我已经安装了 Puppet 服务器和代理,并sudo /opt/puppetlabs/bin/puppetserver ca sign --certname mywindowshost在服务器上接受初始代理请求。
我可以看到证书放在下面,并且存在于服务器根 CA 和代理的证书:
C:\Windows\system32>puppet agent --configprint localcacert
C:/ProgramData/PuppetLabs/puppet/etc/ssl/certs/ca.pem
但是,在代理上运行下面的代码进行测试时我得到以下结果:
C:\Windows\system32>puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
Info: Retrieving pluginfacts
Error: /File[C:/ProgramData/PuppetLabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
Error: /File[C:/ProgramData/PuppetLabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
Info: Retrieving plugin
Error: /File[C:/ProgramData/PuppetLabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
Error: /File[C:/ProgramData/PuppetLabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
https://puppet.mydomain.com:8140/puppet-ca/v1/certificate/ca如果我在代理机器的 Web 浏览器中浏览并显示 CA 证书,我就能看到该证书。
在客户端上C:\ProgramData\PuppetLabs\puppet\etc\puppet.conf显示如下:
[main]
server=puppet.mydomain.com
autoflush=true
manage_internal_file_permissions=false
在服务器上/etc/puppetlabs/puppet/puppet.conf显示如下:
[master]
dns_alt_names = puppet.mydomain.com,puppet-svr1
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
[main]
certname = puppet.mydomain.com
server = puppet.mydomain.com
environment = production
runinterval = 15m
在服务器上可以看到生成的证书:
admin@puppet-svr1:/etc/puppetlabs/puppet$ sudo /opt/puppetlabs/bin/puppetserver ca list --all
Signed Certificates:
home (SHA256) 5E:2D:70:03:B1:A4:81:50:ED:A7:10:88:FD:8E:D0:A6:85:0D:27:D9:A0:65:86:2D:D5:C6:08:B3:C9:4D:37:90
puppet.mydomain.com (SHA256) 4A:14:F1:FB:5D:23:AC:D9:D8:A3:EA:D7:F0:68:B2:7D:9C:46:4D:77:68:F7:E9:5A:3B:61:07:24:3F:20:6B:B3 alt names: ["DNS:puppet.mydomain.com", "DNS:puppet-svr1", "DNS:puppet.mydomain.com"]
所有 DNS 都在解析,包括从服务器本身(到其自身的 IP 地址)和从代理。
代理和服务器之间的时间匹配并同步。
我也按照 CA 重置程序操作,但得到了完全相同的错误https://puppet.com/docs/puppet/6.4/ssl_regenerate_certificates.html。
我注意到给出的证书https://puppet.mydomain.com:8140/puppet-ca/v1/certificate/ca包含两个证书(一个堆叠在另一个之上),而放置在代理目录中的证书C:/ProgramData/PuppetLabs/puppet/etc/ssl/certs/ca.pem仅包含其中一个证书(在之间-----BEGIN CERTIFICATE---- and -----END CERTIFICATE-----,最顶层)。
更新发现的潜在问题 - 我现在已certificate_revocation = false使用完整链证书运行它https://puppet.mydomain.com:8140/puppet-ca/v1/certificate/ca
我相信我已经找到了问题,测试代理发布的自动下载的CA(只有一个CA)我得到了以下结果:
C:\ProgramData\PuppetLabs\puppet\etc\ssl\certs>openssl verify -CAfile ca.pem home-hv1.pem
home-hv1.pem: CN = Puppet CA: puppet.mydomain.com
error 2 at 1 depth lookup:unable to get issuer certificate
然后我将chain.ca(包含两个证书)替换为 ca.pem 并重新运行:
C:\ProgramData\PuppetLabs\puppet\etc\ssl\certs>openssl verify -CAfile ca.pem home-hv1.pem
home-hv1.pem: OK
然而,在运行测试时,它会抱怨没有 CRL(事实上我无法看到生成的证书中提到的 CRL URL):
C:\ProgramData\PuppetLabs\puppet\etc\ssl\certs>puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=Puppet CA: puppet.mydomain.com]
将代理上的 puppet.conf 更新为:
[main]
server=puppet.mydomain.com
autoflush=true
manage_internal_file_permissions=false
certificate_revocation = false
然后重新启动服务即可运行:
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for home-hv1
Info: Applying configuration version '1559933691'
如果没有 CRL,我就无法顺利运行,但是为什么一开始就没有提供 CRL 呢?
我是否遗漏了任何步骤或者做错了什么,或者这是一个错误?
还有什么想法需要检查,才能让它正常工作而无需开箱即用?
答案1
我认为在某些版本的 puppetserver 中(或者可能是在使用来puppetserver ca setup初始化 CA 时),你的 CA 会在链中使用中间证书创建,但是当客户端证书被签名时,/etc/puppetlabs/puppet/ssl/certs/ca.pem客户端上没有该中间证书,所以你会收到如下错误:
错误:/File[/opt/puppetlabs/puppet/cache/facts.d]:无法评估:无法检索 puppet:///pluginfacts 的文件元数据:SSL_connect returned=1 errno=0 state=error:证书验证失败:[无法获取 /CN=Puppet CA 的颁发者证书:puppet.example.com]
错误:无法发送报告:SSL_connect 返回 = 1 errno = 0 state = error:证书验证失败:[无法获取 /CN = Puppet CA 的颁发者证书:puppet.example.com]
或者即使在一切开始运作之后,证书吊销列表仍然失败:
错误:无法请求证书:请求https://puppet.example.com:8140//puppet-ca/v1/certificate/k8s-3813-kam1失败:SSL_connect 返回 = 1 errno = 0 状态 = 错误:证书验证失败:[无法获取 /CN = Puppet CA 的证书 CRL:puppet.example.com]
一个简单的修复方法是下载完整的公共 CA 密钥并在客户端上覆盖错误的链。假设 puppet.example.com 是你的主服务器:
sudo wget --no-check-certificate https://puppet.example.com:8140/puppet-ca/v1/certificate/ca -O /etc/puppetlabs/puppet/ssl/certs/ca.pem
sudo puppet agent --test --certificate_revocation=false
# or you can add the following to your /etc/puppetlabs/puppet/puppet.conf
[main]
certificate_revocation = false