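Three machines in the production environment had hardware issues and were decommissioned. The infrastructure team has reinstalled them and given them the same hostnames and IP addresses. The aim is to run Puppet on these systems so that they can be put back into service.
Attempt
1) Remove the old Puppet certificates from the Puppetmaster by issuing the following commands: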
puppet cert revoke grb16.company.com
puppet cert clean grb16.company.com
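2) Once the old certificate had been removed, a new certificate request was created by issuing the following command from one of the reinstalled nodes: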
[root@grb16 ~]# puppet agent -t
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for grb16.company.com
Info: Certificate Request fingerprint (SHA256): 6F:2D:1D:71:67:18:99:86:2C:22:A1:14:80:55:34:35:FD:20:88:1F:36:ED:A7:7B:2A:12:09:4D:F8:EC:BF:6D
Exiting; no certificate found and waitforcert is disabled
[root@grb16 ~]#
3) Once the certificate request was visible on the Puppetmaster, the following command was issued to sign it:
[root@foreman ~]# puppet cert sign grb16.company.com
Notice: Signed certificate request for grb16.company.com
Notice: Removing file Puppet::SSL::CertificateRequest grb16.company.com at '/var/lib/puppet/ssl/ca/requests/grb16.company.com.pem'
[root@foreman ~]#
Problem
Once the certificate request had been signed and a Puppet run was started, the following error was thrown:
[root@grb16 ~]# puppet agent -t
Info: Caching certificate for grb16.company.com
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Exiting; failed to retrieve certificate and waitforcert is disabled
[root@grb16 ~]#
Running Puppet a second time results in:
[root@grb16 ~]# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://foreman.company.com/pluginfacts: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Wrapped exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://foreman.company.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Wrapped exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
[root@grb16 ~]#
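Analysis
To solve the issue, the error message was investigated, and the problem appeared to be related to SSL or Puppet. Perhaps one of these packages had been installed incorrectly, or the wrong version had been installed on the reinstalled node.
Puppet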
[root@grb16 ~]# yum list installed |grep puppet
facter.x86_64 1:2.3.0-1.el6 @puppetlabs_6_products
hiera.noarch 1.3.4-1.el6 @puppetlabs_6_products
puppet.noarch 3.7.3-1.el6 @puppetlabs_6_products
puppetlabs-release.noarch
6-11 @puppetlabs_6_products
ruby-augeas.x86_64 0.4.1-3.el6 @puppetlabs_6_deps
ruby-shadow.x86_64 1:2.2.0-2.el6 @puppetlabs_6_deps
rubygem-json.x86_64 1.5.5-3.el6 @puppetlabs_6_deps
SSL
[root@grb16 ~]# yum list installed |grep ssl
nss_compat_ossl.x86_64 0.9.6-1.el6 @anaconda-CentOS-201410241409.x86_64/6.6
openssl.x86_64 1.0.1e-30.el6_6.4
openssl-devel.x86_64 1.0.1e-30.el6_6.4
[root@grb16 ~]#
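No differences were found between the SSL and Puppet packages installed on the various servers. The systems that were not decommissioned or reinstalled are still able to run Puppet. The issue is restricted to the reinstalled servers. Note that Puppet has not yet been run on the other two reinstalled servers. What is causing this issue, and how can it be solved?
Answer 1
Concise answer
The message "CRL is not yet valid for" indicates that the clocks of the Puppet-agent and the Puppetmaster are out of sync. Sync the time (NTP). Remove the certificate from both the Puppet-agent and the Puppetmaster, then run Puppet on the agent.
Comprehensive answer
The string "CRL is not yet valid for" appears in the following snippet.
This test snippet describes what causes the issue: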
it 'includes the CRL issuer in the verify error message' do
  crl = OpenSSL::X509::CRL.new
  crl.issuer = OpenSSL::X509::Name.new([['CN','Puppet CA: puppetmaster.example.com']])
  crl.last_update = Time.now + 24 * 60 * 60
  ssl_context.stubs(:current_crl).returns(crl)
  subject.call(false, ssl_context)
  expect(subject.verify_errors).to eq(["CRL is not yet valid for /CN=Puppet CA: puppetmaster.example.com"])
end
ssl_context
let(:ssl_context) do
  mock('OpenSSL::X509::StoreContext')
end
subject
subject do
  described_class.new(ssl_configuration,
                      ssl_host)
end
The code uses methods from the OpenSSL::X509::CRL class.
issuer=(p1)
static VALUE
ossl_x509crl_set_issuer(VALUE self, VALUE issuer)
{
    X509_CRL *crl;

    GetX509CRL(self, crl);
    if (!X509_CRL_set_issuer_name(crl, GetX509NamePtr(issuer))) { /* DUPs name */
        ossl_raise(eX509CRLError, NULL);
    }
    return issuer;
}
last_update=(p1)
static VALUE
ossl_x509crl_set_last_update(VALUE self, VALUE time)
{
    X509_CRL *crl;
    time_t sec;

    sec = time_to_time_t(time);
    GetX509CRL(self, crl);
    if (!X509_time_adj(crl->crl->lastUpdate, 0, &sec)) {
        ossl_raise(eX509CRLError, NULL);
    }
    return time;
}
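The last_update time is set to the current time plus one additional day, and the CRL then reaches the subject's call function, which resides in the default_validator class.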
class Puppet::SSL::Validator::DefaultValidator #< class Puppet::SSL::Validator
  attr_reader :peer_certs
  attr_reader :verify_errors
  attr_reader :ssl_configuration

  FIVE_MINUTES_AS_SECONDS = 5 * 60

  def initialize(
    ssl_configuration = Puppet::SSL::Configuration.new(
      Puppet[:localcacert], {
        :ca_auth_file => Puppet[:ssl_client_ca_auth]
      }),
    ssl_host = Puppet::SSL::Host.localhost)
    reset!
    @ssl_configuration = ssl_configuration
    @ssl_host = ssl_host
  end

  def call(preverify_ok, store_context)
    if preverify_ok
      ...
    else
      ...
      crl = store_context.current_crl
      if crl
        if crl.last_update && crl.last_update < Time.now + FIVE_MINUTES_AS_SECONDS
          ...
        else
          @verify_errors << "#{error_string} for #{crl.issuer}"
        end
      ...
      end
    end
  end
end
If preverify_ok is false, the else clause applies. The condition
if crl.last_update && crl.last_update < Time.now + FIVE_MINUTES_AS_SECONDS
evaluates to false, because last_update has been set one day into the future, so the inner else branch runs. Evaluating
@verify_errors << "#{error_string} for #{crl.issuer}"
results in "CRL is not yet valid for /CN=Puppet CA: puppetmaster.example.com".
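The branch described above can be reproduced outside Puppet with a small Ruby sketch. It is only an illustration, not Puppet's code: crl_time_error and crl_with_offset are hypothetical helper names, the CRLs are unsigned throwaway objects, and the message text is hard-coded here instead of coming from OpenSSL's error_string.

```ruby
require 'openssl'

# Same tolerance as the constant in the validator excerpt.
FIVE_MINUTES_AS_SECONDS = 5 * 60

# Hypothetical helper (not part of Puppet): returns nil when the CRL's
# last_update is within the tolerance, otherwise an error message shaped
# like the one the agent logs.
def crl_time_error(crl, now = Time.now)
  if crl.last_update && crl.last_update < now + FIVE_MINUTES_AS_SECONDS
    nil
  else
    "CRL is not yet valid for #{crl.issuer}"
  end
end

# Hypothetical helper: builds an unsigned CRL whose last_update is shifted
# by offset_seconds relative to now.
def crl_with_offset(now, offset_seconds)
  crl = OpenSSL::X509::CRL.new
  crl.issuer = OpenSSL::X509::Name.new([['CN', 'Puppet CA: puppetmaster.example.com']])
  crl.last_update = now + offset_seconds
  crl
end

now = Time.now
slightly_ahead = crl_with_offset(now, 2 * 60)       # inside the 5-minute window
day_ahead      = crl_with_offset(now, 24 * 60 * 60) # same offset as the spec

puts crl_time_error(slightly_ahead, now).inspect
puts crl_time_error(day_ahead, now).inspect
```

A CRL dated two minutes ahead of the local clock is tolerated, while one dated a day ahead yields the error string, which matches what the reinstalled agent reports.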
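To solve the issue:
- Sync the time between the Puppet-agent and the Puppetmaster. Is the NTP service running properly on both nodes?
- Remove or rename the complete ssl folder (/var/lib/puppet/ssl) on the agent.
- Revoke the agent's certificate on the master by issuing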
sudo puppet cert clean <fqdn-puppet-agent>
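- Sign the certificate if autosign is disabled
- Run puppet on the agent
In conclusion, the clocks of the Puppet-agents and the Puppetmaster should be kept in sync at all times. Exceeding the maximum allowed deviation of 5 minutes will cause this issue.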
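As a rough pre-check before re-running the agent, the two clocks can be compared by hand. The sketch below assumes you have collected epoch seconds from each host at about the same moment (for example with date -u +%s); agent_lag_seconds and crl_error_likely? are hypothetical names, and the 5-minute threshold is taken from the validator excerpt in this answer. It also assumes the master has just rewritten its CRL, so that the CRL timestamp is close to the master's clock. Going by that excerpt, only an agent clock that lags behind triggers this particular error, so the direction of the skew matters.

```ruby
# Threshold taken from FIVE_MINUTES_AS_SECONDS in the validator excerpt.
MAX_SKEW_SECONDS = 5 * 60

# Hypothetical helper: how far the agent's clock is behind the master's.
# Both arguments are epoch seconds. A negative result means the agent
# is ahead of the master.
def agent_lag_seconds(agent_epoch, master_epoch)
  master_epoch - agent_epoch
end

# Hypothetical helper: true when a freshly issued CRL on the master would
# look "not yet valid" to the agent under the 5-minute tolerance.
def crl_error_likely?(agent_epoch, master_epoch)
  agent_lag_seconds(agent_epoch, master_epoch) >= MAX_SKEW_SECONDS
end

master = 1_420_000_000 # made-up sample timestamp

puts crl_error_likely?(master - 600, master) # agent 10 minutes behind => true
puts crl_error_likely?(master - 60, master)  # agent 1 minute behind   => false
puts crl_error_likely?(master + 600, master) # agent 10 minutes ahead  => false
```

If the first case matches your hosts, fix NTP on the agent before cleaning and re-signing certificates. Otherwise the new run is likely to fail in the same way.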
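Answer 2
Came across the same issue.
Our Puppet setup is version-controlled with GitHub, so every time we provision a new Puppetmaster we run into certificate issues. Normally puppet ca --clean --all
works, but we have found the following to be more reliable: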
rm -rf $(puppet master --configprint ssldir)