Ssl

New servers cannot fetch their configuration from the Puppetmaster due to some ssl errors

  • May 8, 2018

Three machines in the production environment had some hardware problems and were decommissioned. The infrastructure team reinstalled them and gave them the same hostnames and IP addresses. The aim is to run Puppet on these systems so that they can be provisioned again.


Attempts

  1. Removed the old Puppet certificate from the Puppetmaster by issuing the following commands:
puppet cert revoke grb16.company.com
puppet cert clean grb16.company.com
  2. After removing the old certificate, created a new certificate request by issuing the following command from one of the reinstalled nodes:
[root@grb16 ~]# puppet agent -t
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for grb16.company.com
Info: Certificate Request fingerprint (SHA256): 6F:2D:1D:71:67:18:99:86:2C:22:A1:14:80:55:34:35:FD:20:88:1F:36:ED:A7:7B:2A:12:09:4D:F8:EC:BF:6D
Exiting; no certificate found and waitforcert is disabled
[root@grb16 ~]#
  3. Once the certificate request was visible on the Puppetmaster, issued the following command to sign the certificate request:
[root@foreman ~]# puppet cert sign grb16.company.com
Notice: Signed certificate request for grb16.company.com
Notice: Removing file Puppet::SSL::CertificateRequest grb16.company.com at '/var/lib/puppet/ssl/ca/requests/grb16.company.com.pem'
[root@foreman ~]#

Problem

After signing the certificate request and starting a Puppet run, the following error is raised:

[root@grb16 ~]# puppet agent -t
Info: Caching certificate for grb16.company.com
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Exiting; failed to retrieve certificate and waitforcert is disabled
[root@grb16 ~]# 

A second Puppet run results in:

[root@grb16 ~]# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://foreman.company.com/pluginfacts: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Wrapped exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://foreman.company.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Wrapped exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
[root@grb16 ~]# 

Analysis

To solve this problem, the error message was investigated, and the issue looks related to SSL or Puppet. Perhaps one of the packages was installed incorrectly, or a wrong version was installed on the reinstalled node.

Puppet

[root@grb16 ~]# yum list installed |grep puppet
facter.x86_64          1:2.3.0-1.el6    @puppetlabs_6_products                  
hiera.noarch           1.3.4-1.el6      @puppetlabs_6_products                  
puppet.noarch          3.7.3-1.el6      @puppetlabs_6_products                  
puppetlabs-release.noarch
                      6-11             @puppetlabs_6_products                  
ruby-augeas.x86_64     0.4.1-3.el6      @puppetlabs_6_deps                      
ruby-shadow.x86_64     1:2.2.0-2.el6    @puppetlabs_6_deps                      
rubygem-json.x86_64    1.5.5-3.el6      @puppetlabs_6_deps  

SSL

[root@grb16 ~]# yum list installed |grep ssl
nss_compat_ossl.x86_64 0.9.6-1.el6      @anaconda-CentOS-201410241409.x86_64/6.6
openssl.x86_64         1.0.1e-30.el6_6.4
openssl-devel.x86_64   1.0.1e-30.el6_6.4
[root@grb16 ~]# 

No differences were found between the SSL and Puppet packages installed on the different servers. The systems that have not been decommissioned and reinstalled are still able to run Puppet. The issue is confined to the reinstalled servers. Note that Puppet has not yet been run on the other two reinstalled servers. What causes this issue, and how can it be solved?

Short answer

The CRL is not yet valid for in the issue indicates that the time on the Puppet agent and the Puppetmaster is out of sync. Synchronize the time (NTP). Remove the certificates from both the Puppet agent and the Puppetmaster, and run Puppet on the agent.


Full answer

CRL is not yet valid for is located in the following code section.

The following test snippet describes what causes the issue:

it 'includes the CRL issuer in the verify error message' do
 crl = OpenSSL::X509::CRL.new
 crl.issuer = OpenSSL::X509::Name.new([['CN','Puppet CA: puppetmaster.example.com']])
 crl.last_update = Time.now + 24 * 60 * 60
 ssl_context.stubs(:current_crl).returns(crl)

 subject.call(false, ssl_context)
 expect(subject.verify_errors).to eq(["CRL is not yet valid for /CN=Puppet CA: puppetmaster.example.com"])
end

ssl_context

let(:ssl_context) do
 mock('OpenSSL::X509::StoreContext')
end

subject

subject do
 described_class.new(ssl_configuration,
 ssl_host)
end

The code includes snippets from the OpenSSL::X509::CRL class.

issuer=(p1)

static VALUE
ossl_x509crl_set_issuer(VALUE self, VALUE issuer)
{
   X509_CRL *crl;

   GetX509CRL(self, crl);

   if (!X509_CRL_set_issuer_name(crl, GetX509NamePtr(issuer))) { /* DUPs name */
       ossl_raise(eX509CRLError, NULL);
   }
   return issuer;
}

last_update=(p1)

static VALUE
ossl_x509crl_set_last_update(VALUE self, VALUE time)
{
   X509_CRL *crl;
   time_t sec;

   sec = time_to_time_t(time);
   GetX509CRL(self, crl);
   if (!X509_time_adj(crl->crl->lastUpdate, 0, &sec)) {
       ossl_raise(eX509CRLError, NULL);
   }

   return time;
}

The last_update time will be the current time plus one extra day, and it is passed to the subject's call function, which lives in the default_validator class.

class Puppet::SSL::Validator::DefaultValidator #< class Puppet::SSL::Validator
 attr_reader :peer_certs
 attr_reader :verify_errors
 attr_reader :ssl_configuration

 FIVE_MINUTES_AS_SECONDS = 5 * 60

 def initialize(
   ssl_configuration = Puppet::SSL::Configuration.new(
   Puppet[:localcacert], {
     :ca_auth_file => Puppet[:ssl_client_ca_auth]
   }),

   ssl_host = Puppet::SSL::Host.localhost)
   reset!
   @ssl_configuration = ssl_configuration
   @ssl_host = ssl_host
 end

 def call(preverify_ok, store_context)
   if preverify_ok
     ...
   else
     ...
     crl = store_context.current_crl
     if crl
       if crl.last_update && crl.last_update < Time.now + FIVE_MINUTES_AS_SECONDS
         ...
       else
         @verify_errors << "#{error_string} for #{crl.issuer}"
       end
       ...
     end
   end
 end

If preverify_ok is false, the else clause applies. The result of if crl.last_update && crl.last_update < Time.now + FIVE_MINUTES_AS_SECONDS is false, because the time has been stubbed with an extra day, so the else branch applies. The result in @verify_errors << "#{error_string} for #{crl.issuer}" evaluates to CRL is not yet valid for /CN=Puppet CA: puppetmaster.example.com

To solve the issue:

  1. Synchronize the time between the Puppet agent and the Puppetmaster. Is an NTP server running (properly) on both nodes?
  2. Remove or rename the complete ssl folder ( /var/lib/puppet/ssl ) on the agent.
  3. Revoke the certificate from the master by issuing sudo puppet cert clean <fqdn-puppet-agent>
  4. Sign the certificate if autosign is disabled
  5. Run puppet on the agent

In summary, the time on the Puppet agents and the Puppetmaster should always be in sync. Exceeding the maximum allowed deviation of 5 minutes will cause problems.
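As an added illustration (not code from the Server Fault thread or from Puppet itself), the following Ruby script reproduces the agent-side CRL freshness check in isolation: it builds a CRL with OpenSSL the way the spec above does and shows that an agent clock more than five minutes behind the CA's lastUpdate yields exactly the verify error seen in the question, while skew inside the tolerance passes. The issuer CN and the clock offsets are constructed sample values, and only the CRL branch of the validator is modelled.

```ruby
require 'openssl'

# Same tolerance as Puppet::SSL::Validator::DefaultValidator.
FIVE_MINUTES_AS_SECONDS = 5 * 60

# Build a CRL the way the Puppet spec does: `issued_at` is the CA's clock
# at the moment it produced the CRL, stored as the lastUpdate field.
def build_crl(issuer_cn, issued_at)
  crl = OpenSSL::X509::CRL.new
  crl.issuer = OpenSSL::X509::Name.new([['CN', issuer_cn]])
  crl.last_update = issued_at
  crl
end

# Stand-in for the CRL branch of DefaultValidator#call (hypothetical helper,
# not Puppet's API): the CRL's lastUpdate may be at most five minutes ahead
# of the agent's own clock (`agent_now`). Returns the verify error string
# Puppet records, or nil when the CRL is acceptable.
def crl_verify_error(crl, agent_now)
  if crl.last_update && crl.last_update < agent_now + FIVE_MINUTES_AS_SECONDS
    nil
  else
    # Name#to_s without a format argument gives the "/CN=..." form seen in
    # the error output above.
    "CRL is not yet valid for #{crl.issuer}"
  end
end

if __FILE__ == $0
  master_now = Time.now
  crl = build_crl('Puppet CA: foreman.example.com', master_now)
  # Agent clock one day behind the master: the failure from the question.
  p crl_verify_error(crl, master_now - 24 * 60 * 60)
  # Agent clock two minutes behind: inside the tolerance, no error.
  p crl_verify_error(crl, master_now - 120)
end
```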

Source: https://serverfault.com/questions/655090