Puppet: certificate verification failed

Because of a failure, I have to regenerate the client & server certificates.

As far as I know, the master certificates are generated automatically.

So I generate the keys on the client:

MASTER # puppet cert clean --all
Notice: Revoked certificate with serial 2
Notice: Revoked certificate with serial 6
Notice: Removing file Puppet::SSL::Certificate puppet.x.com at '/var/lib/puppet/ssl/ca/signed/puppet.x.com.pem'
Notice: Removing file Puppet::SSL::Certificate puppet.x.com at '/var/lib/puppet/ssl/certs/puppet.x.com.pem'
Notice: Removing file Puppet::SSL::Key puppet.x.com at '/var/lib/puppet/ssl/private_keys/puppet.x.com.pem'
Notice: Removing file Puppet::SSL::Certificate efikamx-9ba3ab.x.com at '/var/lib/puppet/ssl/ca/signed/efikamx-9ba3ab.x.com.pem'
Notice: Removing file Puppet::SSL::Certificate efikamx-9ba3ab.x.com at '/var/lib/puppet/ssl/certs/efikamx-9ba3ab.x.com.pem'

puppet agent --no-daemonize  --onetime --verbose --waitforcert 60 
notice: Did not receive certificate
info: Caching certificate for efikamx-561a37.botnet.corp.flatturtle.com
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client
notice: Using cached catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client

MASTER # puppet cert sign --all
Notice: Signed certificate request for efikamx-9ba3ab.x.com
Notice: Removing file Puppet::SSL::CertificateRequest efikamx-9ba3ab.x.com at '/var/lib/puppet/ssl/ca/requests/efikamx-9ba3ab.x.com.pem'

CLIENT # puppet agent -t
info: Caching certificate for efikamx-9ba3ab.x.com
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client

Before you ask: yes, ntp is running and both clients have the correct time.

What is the correct way to clean out all the certificates on both ends and regenerate everything properly?

I ran:

find /var/lib/puppet -type f -print0 |xargs -0r rm

and

rm -rf /var/lib/puppet/ssl/*

on the client, but that did not help.

This is a mix of Puppet 2 and Puppet 3, by the way.

by Tuinslak 09.07.2013 / 01:09

1 answer

Apparently the problem was that Apache was still running (and therefore still had a puppet master spawned via Passenger).

MASTER /etc/apache2/sites-enabled # /etc/init.d/apache2 stop
[ ok ] Stopping web server: apache2 ... waiting .
MASTER /etc/apache2/sites-enabled # puppet cert clean --all
Notice: Revoked certificate with serial 2
Notice: Removing file Puppet::SSL::Certificate puppet.x at '/var/lib/puppet/ssl/ca/signed/puppet.x.pem'
Notice: Removing file Puppet::SSL::Certificate puppet.x at '/var/lib/puppet/ssl/certs/puppet.x.pem'
Notice: Removing file Puppet::SSL::Key puppet.x at '/var/lib/puppet/ssl/private_keys/puppet.x.pem'
MASTER /etc/apache2/sites-enabled # puppet master --no-daemonize --verbose
Info: Creating a new SSL key for puppet.x
Info: Creating a new SSL certificate request for puppet.x
Info: Certificate Request fingerprint (SHA256): DB:8C:2D:71:54:C4:B7:03:79:38:E2:26:94:51:12:89:6F:E0:24:AC:F2:16:C0:5A:7A:B6:7D:4F:DD:6C:98:0D
Notice: puppet.x has a waiting certificate request
Notice: Signed certificate request for puppet.x
Notice: Removing file Puppet::SSL::CertificateRequest puppet.x at '/var/lib/puppet/ssl/ca/requests/puppet.x.pem'
Notice: Removing file Puppet::SSL::CertificateRequest puppet.x at '/var/lib/puppet/ssl/certificate_requests/puppet.x.pem'
Notice: Starting Puppet master version 3.1.1
^CNotice: Caught INT; calling stop
MASTER /etc/apache2/sites-enabled # /etc/init.d/apache2 restart
[ ok ] Restarting web server: apache2.
MASTER /etc/apache2/sites-enabled # puppet cert sign --all
Notice: Signed certificate request for efikamx-561a37.x
Notice: Removing file Puppet::SSL::CertificateRequest efikamx-561a37.x at '/var/lib/puppet/ssl/ca/requests/efikamx-561a37.x.pem'

And now I can generate and sign the keys on the client correctly:

CLIENT ~ # rm -rf /var/lib/puppet/ssl/*
CLIENT ~ # puppet agent -t
info: Creating a new SSL key for efikamx-9ba3ab.x.com
info: Caching certificate for ca
info: Creating a new SSL certificate request for efikamx-9ba3ab.x.com
info: Certificate Request fingerprint (md5): 8C:9E:6E:95:B8:70:B9:A2:98:CB:A5:87:BC:66:33:A4
Exiting; no certificate found and waitforcert is disabled
CLIENT ~ # puppet agent --no-daemonize  --onetime --verbose --waitforcert 60
info: Caching certificate for efikamx-9ba3ab.x.com
info: Caching certificate_revocation_list for ca
info: Caching catalog for efikamx-9ba3ab.x.com
info: Applying configuration version '1373327419'
notice: /Stage[essential]/Efikamx-repository/File[/etc/apt/sources.list.d/multistrap-stable.list]/content: content changed '{md5}fbba0743add1cb9e54f7484b2c7a1f59' to '{md5}5941829a1b3a18b02f5bd6367e36e635'
[...]
by 09.07.2013 / 01:54
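The "certificate verify failed" in both transcripts is the agent rejecting a master certificate that no longer chains to the CA it has cached, which is exactly what a stale Passenger master serving the old CA produces. The following shell example is added here and is not part of the question, the answer or Puppet itself: it builds a constructed "old" and "regenerated" CA with openssl, signs an agent certificate with the new one, and shows how to check which CA an agent certificate actually chains to and how to compare CA fingerprints; the temp directory, file names and CA subject are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): diagnose a Puppet agent/CA mismatch.
# On a real agent the files live under /var/lib/puppet/ssl (ca.pem, certs/<fqdn>.pem).

# Return 0 if CERT_PEM ($2) was signed by the CA in CA_PEM ($1), non-zero otherwise.
verify_agent_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the SHA256 fingerprint of a certificate so the agent's cached ca.pem can be
# compared against the CA the master is actually serving.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed scenario in a temp dir: an old CA, a regenerated CA with the same name
# but a new key (as "puppet cert clean" followed by a fresh master produces), and an
# agent cert signed by the regenerated CA. Prints the directory path.
make_demo() {
    dir=$(mktemp -d)
    cat > "$dir/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = Puppet CA: puppet.x
[ca_ext]
basicConstraints = critical, CA:TRUE
EOF
    for ca in old new; do
        openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
            -keyout "$dir/$ca-ca.key" -out "$dir/$ca-ca.pem" >/dev/null 2>&1
    done
    openssl req -new -config "$dir/ca.cnf" -subj "/CN=efikamx-9ba3ab.x.com" -newkey rsa:2048 \
        -nodes -keyout "$dir/agent.key" -out "$dir/agent.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/agent.csr" -CA "$dir/new-ca.pem" -CAkey "$dir/new-ca.key" \
        -set_serial 1 -days 1 -out "$dir/agent.pem" >/dev/null 2>&1
    echo "$dir"
}

# Stand-alone run: the agent cert verifies only against the CA that issued it, even
# though both CAs carry the same subject name.
demo_dir=$(make_demo)
for ca in new old; do
    verify_agent_cert "$demo_dir/$ca-ca.pem" "$demo_dir/agent.pem" && r=OK || r=failed
    echo "$ca CA $(cert_fingerprint "$demo_dir/$ca-ca.pem"): certificate verify $r"
done
rm -rf "$demo_dir"
```

On a real host, run cert_fingerprint on the agent's ca.pem and on the master's ca/ca_crt.pem; differing fingerprints mean the agent's ssl directory must be wiped and the request re-signed, as the answer does.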