HTTPS迁移后,etcd2集群无法通信

时间:2017-03-21 09:03:27

标签: coreos etcd2

我正在遵循Coreos指南,在现有的etcd群集中启用HTTPS。 Link to Documentation

我有两个问题:

1)使用文档中所述的以下命令将对等URL重新配置为HTTPS:

etcdctl member list | awk -F'[: =]' '{print "etcdctl member update "$1" https:"$7":"$8}'

输出与文档相同,但运行后我想要的输出是什么:

etcdctl member list

我想看到peerUrls更新为HTTPs?

2)我继续配置文档并更改了etcd客户端URL。完成后,群集完全停止通信:

etcd2[5063]: 5ebdc721c084a4b1 is starting a new election at term 20548
etcd2[5063]: 5ebdc721c084a4b1 became candidate at term 20549
etcd2[5063]: 5ebdc721c084a4b1 received vote from 5ebdc721c084a4b1 at term 20549
etcd2[5063]: 5ebdc721c084a4b1 [logterm: 20478, index: 6405417] sent vote request to d5df37b45e3cb90f at term 20549
etcd2[5063]: 5ebdc721c084a4b1 [logterm: 20478, index: 6405417] sent vote request to f3aee5692d89a2a3 at term 20549
etcd2[5063]: 5ebdc721c084a4b1 [logterm: 20478, index: 6405417] sent vote request to fb362473ced21e89 at term 20549
etcd2[5063]: the connection to peer d5df37b45e3cb90f is unhealthy
etcd2[5063]: the connection to peer f3aee5692d89a2a3 is unhealthy
etcd2[5063]: the connection to peer fb362473ced21e89 is unhealthy

当我运行以下命令进行调试时:

sudo etcdctl --ca-file /etc/ssl/etcd/ca.pem --cert-file /etc/ssl/etcd/server.pem --key-file /etc/ssl/etcd/server-key.pem member list

我得到以下输出

Failed to get leader:  client: etcd cluster is unavailable or misconfigured

当我在文档中运行curl时,它会给我正确的输入

curl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/server.pem --key /etc/ssl/etcd/server-key.pem https://172.16.0.2:2379/v2/stats/self
{"name":"coreos0","id":"5ebdc721c084a4b1","state":"StateFollower","startTime":"2017-03-21T11:33:13.964177689+03:00","leaderInfo":{"leader":"fb362473ced21e89","uptime":"13m37.308602575s","startTime":"2017-03-21T11:33:14.480109854+03:00"},"recvAppendRequestCnt":33,"sendAppendRequestCnt":0}

我的配置

/run/systemd/system/etcd2.service.d/20-cloudinit.conf 

[Service]
Environment="ETCD_ADVERTISE_CLIENT_URLS=http://172.16.0.2:2379"
Environment="ETCD_INITIAL_ADVERTISE_PEER_URLS=http://172.16.0.2:2380"
Environment="ETCD_INITIAL_CLUSTER=coreos1=http://172.16.0.4:2380,coreos2=http://172.16.0.5:2380,coreos0=http://172.16.0.2:2380"
Environment="ETCD_INITIAL_CLUSTER_STATE=new"
Environment="ETCD_INITIAL_CLUSTER_TOKEN=cluster1"
Environment="ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379"
Environment="ETCD_LISTEN_PEER_URLS=http://172.16.0.2:2380"
Environment="ETCD_NAME=coreos0"

/etc/systemd/system/etcd2.service.d/25-insecure_localhost.conf 

[Service]
Environment="ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379,http://127.0.0.1:4001"

/etc/systemd/system/etcd2.service.d/30-certs.conf 

[Service]
Environment="ETCD_CERT_FILE=/etc/ssl/etcd/server.pem"
Environment="ETCD_KEY_FILE=/etc/ssl/etcd/server-key.pem"
Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/etcd/ca.pem"
Environment="ETCD_CLIENT_CERT_AUTH=true"
Environment="ETCD_PEER_CERT_FILE=/etc/ssl/etcd/server.pem"
Environment="ETCD_PEER_KEY_FILE=/etc/ssl/etcd/server-key.pem"
Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/etcd/ca.pem"
Environment="ETCD_PEER_CLIENT_CERT_AUTH=true"

/etc/systemd/system/etcd2.service.d/40-tls.conf 

[Service]
Environment="ETCD_ADVERTISE_CLIENT_URLS=https://172.16.0.2:2379"
Environment="ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379,http://127.0.0.1:4001"
Environment="ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380"

提前谢谢

1 个答案:

答案 0 :(得分:0)

cfssl中存在一个错误,导致生成对等证书错误。在使用echo创建再生之后,问题就会重新出现。

相关问题
最新问题