puppet时遇到的坑

本人菜鸟，部署puppet时遇到了很多错误，网上看了好多前辈的文章后才搞定，现在把常见的错误贴出。

常见问题
问题：[root@puppet ~]# puppetd --test --server puppet
dnsdomainname: Unknown host
dnsdomainname: Unknown host
err: Could not request certificate: Connection refused - connect(2)
Exiting; failed to retrieve certificate and waitforcert is disabled
解决方法：此错误是没有启动puppetmasterd服务和配置绑定主机名
[root@localhost ~]#vi /etc/hosts
在最后一行添加：
192.168.3.9 puppet
[root@localhost ~]#service puppetmasterd restart --重新启动服务

问题: [root@c1 ~]# puppetd --server puppet --test
err: Could not request certificate: No route to host - connect(2)
Exiting; failed to retrieve certificate and waitforcert is disabled
解决方法: server端没有开启8140 port or close iptables firewall

问题: [root@c1 puppet-2.7.2rc2]# puppetd --test --server puppet
info: Creating a new SSL key for c1.localdomain
err: Could not request certificate: getaddrinfo: Name or service not known
Exiting; failed to retrieve certificate and waitforcert is disabled
解决方法: 客户端没有配置服务器端的域名绑定：
[root@c1 ~]#vi /etc/hosts
在最后一行添加：
192.168.3.9 puppet

问题: [root@t-db2 ~]# puppetd --server puppet.com --test
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled
解决方法: 在puppet server执行下列语句：
[root@puppet ~]# puppetca -l --返回下个未签名的证书清单
c1.localdomain
[root@puppet ~]# puppetca -s c1.localdomain --签名证书
notice: Signed certificate request for c1.localmain

证书问题解决:
如果客户机请求证书时出现下面错误：
err:
Could not request certificate: Retrieved certificate does not match
private key; please remove certificate from server and regenerate it
with the current key
Exiting; failed to retrieve certificate and waitforcert is disabled

先到服务器端清除指定客户机的证书
puppetca -c c1.localdomain
然后再到服务器端吊销证书
puppetca -r c1.localdomain

然后在客户机上,mv /var/lib/puppet /tmp
接着在客户机 上请求证书签名
puppetd --test --server puppet
然后在服务器上对客户机的证书做签名
puppetca -s -a
搞定，收工