Summary
I had to rebuild a server and then ran into an interesting problem. Even after deleting /var/lib/puppet/ssl and cleaning the certificate on the master, Puppet still refuses to verify the certificate.
Servers
Master:
OS: Ubuntu 14.04
Puppet Master version: 3.4.3-1 (using Webrick)
Agent:
OS: Ubuntu 12.04
Puppet version: 2.7.11
(Note that in the output below I have replaced the hostname with "agent-server.com")
Steps to reproduce
Delete the SSL directory on the agent server:
rm -fr /var/lib/puppet/ssl
Clean the certificate on the Puppet master:
puppet cert clean agent-server.com
Restart the Puppet master:
/etc/init.d/puppetmaster restart
Run the Puppet agent:
puppet agent -t
Error messages:
Agent:
root@agent-server:~# puppet agent -t
info: Creating a new SSL key for agent-server.com
info: Caching certificate for ca
info: Creating a new SSL certificate request for agent-server.com
info: Certificate Request fingerprint (md5): F2:2A:AD:3C:D5:E8:13:82:1D:C5:80:B4:FD:23:C4:86
info: Caching certificate for agent-server.com
info: Caching certificate_revocation_list for ca
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
Puppet master:
[2017-08-29 18:08:51] 10.88.0.208 - - [29/Aug/2017:18:08:51 UTC] "GET /production/certificate/ca? HTTP/1.1" 200 1939
[2017-08-29 18:08:51] - -> /production/certificate/ca?
[2017-08-29 18:08:51] 10.88.0.208 - - [29/Aug/2017:18:08:51 UTC] "GET /production/certificate/agent-server.com? HTTP/1.1" 404 78
[2017-08-29 18:08:51] - -> /production/certificate/agent-server.com?
[2017-08-29 18:08:51] 10.88.0.208 - - [29/Aug/2017:18:08:51 UTC] "GET /production/certificate_request/agent-server.com? HTTP/1.1" 404 86
[2017-08-29 18:08:51] - -> /production/certificate_request/agent-server.com?
[2017-08-29 18:08:51] 10.88.0.208 - - [29/Aug/2017:18:08:51 UTC] "PUT /production/certificate_request/agent-server.com HTTP/1.1" 200 1448
[2017-08-29 18:08:51] - -> /production/certificate_request/agent-server.com
[2017-08-29 18:08:51] 10.88.0.208 - - [29/Aug/2017:18:08:51 UTC] "GET /production/certificate/agent-server.com? HTTP/1.1" 200 1448
[2017-08-29 18:08:51] - -> /production/certificate/agent-server.com?
[2017-08-29 18:08:56] 10.88.0.208 - - [29/Aug/2017:18:08:56 UTC] "GET /production/certificate_revocation_list/ca? HTTP/1.1" 200 11220
[2017-08-29 18:08:56] - -> /production/certificate_revocation_list/ca?
[2017-08-29 18:08:56] ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: sslv3 alert certificate revoked
/usr/lib/ruby/vendor_ruby/puppet/network/http/webrick.rb:35:in `accept'
/usr/lib/ruby/vendor_ruby/puppet/network/http/webrick.rb:35:in `block (2 levels) in listen'
/usr/lib/ruby/1.9.1/webrick/server.rb:191:in `call'
/usr/lib/ruby/1.9.1/webrick/server.rb:191:in `block in start_thread'
[2017-08-29 18:08:56] ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: sslv3 alert certificate revoked
/usr/lib/ruby/vendor_ruby/puppet/network/http/webrick.rb:35:in `accept'
/usr/lib/ruby/vendor_ruby/puppet/network/http/webrick.rb:35:in `block (2 levels) in listen'
/usr/lib/ruby/1.9.1/webrick/server.rb:191:in `call'
/usr/lib/ruby/1.9.1/webrick/server.rb:191:in `block in start_thread'
So from the logs it looks as if the certificate has been revoked, even though it is brand new. Also, this cannot be a time problem, because the two servers are very close, only 2-3 seconds apart.
Unfortunately I am a bit stuck. Any help would be greatly appreciated.
Answer 1
The server rejects your client certificate because it was signed by the old server CA. Delete or move your old client certificate from the client host:
sudo mv /var/lib/puppet/ssl /var/lib/puppet/ssl.old
then trigger the agent again from the client host.
The server log also suggests that it may come from a time mismatch between the hosts. Make sure both hosts have the same time and are synchronised with an NTP server.
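The two verdicts that appear in this thread, "certificate revoked" on the master and the answer's "signed by the old CA", can both be reproduced outside Puppet with a throwaway OpenSSL CA. The script below is an added example, not code from the question, the answer or the Puppet project; it needs only the openssl command-line tool. The working directory, the CA names ("current" and "old"), the file names agent1/agent2/agent-old and the serials are constructed for the demo. Revoking a certificate and regenerating the CRL stands in for what `puppet cert clean` does on the master side; verifying against a second, unrelated CA stands in for a certificate left over from the old server.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway CA that shows why a client
# certificate is rejected. Requires the `openssl` CLI. All paths are constructed.
set -e

# make_demo_ca DIR LABEL : self-signed CA plus an empty CRL in DIR (hypothetical layout).
make_demo_ca() {
  mkdir -p "$1/newcerts"
  : > "$1/index.txt"; echo 01 > "$1/serial"; echo 01 > "$1/crlnumber"
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
unique_subject = no
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ agent_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
EOF
  openssl req -x509 -config "$1/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=Puppet CA: $2" -days 30 2>/dev/null
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# issue_cert CADIR NAME PREFIX : new key + CSR for NAME, signed by the CA in CADIR.
issue_cert() {
  openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$3.key" -out "$3.csr" -subj "/CN=$2" 2>/dev/null
  openssl ca -config "$1/ca.cnf" -batch -notext -extensions agent_ext \
    -in "$3.csr" -out "$3.crt" 2>/dev/null
}

# revoke_cert CADIR CERT : revoke CERT and publish a CRL listing its serial
# (the master-side effect of `puppet cert clean`).
revoke_cert() {
  openssl ca -config "$1/ca.cnf" -revoke "$2" 2>/dev/null
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# verify_cert CADIR CERT : prints ok | revoked | untrusted-issuer | failed,
# i.e. what a TLS peer trusting CADIR's CA and CRL would decide about CERT.
verify_cert() {
  if out=$(openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" "$2" 2>&1); then
    echo ok
  elif echo "$out" | grep -q 'certificate revoked'; then
    echo revoked
  elif echo "$out" | grep -q 'unable to get local issuer certificate'; then
    echo untrusted-issuer
  else
    echo failed
  fi
}

# cert_serial CERT : hex serial number of CERT.
cert_serial() { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }

# serial_in_crl CERT CRL : exit 0 if CERT's serial is listed as revoked in CRL.
serial_in_crl() {
  openssl crl -in "$2" -noout -text | grep -q "Serial Number: $(cert_serial "$1")\$"
}

WORK=$(mktemp -d)
make_demo_ca "$WORK/ca" current        # the master's current CA
make_demo_ca "$WORK/old-ca" old        # the CA of the server that was rebuilt
issue_cert "$WORK/ca" agent-server.com "$WORK/agent1"
issue_cert "$WORK/old-ca" agent-server.com "$WORK/agent-old"

BEFORE_CLEAN=$(verify_cert "$WORK/ca" "$WORK/agent1.crt")   # ok
revoke_cert "$WORK/ca" "$WORK/agent1.crt"                    # "puppet cert clean"
AFTER_CLEAN=$(verify_cert "$WORK/ca" "$WORK/agent1.crt")    # revoked: serial is on the CRL
issue_cert "$WORK/ca" agent-server.com "$WORK/agent2"       # a genuinely new cert, new serial
FRESH=$(verify_cert "$WORK/ca" "$WORK/agent2.crt")          # ok despite the CRL entry
OLD_CA=$(verify_cert "$WORK/ca" "$WORK/agent-old.crt")      # untrusted-issuer (old CA)
echo "before clean: $BEFORE_CLEAN, after clean: $AFTER_CLEAN, fresh: $FRESH, old CA: $OLD_CA"
```

The point of the fresh certificate step is the one that matters for this thread: a CRL entry only bites when the serial the agent presents is the revoked one, so a certificate the master really did just sign should verify. If a real agent still gets "certificate revoked", running `cert_serial` on the certificate the agent actually presents and `serial_in_crl` against the CRL the master serves tells you directly whether the agent is reusing stale material; and `date -u` on both hosts settles the time-skew hypothesis from the answer.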