New servers cannot retrieve their configuration from the Puppetmaster due to some SSL errors
Three machines in the production environment had some hardware issues and were decommissioned. The infrastructure team reinstalled them and gave them the same hostnames and IP addresses. The aim is to run Puppet on these systems so that they can be set up again.
Attempts
- The old Puppet certificate was removed from the Puppetmaster by issuing the following commands:
puppet cert revoke grb16.company.com
puppet cert clean grb16.company.com
- After removing the old certificate, a new certificate request was created by issuing the following command from one of the reinstalled nodes:
[root@grb16 ~]# puppet agent -t
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for grb16.company.com
Info: Certificate Request fingerprint (SHA256): 6F:2D:1D:71:67:18:99:86:2C:22:A1:14:80:55:34:35:FD:20:88:1F:36:ED:A7:7B:2A:12:09:4D:F8:EC:BF:6D
Exiting; no certificate found and waitforcert is disabled
[root@grb16 ~]#
- Once the certificate request was visible on the Puppetmaster, the following command was issued to sign it:
[root@foreman ~]# puppet cert sign grb16.company.com
Notice: Signed certificate request for grb16.company.com
Notice: Removing file Puppet::SSL::CertificateRequest grb16.company.com at '/var/lib/puppet/ssl/ca/requests/grb16.company.com.pem'
[root@foreman ~]#
Problem
After signing the certificate request and starting a Puppet run, the following error is raised:
[root@grb16 ~]# puppet agent -t
Info: Caching certificate for grb16.company.com
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Exiting; failed to retrieve certificate and waitforcert is disabled
[root@grb16 ~]#
A second Puppet run results in:
[root@grb16 ~]# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://foreman.company.com/pluginfacts: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Wrapped exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://foreman.company.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Wrapped exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
[root@grb16 ~]#
Analysis
To resolve the issue, the error message was investigated, and it looked like the problem was related to SSL or Puppet. Perhaps one of the packages had been installed incorrectly, or a wrong version had been installed on the reinstalled node.
Puppet
[root@grb16 ~]# yum list installed |grep puppet
facter.x86_64                1:2.3.0-1.el6    @puppetlabs_6_products
hiera.noarch                 1.3.4-1.el6      @puppetlabs_6_products
puppet.noarch                3.7.3-1.el6      @puppetlabs_6_products
puppetlabs-release.noarch    6-11             @puppetlabs_6_products
ruby-augeas.x86_64           0.4.1-3.el6      @puppetlabs_6_deps
ruby-shadow.x86_64           1:2.2.0-2.el6    @puppetlabs_6_deps
rubygem-json.x86_64          1.5.5-3.el6      @puppetlabs_6_deps
SSL
[root@grb16 ~]# yum list installed |grep ssl
nss_compat_ossl.x86_64       0.9.6-1.el6          @anaconda-CentOS-201410241409.x86_64/6.6
openssl.x86_64               1.0.1e-30.el6_6.4
openssl-devel.x86_64         1.0.1e-30.el6_6.4
[root@grb16 ~]#
No differences were found between the SSL and Puppet packages installed on the different servers. Systems that have not been decommissioned or reinstalled are still able to run Puppet. The issue is limited to the reinstalled servers. Note that Puppet has not yet been run on the other two reinstalled servers. What is causing this issue and how can it be solved?
Short answer
The issue
CRL is not yet valid for
indicates that the time between the Puppet agent and the Puppetmaster is out of sync. Synchronize the time (NTP). Remove the certificates from both the Puppet agent and the Puppetmaster and run Puppet on the agent.
Comprehensive answer
CRL is not yet valid for
resides in the following code snippet. The following test snippet describes what causes the issue:
it 'includes the CRL issuer in the verify error message' do
  crl = OpenSSL::X509::CRL.new
  crl.issuer = OpenSSL::X509::Name.new([['CN', 'Puppet CA: puppetmaster.example.com']])
  crl.last_update = Time.now + 24 * 60 * 60
  ssl_context.stubs(:current_crl).returns(crl)
  subject.call(false, ssl_context)
  expect(subject.verify_errors).to eq(["CRL is not yet valid for /CN=Puppet CA: puppetmaster.example.com"])
end
ssl_context
let(:ssl_context) do
  mock('OpenSSL::X509::StoreContext')
end
subject
subject do
  described_class.new(ssl_configuration, ssl_host)
end
The code includes snippets from the OpenSSL::X509::CRL class.
issuer=(p1)
static VALUE
ossl_x509crl_set_issuer(VALUE self, VALUE issuer)
{
    X509_CRL *crl;

    GetX509CRL(self, crl);
    if (!X509_CRL_set_issuer_name(crl, GetX509NamePtr(issuer))) { /* DUPs name */
        ossl_raise(eX509CRLError, NULL);
    }
    return issuer;
}
last_update=(p1)
static VALUE
ossl_x509crl_set_last_update(VALUE self, VALUE time)
{
    X509_CRL *crl;
    time_t sec;

    sec = time_to_time_t(time);
    GetX509CRL(self, crl);
    if (!X509_time_adj(crl->crl->lastUpdate, 0, &sec)) {
        ossl_raise(eX509CRLError, NULL);
    }
    return time;
}
The last_update time will be the current time plus an extra day and is passed to the subject, which calls the call function located in the DefaultValidator class.
class Puppet::SSL::Validator::DefaultValidator #< class Puppet::SSL::Validator
  attr_reader :peer_certs
  attr_reader :verify_errors
  attr_reader :ssl_configuration

  FIVE_MINUTES_AS_SECONDS = 5 * 60

  def initialize(
    ssl_configuration = Puppet::SSL::Configuration.new(
      Puppet[:localcacert], {
        :ca_auth_file => Puppet[:ssl_client_ca_auth]
      }),
    ssl_host = Puppet::SSL::Host.localhost)
    reset!
    @ssl_configuration = ssl_configuration
    @ssl_host = ssl_host
  end

  def call(preverify_ok, store_context)
    if preverify_ok
      ...
    else
      ...
      crl = store_context.current_crl
      if crl
        if crl.last_update && crl.last_update < Time.now + FIVE_MINUTES_AS_SECONDS
          ...
        else
          @verify_errors << "#{error_string} for #{crl.issuer}"
        end
        ...
      end
    end
  end
end
If preverify_ok is false, the else clause applies. As a result,
if crl.last_update && crl.last_update < Time.now + FIVE_MINUTES_AS_SECONDS
is false, because the time has been stubbed with an extra day, so the else branch applies and
@verify_errors << "#{error_string} for #{crl.issuer}"
evaluates to
CRL is not yet valid for /CN=Puppet CA: puppetmaster.example.com
To solve the issue:
- Synchronize the time between the Puppet agent and the Puppetmaster. Is an NTP server running (properly) on both nodes?
- Remove or rename the complete ssl folder ( /var/lib/puppet/ssl ) on the agent.
- Revoke the certificate from the master by issuing
sudo puppet cert clean <fqdn-puppet-agent>
- Sign the certificate if autosign is disabled
- Run puppet on the agent
In conclusion, the time on the Puppet agents and the Puppetmaster should always be in sync. A deviation exceeding the maximum allowed of 5 minutes will cause issues.
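To make the five-minute window concrete, here is an added Ruby example (not code from the question, the answer or Puppet itself) that builds a CRL with OpenSSL::X509::CRL, exactly as the spec above does, and replays the validator's comparison for several clock offsets between agent and CA. The names build_crl and crl_verify_error are chosen for this example and the issuer CN is a placeholder.

```ruby
require 'openssl'

# Maximum clock skew the Puppet validator tolerates (same constant as in DefaultValidator).
FIVE_MINUTES_AS_SECONDS = 5 * 60

# Build an (unsigned) CRL whose lastUpdate lies `skew_seconds` ahead of `now`, i.e. the
# CA's clock is that far ahead of the agent's. Constructed for this example; the issuer
# name is a placeholder, not a real CA.
def build_crl(now, skew_seconds, issuer_cn = 'Puppet CA: puppetmaster.example.com')
  crl = OpenSSL::X509::CRL.new
  crl.issuer = OpenSSL::X509::Name.new([['CN', issuer_cn]])
  crl.last_update = now + skew_seconds
  crl.next_update = now + skew_seconds + 24 * 60 * 60
  crl
end

# Replay the validator's decision for a CRL seen by an agent whose clock reads `now`.
# Returns nil when the CRL would be accepted, otherwise the error string the agent logs.
# Note that crl.issuer is interpolated with to_s, which yields the "/CN=..." form.
def crl_verify_error(crl, now = Time.now)
  if crl.last_update && crl.last_update < now + FIVE_MINUTES_AS_SECONDS
    nil
  else
    "CRL is not yet valid for #{crl.issuer}"
  end
end

if __FILE__ == $0
  now = Time.now
  # 0 s and 4 min of skew are tolerated; 6 min and one day (the spec's case) are rejected.
  [0, 4 * 60, 6 * 60, 24 * 60 * 60].each do |skew|
    err = crl_verify_error(build_crl(now, skew), now)
    puts "CA clock ahead by #{skew}s: #{err || 'CRL accepted'}"
  end
end
```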