I am trying to connect my puppetmaster and my puppet client, and I keep running into certificate problems. I originally tried to use the puppetmaster's IP address (since we have no DNS set up), but now I think that when setting up a new machine I have to edit the hosts file to map puppet to its IP address.
So, once I do that, I still have problems. Some background: on the master, I tried a few times to get rid of the server certificate and recreate a new one. I think this caused the problem, because the log says it has been revoked. devtest is the puppet agent.
This is what happens when I try to test the agent:
[root@devtest puppet]# puppet agent --test --server puppet
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://puppet/pluginfacts: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Wrapped exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://puppet/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Wrapped exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Could not retrieve fact='ipaddress', resolution='<anonymous>': Could not execute 'host devtest': command not found
Could not retrieve fact='ipaddress', resolution='<anonymous>': Could not execute 'host devtest': command not found
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=servername.mydomain.com]
If I understand the first error correctly, it says that the certificate the master server presents for servername.mydomain.com has been revoked. (I have edited the log to remove the actual server name and domain.)
So I want the puppetmaster to present a new certificate. I went onto it and stopped the Apache service (so it would not keep the certificate in memory). Then I deleted the ssl folder and tried to regenerate the puppet certificates:
[ZachDev@mon puppet]$ sudo puppet master --verbose --no-daemonize
Info: Creating a new SSL key for ca
Info: Creating a new SSL certificate request for ca
Info: Certificate Request fingerprint (SHA256): 17:F7:19:23:E6:99:BD:DD:3D:E6:F1:DD:35:8A:A6:81:8D:96:7D:15:63:EC:51:21:65:96:D1:24:FA:97:1B:07
Notice: Signed certificate request for ca
Info: Creating a new certificate revocation list
Info: Creating a new SSL key for 10.128.119.155
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for 10.128.119.155
Info: Certificate Request fingerprint (SHA256): BE:C8:B9:FF:1F:7A:49:1F:4F:97:E4:37:A3:9E:12:19:6F:41:3B:DB:DE:CB:AA:03:D8:02:94:D1:68:49:13:9C
Notice: 10.128.119.155 has a waiting certificate request
Notice: Signed certificate request for 10.128.119.155
Notice: Removing file Puppet::SSL::CertificateRequest 10.128.119.155 at '/etc/puppet/ssl/ca/requests/10.128.119.155.pem'
Notice: Removing file Puppet::SSL::CertificateRequest 10.128.119.155 at '/etc/puppet/ssl/certificate_requests/10.128.119.155.pem'
Notice: Starting Puppet master version 3.6.2
^CNotice: Caught INT; calling stop
That worked. Now I restart Apache and get errors. systemctl status httpd.service does not say anything useful, but /var/log/httpd/puppet-server-example.com_ssl_error.log does:
[Fri Aug 01 18:48:49.383002 2014] [ssl:warn] [pid 25661] AH01906: RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Aug 01 18:48:49.383028 2014] [ssl:warn] [pid 25661] AH01909: RSA certificate configured for servername.mydomain.com:8140 does NOT include an ID which matches the server name
[Fri Aug 01 18:48:49.383044 2014] [ssl:emerg] [pid 25661] AH02238: Unable to configure RSA server private key
[Fri Aug 01 18:48:49.383071 2014] [ssl:emerg] [pid 25661] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
At this point I am just guessing at what the configuration settings should be. I assume some config file needs to change - the Apache config or the Puppet config - but right now I am not sure which certificate is the correct one. I have certificates in both /var/lib/puppet/ssl and /etc/puppet/ssl.
Answer 0 (score: 4)
There are multiple problems with your setup. You do need the hosts file or dnsmasq.
First, make sure the master uses the correct name. Add this to /etc/puppet/puppet.conf on the master:
[master]
certname=server.mydomain.com
Restart the master. It should sign a new certificate for itself (note how it took 10.128.119.155 as its name and used it as the CN - that is not reasonable).
Next, make sure Apache uses this certificate rather than the CA certificate:
SSLCertificateFile /var/lib/puppet/ssl/certs/server.mydomain.com.pem
(You can use puppet master --configprint ssldir to make sure /var/lib/puppet/ssl is the correct path.)
Your master should now have a valid certificate. If the agent reaches it via its FQDN, the SSL handshake should succeed.
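A pre-flight check for the certificate Apache will serve, added here as an example and not part of the original answer: it verifies the three conditions behind the AH01909, AH01906 and AH02238 entries in the question's ssl_error.log before httpd is restarted. It assumes the openssl command-line tool is installed; the CA and server certificate it creates are a constructed fixture, not files from the poster's master.

```shell
#!/bin/sh
# Added example (not from the original answer): sanity-check the certificate
# Apache will serve for the Puppet master before restarting httpd. It tests the
# three conditions the ssl_error.log entries above complain about:
#   AH01909  subject CN does not match the intended certname
#   AH01906  the file is the CA certificate (BasicConstraints CA:TRUE)
#   AH02238  the certificate's public key does not pair with the private key
check_master_cert() {
    cmc_cert="$1"; cmc_key="$2"; cmc_expected_cn="$3"; cmc_status=0
    cmc_cn=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cmc_cert" \
             | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ "$cmc_cn" != "$cmc_expected_cn" ]; then
        echo "FAIL: certificate CN is '$cmc_cn', expected '$cmc_expected_cn' (cf. AH01909)"
        cmc_status=1
    fi
    if openssl x509 -noout -text -in "$cmc_cert" | grep -q 'CA:TRUE'; then
        echo "FAIL: this is a CA certificate, not a server certificate (cf. AH01906)"
        cmc_status=1
    fi
    # Compare the SubjectPublicKeyInfo in the certificate with the one derived from the key.
    if [ "$(openssl x509 -noout -pubkey -in "$cmc_cert")" != "$(openssl pkey -pubout -in "$cmc_key")" ]; then
        echo "FAIL: certificate does not match the private key (cf. AH02238)"
        cmc_status=1
    fi
    return $cmc_status
}

# Constructed fixture for demonstration only: a throwaway CA and a server
# certificate issued by it for the certname the answer recommends.
WORK=$(mktemp -d)
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Puppet CA demo" \
    -keyout "$WORK/ca_key.pem" -out "$WORK/ca.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca_key.pem" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/ca_crt.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.mydomain.com" \
    -keyout "$WORK/server_key.pem" -out "$WORK/server.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:FALSE\n' > "$WORK/server.ext"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca_crt.pem" -CAkey "$WORK/ca_key.pem" \
    -CAcreateserial -days 1 -extfile "$WORK/server.ext" -out "$WORK/server_crt.pem" 2>/dev/null

# The pairing the answer recommends passes; pointing SSLCertificateFile at the
# CA certificate, as the question's Apache log shows happened, is rejected.
check_master_cert "$WORK/server_crt.pem" "$WORK/server_key.pem" server.mydomain.com && echo "OK: server cert + key"
check_master_cert "$WORK/ca_crt.pem" "$WORK/server_key.pem" server.mydomain.com || echo "rejected CA cert, as expected"
```

On a real master, run it against the files named by SSLCertificateFile and SSLCertificateKeyFile in the Apache vhost, with the certname from puppet.conf as the third argument.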