-18 revision 29036) [i486-linux]

puppet:~# puppet --version
2.7.9

puppet:~# cat /etc/nginx/sites-enabled/default 
server {
  listen puppet:8140;

  ssl on;
  ssl_certificate /var/lib/puppet/ssl/certs/puppet.pem;
  ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppet.pem;
  ssl_ciphers ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP;
  ssl_client_certificate  /var/lib/puppet/ssl/ca/ca_crt.pem;
  ssl_verify_client on;

  proxy_redirect   off;
  proxy_set_header Host             $host;
  proxy_set_header X-Real-IP        $remote_addr;
  proxy_set_header X-Forwarded-For  $proxy_add_x_forwarded_for;
  proxy_set_header X-Client-Verify  $ssl_client_verify;
  proxy_set_header X-Client-Verify  SUCCESS;
  proxy_set_header X-Client-DN      $ssl_client_s_dn;
  proxy_set_header X-SSL-Subject    $ssl_client_s_dn;
  proxy_set_header X-SSL-Issuer     $ssl_client_i_dn;

  default_type application/x-raw;

  location /production/file_content/ {
    rewrite ^/production/file_content/modules/([^/]+)/(.*) /$1/files/$2;
    break;
    root /etc/puppet/modules/;
  }
  location / {
    proxy_pass http://puppet-production;
  }
}


# cat /etc/nginx/conf.d/puppet-production-upstream.conf 
upstream puppet-production {  
  server unix:/var/run/puppet/master.00.sock;
  server unix:/var/run/puppet/master.01.sock;
  server unix:/var/run/puppet/master.02.sock;
}


puppet:~# cat /etc/supervisor/conf.d/puppetmaster.conf 
# This file is autogenerated by Puppet. Manual changes will be overwritten!
[program:puppetmaster]
command=/usr/bin/thin start -e development --socket /var/run/puppet/master.%(process_num)02d.sock --user puppet --group puppet --chdir /etc/puppet -R /etc/puppet/config.ru
process_name=%(program_name)s_%(process_num)02d
numprocs=3
priority=999
autostart=true
autorestart=unexpected
startsecs=3
startretries=3
exitcodes=0,2
stopsignal=TERM
stopwaitsecs=10
redirect_stderr=false
stdout_logfile=/var/log/supervisor/puppetmaster/puppetmaster.out
stdout_logfile_maxbytes=250MB
stdout_logfile_backups=10
stderr_logfile=/var/log/supervisor/puppetmaster/puppetmaster.err
stderr_logfile_maxbytes=250MB
stderr_logfile_backups=10

puppet:~# cat /etc/puppet/puppet.conf 
[main]
ssldir=$vardir/ssl

[master]
certname=puppet

Applying the workaround here, all I get from the git agent when trying to introduce git to the puppet master is:

git:~# puppet agent --waitforcert 30 --test
err: Could not request certificate: Error 400 on SERVER: 

This resource, in its "simulating the SSL connection" section, suggests running the following from my git box:

openssl s_client -host puppet -port 8140 -cert /var/lib/puppet/ssl/certs/git.troutwine.us.pem -key /var/lib/puppet/ssl/private_keys/git.troutwine.us.pem -CAfile /var/lib/puppet/ssl/certs/ca.pem

The trouble is that I am missing /var/lib/puppet/ssl/certs/git.troutwine.us.pem:

git:~# tree /var/lib/puppet/ssl/
/var/lib/puppet/ssl/
├── certificate_requests
├── certs
│ └── ca.pem
├── private
├── private_keys
│ └── git.troutwine.us.pem
└── public_keys
    └── git.troutwine.us.pem

Plain old webrick puppetmasterd works just fine; it is only the nginx/puppet combination that lets me down. Both machines run ntpd and have acceptable time skew. What am I doing wrong? newl in the #puppet channel suggested changing ssl_verify_client to 'optional' rather than 'on'. I have done that and everything now looks fine.

I am convinced that this is a bad thing, but after newl's suggestion I cannot remember why. If anyone does think this is a suboptimal configuration setting, please let me know.
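As an added example (not part of the original post), a small Ruby script that checks an agent's ssldir the way the s_client command above does by hand: it reports whether the signed certificate, the private key and the CA are present and consistent, and reproduces the git box's state, where private_keys/git.troutwine.us.pem exists but certs/git.troutwine.us.pem does not. The certname, the toy CA and the temporary directory layout are constructed for the demonstration; nothing here is Puppet's own CA code.

```ruby
require 'openssl'
require 'fileutils'
require 'tmpdir'

# Classify an agent's ssldir the way the master's client-auth will see it.
# :missing_cert is exactly the state `tree /var/lib/puppet/ssl/` showed on git.
def agent_ssl_status(ssldir, certname)
  cert_path = File.join(ssldir, 'certs', "#{certname}.pem")
  key_path  = File.join(ssldir, 'private_keys', "#{certname}.pem")
  ca_path   = File.join(ssldir, 'certs', 'ca.pem')
  return :missing_key  unless File.exist?(key_path)
  return :missing_ca   unless File.exist?(ca_path)
  return :missing_cert unless File.exist?(cert_path)
  cert = OpenSSL::X509::Certificate.new(File.read(cert_path))
  key  = OpenSSL::PKey::RSA.new(File.read(key_path))
  return :key_mismatch unless cert.check_private_key(key) # cert/key pair must match
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(File.read(ca_path)))
  store.verify(cert) ? :ok : :untrusted_issuer # must chain to the master's CA
end

# Minimal X.509 issuer used only to construct sample data (hypothetical toy CA).
def issue(subject, key, issuer_cert, issuer_key, ca: false)
  c = OpenSSL::X509::Certificate.new
  c.version = 2; c.serial = rand(1 << 32)
  c.subject = OpenSSL::X509::Name.parse(subject)
  c.issuer = issuer_cert ? issuer_cert.subject : c.subject # self-signed if no issuer
  c.public_key = key.public_key
  c.not_before = Time.now - 60; c.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || c, c)
  c.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  c.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  c
end

# Build a constructed ssldir in the layout the question's `tree` output showed;
# signed: false reproduces the git box (key and CA present, no signed cert).
def build_ssldir(certname, signed: true)
  dir = Dir.mktmpdir('puppet-ssl')
  %w[certs private_keys public_keys certificate_requests].each { |d| FileUtils.mkdir_p(File.join(dir, d)) }
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = issue('/CN=Puppet CA: puppet', ca_key, nil, nil, ca: true)
  File.write(File.join(dir, 'certs', 'ca.pem'), ca.to_pem)
  key = OpenSSL::PKey::RSA.new(2048)
  File.write(File.join(dir, 'private_keys', "#{certname}.pem"), key.to_pem)
  File.write(File.join(dir, 'public_keys', "#{certname}.pem"), key.public_key.to_pem)
  File.write(File.join(dir, 'certs', "#{certname}.pem"), issue("/CN=#{certname}", key, ca, ca_key).to_pem) if signed
  dir
end

puts agent_ssl_status(build_ssldir('git.troutwine.us', signed: false), 'git.troutwine.us') # missing_cert
```

Run it against a real agent as agent_ssl_status('/var/lib/puppet/ssl', certname); anything other than :ok explains a "no required SSL certificate" rejection before touching the nginx side.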
