mor*_*eyc 1 openssl puppet puppetmaster puppet-agent
I have installed the Puppet server and agent, and accepted the initial agent request on the server with sudo /opt/puppetlabs/bin/puppetserver ca sign --certname mywindowshost
I can see the certificate placed at the path below, and it exists both in the server's root CA and in the agent's certificates:
C:\Windows\system32>puppet agent --configprint localcacert
C:/ProgramData/PuppetLabs/puppet/etc/ssl/certs/ca.pem
However, running the following command on the agent to test it, I get the following result:
C:\Windows\system32>puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
Info: Retrieving pluginfacts
Error: /File[C:/ProgramData/PuppetLabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
Error: /File[C:/ProgramData/PuppetLabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
Info: Retrieving plugin
Error: /File[C:/ProgramData/PuppetLabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
Error: /File[C:/ProgramData/PuppetLabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.mydomain.com]
If I browse from the agent machine to the CA certificate at https://puppet.mydomain.com:8140/puppet-ca/v1/certificate/ca in a web browser, I am able to see the certificate.
On the client, C:\ProgramData\PuppetLabs\puppet\etc\puppet.conf shows the following:
[main]
server=puppet.mydomain.com
autoflush=true
manage_internal_file_permissions=false
On the server, /etc/puppetlabs/puppet/puppet.conf is as shown below:
[master]
dns_alt_names = puppet.mydomain.com,puppet-svr1
vardir = /opt/puppetlabs/server/data/puppetserver
logdir = /var/log/puppetlabs/puppetserver
rundir = /var/run/puppetlabs/puppetserver
pidfile = /var/run/puppetlabs/puppetserver/puppetserver.pid
codedir = /etc/puppetlabs/code
[main]
certname = puppet.mydomain.com
server = puppet.mydomain.com
environment = production
runinterval = 15m
On the server the signed certificates can be seen:
admin@puppet-svr1:/etc/puppetlabs/puppet$ sudo /opt/puppetlabs/bin/puppetserver ca list --all
Signed Certificates:
home (SHA256) 5E:2D:70:03:B1:A4:81:50:ED:A7:10:88:FD:8E:D0:A6:85:0D:27:D9:A0:65:86:2D:D5:C6:08:B3:C9:4D:37:90
puppet.mydomain.com (SHA256) 4A:14:F1:FB:5D:23:AC:D9:D8:A3:EA:D7:F0:68:B2:7D:9C:46:4D:77:68:F7:E9:5A:3B:61:07:24:3F:20:6B:B3 alt names: ["DNS:puppet.mydomain.com", "DNS:puppet-svr1", "DNS:puppet.mydomain.com"]
All DNS is resolving, both from the server itself (resolving to itself via its IP address) and from the agent.
The time on the agent and the server matches and is synchronized.
I have also followed the CA reset procedure and got exactly the same error: https://puppet.com/docs/puppet/6.4/ssl_regenerate_certificates.html
I noticed that the certificate served at https://puppet.mydomain.com:8140/puppet-ca/v1/certificate/ca contains two certificates (one stacked on top of the other), whereas the certificate placed in the agent's directory, C:/ProgramData/PuppetLabs/puppet/etc/ssl/certs/ca.pem, contains only one of them (the one between the topmost -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----).
Update, potential issue found: I am now running with certificate_revocation = false and the full chain certificate from https://puppet.mydomain.com:8140/puppet-ca/v1/certificate/ca
I believe I have found the issue. Testing the agent's issued certificate against the automatically downloaded CA (only one CA), I get the following:
C:\ProgramData\PuppetLabs\puppet\etc\ssl\certs>openssl verify -CAfile ca.pem home-hv1.pem
home-hv1.pem: CN = Puppet CA: puppet.mydomain.com
error 2 at 1 depth lookup:unable to get issuer certificate
I then replaced ca.pem with chain.ca (the one above with two certificates) and re-ran:
C:\ProgramData\PuppetLabs\puppet\etc\ssl\certs>openssl verify -CAfile ca.pem home-hv1.pem
home-hv1.pem: OK
However, when running the test it complains that there is no CRL (and indeed I can see no CRL URL mentioned in the generated certificate):
C:\ProgramData\PuppetLabs\puppet\etc\ssl\certs>puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=Puppet CA: puppet.mydomain.com]
Updating puppet.conf on the agent to:
[main]
server=puppet.mydomain.com
autoflush=true
manage_internal_file_permissions=false
certificate_revocation = false
and restarting the service then allows it to run:
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Retrieving locales
Info: Caching catalog for home-hv1
Info: Applying configuration version '1559933691'
I don't like running without a CRL, but why was no CRL provided in the first place?
Have I missed a step or done something wrong, or is this a bug?
Do you have any other ideas of what I could check to get this working out of the box?
I think that in some versions of puppetserver (or perhaps when the CA is initialised with puppetserver ca setup), your CA is created with an intermediate certificate in the chain, but when the client certificate is signed, /etc/puppetlabs/puppet/ssl/certs/ca.pem on the client does not contain that intermediate certificate, so you get an error such as:
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.example.com]
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get issuer certificate for /CN=Puppet CA: puppet.example.com]
or, even after things start working, the certificate revocation list still fails:
Error: Could not request certificate: Request to https://puppet.example.com:8140//puppet-ca/v1/certificate/k8s-3813-kam1 failed: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=Puppet CA: puppet.example.com]
A simple fix is to download the full CA public key and overwrite the incorrect chain on the client. Assuming puppet.example.com is your master:
sudo wget --no-check-certificate https://puppet.example.com:8140/puppet-ca/v1/certificate/ca -O /etc/puppetlabs/puppet/ssl/certs/ca.pem
sudo puppet agent --test --certificate_revocation=false
# or you can add the following to your /etc/puppetlabs/puppet/puppet.conf
[main]
certificate_revocation = false
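The diagnosis in both the question and the answer comes down to one check: does the agent's local ca.pem carry every certificate that the master serves at /puppet-ca/v1/certificate/ca, or only the top one? The script below is an added example (not code from the original post and not part of Puppet) that performs that comparison offline. It splits each PEM bundle into its certificate blocks, fingerprints each one with SHA256 in the same colon-separated form that puppetserver ca list prints, and reports which certificates the agent is missing. The function names (parse_pem_certs, fingerprint, compare_bundles) and the PEM inputs are my own; the PEM blocks are constructed stand-ins, not real certificates, so in practice you would read AGENT_CA_PEM from the agent's ca.pem and SERVED_CHAIN_PEM from the CA endpoint.

```python
"""Compare a Puppet agent's ca.pem with the CA chain served by the master.

Added example, not from the original post or from Puppet. Stdlib only.
"""
import base64
import hashlib
import re
import textwrap
from typing import Dict, List

# One PEM certificate block; re.S lets the body span lines.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def parse_pem_certs(pem_text: str) -> List[bytes]:
    """Return the DER bytes of every certificate block in a PEM bundle, in order."""
    ders = []
    for body in _PEM_BLOCK.findall(pem_text):
        b64 = "".join(body.split())  # drop the line breaks inside the block
        ders.append(base64.b64decode(b64, validate=True))
    return ders


def fingerprint(der: bytes) -> str:
    """SHA256 fingerprint in the AA:BB:... form used by `puppetserver ca list`."""
    digest = hashlib.sha256(der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def compare_bundles(agent_pem: str, served_pem: str) -> Dict[str, object]:
    """Compare the agent's local ca.pem with the chain served by the CA endpoint.

    Returns the certificate count on each side and the fingerprints of the
    certificates the agent lacks. An empty missing list means a truncated
    ca.pem is not the cause of 'unable to get issuer certificate'.
    """
    local = [fingerprint(d) for d in parse_pem_certs(agent_pem)]
    served = [fingerprint(d) for d in parse_pem_certs(served_pem)]
    missing = [fp for fp in served if fp not in local]
    return {
        "agent_cert_count": len(local),
        "served_cert_count": len(served),
        "missing_fingerprints": missing,
        "chain_complete": not missing,
    }


def _make_pem(der: bytes) -> str:
    """Wrap bytes as a PEM certificate block (constructed test data only)."""
    body = textwrap.fill(base64.b64encode(der).decode("ascii"), 64)
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed stand-ins for the two certificates the master serves. In a real
# check, AGENT_CA_PEM is the contents of
# C:/ProgramData/PuppetLabs/puppet/etc/ssl/certs/ca.pem and SERVED_CHAIN_PEM is
# the response from https://<server>:8140/puppet-ca/v1/certificate/ca.
INTERMEDIATE_DER = b"constructed DER stand-in: Puppet CA: puppet.mydomain.com (intermediate)"
ROOT_DER = b"constructed DER stand-in: Puppet root CA"

SERVED_CHAIN_PEM = _make_pem(INTERMEDIATE_DER) + _make_pem(ROOT_DER)  # two stacked certs
AGENT_CA_PEM = _make_pem(INTERMEDIATE_DER)  # only the topmost block, as in the question


if __name__ == "__main__":
    result = compare_bundles(AGENT_CA_PEM, SERVED_CHAIN_PEM)
    print(f"agent ca.pem has {result['agent_cert_count']} cert(s); "
          f"master serves {result['served_cert_count']}")
    for fp in result["missing_fingerprints"]:
        print("missing from agent ca.pem:", fp)
```

When the missing list is non-empty, the agent cannot build a path from its own certificate to a trusted root, which is exactly the openssl verify "error 2 at 1 depth lookup" seen above; replacing ca.pem with the complete served bundle makes the list empty. The check says nothing about the CRL, which is a separate file and a separate failure.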