PuppetDB: Failed to submit 'replace facts' command
I recently revoked/cleaned a Puppet agent certificate, and this seems to have had a negative effect on PuppetDB. I see a bug has already been filed here that includes some instructions for resolving the problem. A user here ran into a similar issue, but none of this worked for me.

The server runs CentOS 6.2, Puppet 2.7.13 and PuppetDB 0.9. The error is:

```
root@harp:/etc/puppetdb/ssl> puppet agent --test
err: Cached facts for harp failed: Failed to find facts from PuppetDB at harp.mydomain.com:8081: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client
info: Loading facts in /etc/puppet/modules/dns/lib/facter/datacenter.rb
info: Caching facts for harp
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client
err: Could not run Puppet configuration client: Could not retrieve local facts: Failed to submit 'replace facts' command for harp to PuppetDB at harp.mydomain.com:8081: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client
```

From what I can see, NTP is working fine and the date/time looks right. "harp" is actually the puppet master, so time between the agent and the master should not be an issue, since they are the same machine.
Old certificate:

```
root@harp:/etc/puppetdb/ssl> puppet cert list --all
+ harp (DF:8F:65:36:58:4C:DE:66:2B:65:D1:E6:18:B7:F2:33)
```
Clean and generate a new certificate for the agent:

```
root@harp:/etc/puppetdb/ssl> puppet cert clean harp
notice: Revoked certificate with serial 18
notice: Removing file Puppet::SSL::Certificate harp at '/var/lib/puppet/ssl/ca/signed/harp.pem'
notice: Removing file Puppet::SSL::Certificate harp at '/var/lib/puppet/ssl/certs/harp.pem'
notice: Removing file Puppet::SSL::CertificateRequest harp at '/var/lib/puppet/ssl/certificate_requests/harp.pem'
notice: Removing file Puppet::SSL::Key harp at '/var/lib/puppet/ssl/private_keys/harp.pem'
root@harp:/etc/puppetdb/ssl> puppet agent --test
info: Creating a new SSL key for harp
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for harp
info: Certificate Request fingerprint (md5): 72:5E:99:6A:DE:B0:76:BD:1A:7D:FD:DC:A9:E8:71:AD
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled
root@harp:/etc/puppetdb/ssl> puppet cert list
  harp (72:5E:99:6A:DE:B0:76:BD:1A:7D:FD:DC:A9:E8:71:AD)
root@harp:/etc/puppetdb/ssl> puppet cert sign harp
notice: Signed certificate request for harp
notice: Removing file Puppet::SSL::CertificateRequest harp at '/var/lib/puppet/ssl/ca/requests/harp.pem'
root@harp:/etc/puppetdb/ssl> puppet cert list --all
+ harp (4A:D4:90:87:15:1B:D3:FD:A8:15:D9:C0:FB:08:5C:79)
root@harp:/etc/puppetdb/ssl> service puppetdb restart
Stopping puppetdb: /etc/init.d/puppetdb: line 77: kill: (8623) - No such process
                                                           [FAILED]
Starting puppetdb:                                         [  OK  ]
```
OK, then restart once more for good measure:

```
root@harp:/etc/puppetdb/ssl> service puppetdb restart
Stopping puppetdb:                                         [  OK  ]
Starting puppetdb:                                         [  OK  ]
```
Run the SSL setup script:

```
root@harp:/etc/puppetdb/ssl> /usr/sbin/puppetdb-ssl-setup
cp: cannot stat `/var/lib/puppet/ssl/certs/harp.pem': No such file or directory
root@harp:/etc/puppetdb/ssl> ls -la /var/lib/puppet/ssl/certs
total 12
drwxr-xr-x 2 puppet root 4096 Jun 19 07:19 ./
drwxrwx--x 8 puppet root 4096 Apr 24 10:04 ../
-rw-r--r-- 1 puppet root 1854 Apr 24 10:04 ca.pem
```
OK, then try once more for good measure:

```
root@harp:/etc/puppetdb/ssl> /usr/sbin/puppetdb-ssl-setup
Certificate was added to keystore
Usage: pkcs12 [options]
where options are
-export       output PKCS12 file
-chain        add certificate chain
-inkey file   private key if not infile
-certfile f   add all certs in f
-CApath arg   - PEM format directory of CA's
-CAfile arg   - PEM format file of CA's
-name "name"  use name as friendly name
-caname "nm"  use nm as CA friendly name (can be used more than once).
-in  infile   input filename
...snip...
-CSP name     Microsoft CSP name
-LMK          Add local machine keyset attribute to private key
```
The keystores in /etc/puppetdb/ssl do not appear to have been changed/regenerated. Running

```
puppet agent --test
```

at this point gives the same error, and restarting puppet and puppetdb does not help either. Keystore info:

```
root@harp:/etc/puppetdb/ssl> keytool -list -keystore /etc/puppetdb/ssl/keystore.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

harp.mydomain.com, May 25, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): 06:A8:D3:2A:70:F3:6D:34:62:91:45:22:8A:C4:A8:86
root@harp:/etc/puppetdb/ssl> keytool -list -keystore /etc/puppetdb/ssl/truststore.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

puppetdb ca, May 25, 2012, trustedCertEntry,
Certificate fingerprint (MD5): 13:AD:D8:BC:42:40:47:BB:D2:5C:ED:3C:D1:78:26:88
root@harp:/etc/puppetdb/ssl> puppet cert --fingerprint ca harp.mydomain.com
ca 13:AD:D8:BC:42:40:47:BB:D2:5C:ED:3C:D1:78:26:88
err: Could not call fingerprint: Could not find a certificate or csr for harp.mydomain.com
root@harp:/etc/puppetdb/ssl> puppet cert --fingerprint ca harp
ca 13:AD:D8:BC:42:40:47:BB:D2:5C:ED:3C:D1:78:26:88
harp 4A:D4:90:87:15:1B:D3:FD:A8:15:D9:C0:FB:08:5C:79
```

How do I get the puppetdb keystores to actually regenerate? I tried deleting the files in /etc/puppetdb/ssl/, but no luck.
I got it working, but I can't say exactly which steps were necessary.

This problem came about because authentication on several hosts was slow or hanging, which appeared to be related to a domain controller / DNS caching issue. Removing the `domain mydomain.com` entry from /etc/resolv.conf on the puppet master and the agents fixed that, but it caused problems with the existing puppet certificates. I ran `puppet cert clean --all` on the master to try to recreate all the certificates, but that did not play nicely with PuppetDB.

Solution
Clear the old certificates on the master:

```
puppet cert clean --all
```

Clear the old certificates on all agents:

```
rm -rf /var/lib/puppet/ssl
```
Recreate the PuppetDB keystores:

`facter fqdn` is unavailable after `domain foo.com` is removed from /etc/resolv.conf. This causes `puppetdb-ssl-setup` to fail silently. Edit /usr/sbin/puppetdb-ssl-setup and add a section that falls back to `facter hostname` if `facter fqdn` is empty:

```sh
# near line 10
fqdn=`facter fqdn`
# add this "if" section
if [ ! -n "$fqdn" ] ; then
    fqdn=`facter hostname`
fi
```
Fix permissions:

```
chown -R puppetdb:puppetdb /etc/puppetdb/ssl
```

Update the passwords in /etc/puppetdb/conf.d/jetty.ini with the new keystore/truststore password (they are the same password), which you can get from:

```
cat /etc/puppetdb/ssl/puppetdb_keystore_pw.txt
```

Restart puppetdb:

```
service puppetdb restart
```

Then go to each agent, request a new certificate, and sign it on the master.
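The following is an added example, not code from the original question or answer and not part of PuppetDB. It wraps the three steps of the answer that went wrong in the question into checkable shell functions: the `facter fqdn` to `facter hostname` fallback, a pre-check that the agent's signed certificate, private key and CA certificate actually exist before `puppetdb-ssl-setup` is run (the first run in the question failed on `cp` of a missing `certs/harp.pem` and then fell through to the `openssl pkcs12` usage text), and rewriting `key-password` / `trust-password` in jetty.ini from the password file. The function names, the `[ \t]` regexes, and the assumption that jetty.ini uses exactly those two key names are mine; the paths in the usage comment are the ones the answer gives.

```shell
#!/bin/sh
# Added example (not from the original post or the PuppetDB project).
# Assumptions: jetty.ini carries `key-password` and `trust-password` lines;
# the password file is the puppetdb_keystore_pw.txt written by puppetdb-ssl-setup.

# Name to use for the node's certificate: the `facter fqdn` value when it is
# non-empty, otherwise the `facter hostname` value (the fallback the answer
# patches into puppetdb-ssl-setup). Both values are passed in as arguments so
# the function can be exercised without facter installed.
node_name() {
    fqdn="$1"
    short="$2"
    if [ -n "$fqdn" ]; then
        printf '%s\n' "$fqdn"
    else
        printf '%s\n' "$short"
    fi
}

# Return 0 only if the three PEM files puppetdb-ssl-setup copies from the
# Puppet ssldir are readable; print the first missing path to stderr otherwise.
ssl_inputs_present() {
    ssldir="$1"
    name="$2"
    for f in "$ssldir/certs/$name.pem" \
             "$ssldir/private_keys/$name.pem" \
             "$ssldir/certs/ca.pem"; do
        if [ ! -r "$f" ]; then
            echo "missing: $f" >&2
            return 1
        fi
    done
    return 0
}

# Replace the key-password and trust-password values in an ini file with the
# first line of pwfile. awk -v is used rather than a sed substitution so that a
# password containing '&', '/' or '|' is written literally; every other line
# is copied unchanged. The rewrite goes through a temp file so a failure
# leaves the original ini intact.
update_jetty_passwords() {
    ini="$1"
    pwfile="$2"
    pw=$(head -n 1 "$pwfile")
    if [ -z "$pw" ]; then
        echo "empty password file: $pwfile" >&2
        return 1
    fi
    tmp="$ini.tmp.$$"
    awk -v pw="$pw" '
        /^[ \t]*key-password[ \t]*=/   { print "key-password = " pw;   next }
        /^[ \t]*trust-password[ \t]*=/ { print "trust-password = " pw; next }
        { print }
    ' "$ini" > "$tmp" && mv "$tmp" "$ini"
}

# Usage on the master, with the paths from the answer (run as root):
#   name=$(node_name "$(facter fqdn)" "$(facter hostname)")
#   ssl_inputs_present /var/lib/puppet/ssl "$name" && /usr/sbin/puppetdb-ssl-setup
#   chown -R puppetdb:puppetdb /etc/puppetdb/ssl
#   update_jetty_passwords /etc/puppetdb/conf.d/jetty.ini \
#       /etc/puppetdb/ssl/puppetdb_keystore_pw.txt
#   service puppetdb restart
```

The pre-check is the part worth keeping: in the question the keystore still held the certificate from May 25 with fingerprint 06:A8:... while the freshly signed cert was 4A:D4:..., because the setup script never got past the missing `certs/harp.pem`. Running `ssl_inputs_present` first, and only then `puppetdb-ssl-setup`, turns that silent fall-through into an explicit failure.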