I am running the following Puppet setup:
- Puppet master:
CentOS 6.4 x86_64
with puppet-server-3.2.1-2.2
and openssl-1.0.0-27.el6_4.2.x86_64
- Puppet agent 1:
RedHat AS 4.8 x86
with puppet-0.25.6-1.el4
and openssl-0.9.7a-43.20.el4
- Puppet agent 2:
RHEL 5.10 x86
with puppet-2.6.18-3.el5
and openssl-0.9.8e-26.el5_9.1
I noticed that my RedHat 4 agent cannot connect to my Puppet master, and I think the reason is that the libssl version packaged for RH4 (0.9.7a-43.20 in my case) cannot handle the digest generated by the Puppet server.
Tests I performed:
- From the non-working RedHat 4 agent (with OpenSSL v0.9.7a-43.20.el4):
# openssl s_client -host puppetmaster.test.lan -port 8140 -cert /etc/puppet/ssl/certs/rh4as.test.lan.pem -key /etc/puppet/ssl/private_keys/rh4as.test.lan.pem -CAfile /etc/puppet/ssl/certs/ca.pem
CONNECTED(00000003)
depth=1 /CN=Puppet CA: puppetmaster.test.lan
verify return:1
depth=0 /CN=puppetmaster.test.lan
verify error:num=7:certificate signature failure
verify return:1
depth=0 /CN=puppetmaster.test.lan
verify return:1
---
Certificate chain
0 s:/CN=puppetmaster.test.lan
i:/CN=Puppet CA: puppetmaster.test.lan
1 s:/CN=Puppet CA: puppetmaster.test.lan
i:/CN=Puppet CA: puppetmaster.test.lan
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=puppetmaster.test.lan
issuer=/CN=Puppet CA: puppetmaster.test.lan
---
No client certificate CA names sent
---
SSL handshake has read 3793 bytes and written 2853 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 8B8607495273640FB4BCB80C5C1CE261FED1633CA112C1D216BE187EDEA81F77
Session-ID-ctx:
Master-Key: A2A3AC5B0679C27FFE070D0B3154233EC4D0F17310148AE7B6FF502A7DB95679D33BB097C0ED89AE67AA42E95BD4D952
Key-Arg : None
Krb5 Principal: None
Start Time: 1392216496
Timeout : 300 (sec)
Verify return code: 7 (certificate signature failure)
---
closed
- From the working RedHat 5 agent (with OpenSSL v0.9.8e-26.el5_9.1):
# openssl s_client -host puppetmaster.test.lan -port 8140 -cert /etc/puppet/ssl/certs/rhel5.test.lan.pem -key /etc/puppet/ssl/private_keys/rhel5.test.lan.pem -CAfile /etc/puppet/ssl/certs/ca.pem
CONNECTED(00000003)
depth=1 /CN=Puppet CA: puppetmaster.test.lan
verify return:1
depth=0 /CN=puppetmaster.test.lan
verify return:1
---
Certificate chain
0 s:/CN=puppetmaster.test.lan
i:/CN=Puppet CA: puppetmaster.test.lan
1 s:/CN=Puppet CA: puppetmaster.test.lan
i:/CN=Puppet CA: puppetmaster.test.lan
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/CN=puppetmaster.test.lan
issuer=/CN=Puppet CA: puppetmaster.test.lan
---
No client certificate CA names sent
---
SSL handshake has read 3793 bytes and written 2831 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 7B70B803D8D0FFC65F2696D337EB40CDE41D188F9F1BA1D7FE416DA326B49AFD
Session-ID-ctx:
Master-Key: BE57138CA99AA4AA59769B3E8396E9C25594264E196FB50DB066679EA569311521F1BBBCD25962B780A38D95A3AD9346
Key-Arg : None
Krb5 Principal: None
Start Time: 1392224552
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
- From the Puppet master:
# puppet cert --list --all
+ "rh4as.test.lan" (SHA256) 69:BD:D9:B6:31:6B:3E:90:9B:5E:1B:90:FA:24:08:1A:48:31:B1:17:65:DF:93:26:70:29:5A:C3:3E:C8:0F:7E
+ "rhel5.test.lan" (SHA256) 83:58:A9:25:7C:9A:41:C9:A7:7E:45:26:40:EE:D0:05:9A:31:6E:8D:15:CE:57:86:0C:DA:E0:D0:2A:9C:B3:DB
+ "puppetmaster.test.lan" (SHA256) 9C:AC:8E:CA:71:24:2B:BB:61:52:01:4F:F1:DF:BD:B6:25:6C:DA:61:44:E4:1E:71:77:DF:2F:BA:AE:A9:40:FD (alt names: "DNS:puppet", "DNS:puppet.test.lan", "DNS:puppetmaster.test.lan", "DNS:puppetmaster")
Additional checks:
- I made sure all servers are correctly synchronized with an NTP server
- I removed all local certificates on the RH4AS agent and had them reissued
- I removed the local references to the RH4AS agent on the Puppet master
- I installed Puppet agent v2.6.0 from source on the RH4AS server, but ran into the same problem
I read these links:
- http://projects.puppetlabs.com/issues/17295
- https://groups.google.com/forum/#!msg/puppet-dev/_jkdY1Hmq6U/X0gj7NSgK64J
- Puppet auto-generated certificates fail
I realize I have two options:
- Upgrade my OpenSSL version to 0.9.8+ (1.0.0 to be safe)
- Downgrade the digest used by the Puppet master from SHA256 to SHA1 (or maybe even MD5)
Unfortunately, option #1 (upgrading OpenSSL) is not applicable in my environment. So I guess I can only downgrade the digest used by the Puppet master. But I cannot find an option in man puppet.conf that could be used to achieve this. I tried the keylength parameter, but to no avail.
I would be grateful if anyone could help me solve this problem.
Thanks in advance, everyone.
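A quick way to confirm this diagnosis without changing anything on the Puppet master is to read the signatureAlgorithm OID out of the certificate itself and compare it with what the agent's OpenSSL build can verify. The script below is an added example, not code from the original question or from Puppet; it uses only the Python standard library so it could run on an old agent. The capability split at OpenSSL 0.9.8 (MD5/SHA1 only before it, SHA-2 from 0.9.8 on) is an assumption taken from the results shown above, and the embedded certificate is a constructed minimal DER structure with a dummy tbsCertificate, not a real Puppet certificate; on a real host you would feed it /etc/puppet/ssl/certs/ca.pem.

```python
"""Tell which digest an X.509 certificate is signed with and whether a given
OpenSSL build can verify it (explains "verify error:num=7" before it happens).
Added example; standard library only. OpenSSL capability table is an assumption."""
import base64
import re

# PKCS#1 signature-algorithm OIDs and the digest each one uses.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA512"),
}

# Assumption derived from the thread: OpenSSL < 0.9.8 verifies only MD5/SHA1
# signatures; 0.9.8 and later also verify the SHA-2 family.
LEGACY_DIGESTS = {"MD5", "SHA1"}
MODERN_DIGESTS = LEGACY_DIGESTS | {"SHA256", "SHA384", "SHA512"}


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        num_bytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + num_bytes], "big")
        pos += num_bytes
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode the body of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem):
    """Extract and base64-decode the first CERTIFICATE block of a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def signature_algorithm(der):
    """Return (algorithm name, digest) from the outer signatureAlgorithm field.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    tag, start, _ = _read_tlv(der, 0)              # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)          # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(der, tbs_end)    # signatureAlgorithm SEQUENCE
    if tag != 0x30:
        raise ValueError("malformed signatureAlgorithm")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = _decode_oid(der[oid_start:oid_end])
    return SIGNATURE_OIDS.get(oid, (oid, "UNKNOWN"))


def openssl_supports(openssl_version, digest):
    """True if an OpenSSL build such as '0.9.7a-43.20.el4' can verify this digest."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", openssl_version)
    if not m:
        raise ValueError("unparseable OpenSSL version: %r" % openssl_version)
    version = tuple(int(x) for x in m.groups())
    allowed = LEGACY_DIGESTS if version < (0, 9, 8) else MODERN_DIGESTS
    return digest in allowed


def diagnose(pem, openssl_version):
    """Combine both checks into one verdict for a given agent's OpenSSL."""
    name, digest = signature_algorithm(pem_to_der(pem))
    return {"algorithm": name, "digest": digest,
            "verifiable": openssl_supports(openssl_version, digest)}


# Constructed sample: a minimal DER "certificate" whose tbsCertificate is a dummy
# SEQUENCE; only the signatureAlgorithm field matters for this check.
def _tlv(tag, content):
    return bytes([tag, len(content)]) + content


def _fake_cert_pem(oid_bytes):
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                      # dummy serial only
    alg = _tlv(0x30, _tlv(0x06, oid_bytes) + _tlv(0x05, b""))  # AlgorithmIdentifier
    sig = _tlv(0x03, b"\x00" * 9)                              # placeholder BIT STRING
    body = base64.b64encode(_tlv(0x30, tbs + alg + sig)).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


SHA256_CERT_PEM = _fake_cert_pem(bytes.fromhex("2a864886f70d01010b"))  # 1.2.840.113549.1.1.11
SHA1_CERT_PEM = _fake_cert_pem(bytes.fromhex("2a864886f70d010105"))    # 1.2.840.113549.1.1.5

if __name__ == "__main__":
    for ver in ("0.9.7a-43.20.el4", "0.9.8e-26.el5_9.1", "1.0.0-27.el6_4.2"):
        print(ver, diagnose(SHA256_CERT_PEM, ver))
```

The same information is available from the command line with `openssl x509 -in /etc/puppet/ssl/certs/ca.pem -noout -text`, whose "Signature Algorithm" line will read sha256WithRSAEncryption for a Puppet 3.x CA; the point of the script is that it runs independently of the agent's own OpenSSL, which is exactly the component under suspicion.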
Answer 1
It looks like you have run into Feature #21029: allow control of the digest used to create CA certificates. There does not seem to be a way to work around this within Puppet, so you will need to create the certificates manually with OpenSSL.
Answer 2
I ended up downgrading my Puppet master from the 3.x branch to 2.7.x (as pointed out in this post: https://groups.google.com/forum/#!msg/puppet-dev/_jkdY1Hmq6U/QJ6nHP2ORtYJ).
But I think sciurus's answer is probably valid, since the Puppet developers told me I could work around this by setting up a SHA1-compliant CA.