Puppet cert clean isn't working

So, I'm building a new server to replace an existing one. Should be easy, right? Revoke the old cert, create a new one, and off we go. Here's the loop I'm stuck in:

I've redacted server names, certificate fingerprints and domains. The servers shown below are:

  • Slave1 - a peer of the one having problems. It's mentioned below only to prove one detail.
  • Slave2 - the machine giving me trouble.
  • Master1 - the puppet master (obviously)

On the new build:

[root@slave2 ~]# puppet agent -t
Error: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:2F:F1
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
On the master:
puppet cert clean slave2.example.com
On the agent:
  rm -f /var/lib/puppet/ssl/certs/slave2.example.com.pem
  puppet agent -t

Exiting; failed to retrieve certificate and waitforcert is disabled

OK, that's expected, entirely expected, since this is a new server using the old name. Now on the master:

[root@master1 ~]# puppet cert clean slave2.example.com
Notice: Revoked certificate with serial 154

Note that there's nothing about deleting key files. That's because they aren't there. Proof:

[root@master1 ~]# ls /var/lib/puppet/ssl/ca/signed/slave1.example.com.pem
/var/lib/puppet/ssl/ca/signed/slave1.example.com.pem
[root@master1 ~]# ls /var/lib/puppet/ssl/ca/signed/slave2.example.com.pem
ls: cannot access /var/lib/puppet/ssl/ca/signed/slave2.example.com.pem: No such file or directory

OK, good. Now back to the slave to finish the process by deleting the .pem file and running the puppet agent again:

[root@slave2 ~]# rm -f /var/lib/puppet/ssl/certs/slave2.example.com.pem
[root@slave2 ~]# puppet agent -t
Info: Caching certificate for slave2.example.com
Error: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:2F:F1
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
On the master:
  puppet cert clean slave2.example.com
On the agent:
  rm -f /var/lib/puppet/ssl/certs/slave2.example.com.pem
  puppet agent -t

Exiting; failed to retrieve certificate and waitforcert is disabled

...and we're back to square one, with nothing changed.

One last sanity check:

[root@master1 ~]# puppet cert list -a | grep -i slave2

...and no matches.

What am I doing wrong?

Addendum:

I'm inclined to believe it's on the master, but I'm not sure exactly why. Here's my reason:

[root@master1 ~]# puppet cert clean slave2.example.com
Notice: Revoked certificate with serial 154
[root@master1 ~]# puppet cert clean slave2.example.com
Notice: Revoked certificate with serial 154
[root@master1 ~]# puppet cert clean slave2.example.com
Notice: Revoked certificate with serial 154
[root@master1 ~]# puppet cert clean slave2.example.com
Notice: Revoked certificate with serial 154
[root@master1 ~]# puppet cert clean slave2.example.com
Notice: Revoked certificate with serial 154

Since the certificate no longer exists, shouldn't this fail after the first time?
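The error the agent keeps printing is a public-key comparison: the certificate it just fetched was issued for a private key other than the one in its own private_keys directory. The following is an added example, not code from the original post and not Puppet's own code, that performs the same check by hand with openssl. It builds its own throwaway key pair and certificate in a temp directory to stand in for the decommissioned server's key (and the cert the CA signed for it) and a fresh key for the rebuilt server that reuses the same certname; the Puppet 3 paths in the comments are the defaults quoted in the question and only show where to point the function on a real agent.

```shell
#!/bin/sh
# Added example, not Puppet's code: the agent-side check behind the error
# "The certificate retrieved from the master does not match the agent's
# private key", done by hand with openssl. On a Puppet 3 agent the two files
# to compare are (default ssldir as quoted in the question):
#   /var/lib/puppet/ssl/certs/<certname>.pem          cert received from the master
#   /var/lib/puppet/ssl/private_keys/<certname>.pem   the agent's private key

# pem_fingerprint: reads a PEM public key on stdin and prints the SHA-256 of
# its DER form; prints nothing and fails if stdin is empty (e.g. openssl
# could not read the input file)
pem_fingerprint() {
  pem=$(cat)
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{ print $NF }'
}

# fingerprint of the SubjectPublicKeyInfo embedded in a certificate
pubkey_fingerprint_of_cert() {
  openssl x509 -noout -pubkey -in "$1" 2>/dev/null | pem_fingerprint
}

# fingerprint of the public half derived from a private key
pubkey_fingerprint_of_key() {
  openssl pkey -in "$1" -pubout 2>/dev/null | pem_fingerprint
}

# check_cert_key_match CERT KEY: succeeds only if CERT was issued for KEY
check_cert_key_match() {
  c=$(pubkey_fingerprint_of_cert "$1")
  k=$(pubkey_fingerprint_of_key "$2")
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# --- constructed demo material (not real Puppet files) -----------------------
# old.key / slave2.crt: the decommissioned server's key and the cert the CA
# signed for it (self-signed here; only the public key matters for the check)
# new.key: the rebuilt server's fresh key that reuses the same certname
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
openssl genrsa -out "$DEMO/old.key" 2048 2>/dev/null
openssl req -new -x509 -key "$DEMO/old.key" -days 1 \
  -subj "/CN=slave2.example.com" -out "$DEMO/slave2.crt" 2>/dev/null
openssl genrsa -out "$DEMO/new.key" 2048 2>/dev/null

if check_cert_key_match "$DEMO/slave2.crt" "$DEMO/old.key"; then
  echo "old key: cert matches, this is the pair the CA originally signed"
fi
if ! check_cert_key_match "$DEMO/slave2.crt" "$DEMO/new.key"; then
  echo "new key: MISMATCH, the state the agent error in the question reports"
fi
```

On the real agent, run check_cert_key_match against /var/lib/puppet/ssl/certs/slave2.example.com.pem and /var/lib/puppet/ssl/private_keys/slave2.example.com.pem right after a run that logs "Caching certificate". Deleting only certs/<certname>.pem leaves private_keys/<certname>.pem in place, so the agent regenerates its CSR from the same key; if whatever answers that request hands back a certificate signed for a different key, the mismatch reappears on every run, which is the loop shown above.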

Answer 1

A Redditor provided detailed step-by-step instructions that seem to have resolved the issue. The three key things were:

  • Make sure the clocks are in sync (they already were)
  • Make sure the Puppet service is stopped (it wasn't)
  • Invoke the puppet agent with an explicitly defined target, e.g.
puppet agent -t --server master1.example.com

The combination of these helped us sort out the cert issue.

Answer 2

puppet ca is deprecated and may not work, but try:

puppet ca destroy slave2.example.com

Manually check the /var/lib/puppet/ssl/ca/requests directory for any pending certificate requests, even if puppet cert list -a shows nothing. In fact, run ls -lRa /var/lib/puppet/ssl/ on the master and search for the slave2 certificate, just to be sure.
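A way to do the search Answer 2 suggests systematically, as an added example that is not from the original answers and not Puppet's own code: it walks an ssldir for every file named after the certname and also reads ca/inventory.txt, the serial-to-subject log that `puppet cert clean` consults to pick a serial to revoke. The directory tree and inventory lines are constructed in a temp directory to mirror the state described in the question (slave1 still in ca/signed, slave2 absent from ca/signed but still present elsewhere); the inventory line format is the Puppet 3 one as I recall it and is an assumption, as is the claim that certs/ under the master's ssldir can hold a cached copy that `puppet cert list -a` never shows.

```shell
#!/bin/sh
# Added example, not Puppet's own code: find every artifact a Puppet 3 master
# still holds for a certname, including the ones `puppet cert list -a` never
# shows. Assumed default ssldir layout (/var/lib/puppet/ssl on the page):
#   ca/signed/<name>.pem    signed certs, the only thing `cert list -a` reads
#   ca/requests/<name>.pem  pending CSRs
#   certs/<name>.pem        the master's own cached copy of certs it served
#   ca/inventory.txt        "serial not_before not_after subject" log that
#                           `puppet cert clean` uses to pick the serial to
#                           revoke (line format assumed, see demo below)

# list_cert_artifacts SSLDIR CERTNAME: one line per file or inventory entry
list_cert_artifacts() {
  find "$1" -type f -name "$2.pem" 2>/dev/null
  if [ -f "$1/ca/inventory.txt" ]; then
    grep -n -- "/CN=$2\$" "$1/ca/inventory.txt" | sed "s|^|$1/ca/inventory.txt:|"
  fi
}

# count_cert_artifacts SSLDIR CERTNAME: 0 means the name is really gone
count_cert_artifacts() {
  list_cert_artifacts "$1" "$2" | wc -l | tr -d ' '
}

# serials_in_inventory SSLDIR CERTNAME: hex serials still mapped to the name;
# each is what `cert clean` can report as revoked again on every run even
# after ca/signed/<name>.pem is gone
serials_in_inventory() {
  awk -v cn="/CN=$2" '$NF == cn { print $1 }' "$1/ca/inventory.txt"
}

# serial_decimal 0x009a -> 154, the form the "Revoked certificate" notice uses
serial_decimal() {
  echo $(( $1 ))
}

# --- constructed demo tree mirroring the question's state (not real files) ---
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/ca/signed" "$DEMO/ca/requests" "$DEMO/certs"
: > "$DEMO/ca/signed/slave1.example.com.pem"   # peer, still signed
: > "$DEMO/certs/slave2.example.com.pem"       # stale cached copy, not in ca/signed
cat > "$DEMO/ca/inventory.txt" <<'EOF'
0x0099 2014-01-01T00:00:00UTC 2019-01-01T00:00:00UTC /CN=slave1.example.com
0x009a 2014-01-01T00:00:00UTC 2019-01-01T00:00:00UTC /CN=slave2.example.com
EOF

echo "artifacts for slave2.example.com:"
list_cert_artifacts "$DEMO" slave2.example.com
for s in $(serials_in_inventory "$DEMO" slave2.example.com); do
  echo "inventory still maps $s (serial $(serial_decimal "$s")) to slave2.example.com"
done
```

Run it against /var/lib/puppet/ssl on the master. A count of 0 for the name is the only result that justifies expecting the next `puppet cert clean` to fail; a name that is gone from ca/signed but still present in inventory.txt is consistent with the repeated "Revoked certificate with serial 154" (0x009a) in the addendum.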
