Puppet master digest problem

I am running Puppet with the following setup:

  • Puppet master: CentOS 6.4 x86_64 with puppet-server-3.2.1-2.2 and openssl-1.0.0-27.el6_4.2.x86_64
  • Puppet agent 1: RedHat AS 4.8 x86 with puppet-0.25.6-1.el4 and openssl-0.9.7a-43.20.el4
  • Puppet agent 2: RHEL 5.10 x86 with puppet-2.6.18-3.el5 and openssl-0.9.8e-26.el5_9.1

I noticed that my RedHat 4 agent cannot connect to my Puppet master, and I think this is because the version of libssl packaged with RH4 (0.9.7a-43.20 in my case) cannot handle the digest generated by the Puppet server.

Tests I ran:

  • From the non-working RedHat 4 agent (using OpenSSL v 0.9.7a-43.20.el4):

    # openssl s_client -host puppetmaster.test.lan -port 8140 -cert /etc/puppet/ssl/certs/rh4as.test.lan.pem -key /etc/puppet/ssl/private_keys/rh4as.test.lan.pem -CAfile /etc/puppet/ssl/certs/ca.pem
    CONNECTED(00000003)
    depth=1 /CN=Puppet CA: puppetmaster.test.lan
    verify return:1
    depth=0 /CN=puppetmaster.test.lan
    verify error:num=7:certificate signature failure
    verify return:1
    depth=0 /CN=puppetmaster.test.lan
    verify return:1
    ---
    Certificate chain
     0 s:/CN=puppetmaster.test.lan
       i:/CN=Puppet CA: puppetmaster.test.lan
     1 s:/CN=Puppet CA: puppetmaster.test.lan
       i:/CN=Puppet CA: puppetmaster.test.lan
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----
    subject=/CN=puppetmaster.test.lan
    issuer=/CN=Puppet CA: puppetmaster.test.lan
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 3793 bytes and written 2853 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: 8B8607495273640FB4BCB80C5C1CE261FED1633CA112C1D216BE187EDEA81F77
        Session-ID-ctx:
        Master-Key: A2A3AC5B0679C27FFE070D0B3154233EC4D0F17310148AE7B6FF502A7DB95679D33BB097C0ED89AE67AA42E95BD4D952
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1392216496
        Timeout   : 300 (sec)
        Verify return code: 7 (certificate signature failure)
    ---
    closed

  • From the working RedHat 5 agent (using OpenSSL v 0.9.8e-26.el5_9.1):

    # openssl s_client -host puppetmaster.test.lan -port 8140 -cert /etc/puppet/ssl/certs/rhel5.test.lan.pem -key /etc/puppet/ssl/private_keys/rhel5.test.lan.pem -CAfile /etc/puppet/ssl/certs/ca.pem
    CONNECTED(00000003)
    depth=1 /CN=Puppet CA: puppetmaster.test.lan
    verify return:1
    depth=0 /CN=puppetmaster.test.lan
    verify return:1
    ---
    Certificate chain
     0 s:/CN=puppetmaster.test.lan
       i:/CN=Puppet CA: puppetmaster.test.lan
     1 s:/CN=Puppet CA: puppetmaster.test.lan
       i:/CN=Puppet CA: puppetmaster.test.lan
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----
    subject=/CN=puppetmaster.test.lan
    issuer=/CN=Puppet CA: puppetmaster.test.lan
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 3793 bytes and written 2831 bytes
    ---
    New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : DHE-RSA-AES256-SHA
        Session-ID: 7B70B803D8D0FFC65F2696D337EB40CDE41D188F9F1BA1D7FE416DA326B49AFD
        Session-ID-ctx:
        Master-Key: BE57138CA99AA4AA59769B3E8396E9C25594264E196FB50DB066679EA569311521F1BBBCD25962B780A38D95A3AD9346
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1392224552
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    closed

  • From the Puppet master:

    # puppet cert --list --all
    + "rh4as.test.lan" (SHA256) 69:BD:D9:B6:31:6B:3E:90:9B:5E:1B:90:FA:24:08:1A:48:31:B1:17:65:DF:93:26:70:29:5A:C3:3E:C8:0F:7E
    + "rhel5.test.lan" (SHA256) 83:58:A9:25:7C:9A:41:C9:A7:7E:45:26:40:EE:D0:05:9A:31:6E:8D:15:CE:57:86:0C:DA:E0:D0:2A:9C:B3:DB
    + "puppetmaster.test.lan" (SHA256) 9C:AC:8E:CA:71:24:2B:BB:61:52:01:4F:F1:DF:BD:B6:25:6C:DA:61:44:E4:1E:71:77:DF:2F:BA:AE:A9:40:FD (alt names: "DNS:puppet", "DNS:puppet.test.lan", "DNS:puppetmaster.test.lan", "DNS:puppetmaster")

Other tests:

  • I made sure all the servers are correctly synchronised with an NTP server
  • I deleted all the local certificates on the RH4AS agent and reissued them
  • I removed the local reference to the RH4AS agent on the Puppet master
  • I installed Puppet agent v2.6.0 from source on the RH4AS server, but had the same problem

I read these links:

  • http://projects.puppetlabs.com/issues/17295
  • https://groups.google.com/forum/#!msg/puppet-dev/_jkdY1Hmq6U/X0gj7NSgK64J
  • Puppet's automatically generated certificate fails

I realise I have two options:

  • Upgrade my OpenSSL version to 0.9.8+ (1.0.0 to be safe)
  • Downgrade the digest used by the Puppet master from SHA256 to SHA1 (or maybe even MD5)

Unfortunately option #1 (upgrading OpenSSL) is not applicable to my environment. So I think I am stuck with downgrading the digest used by the Puppet master. But I cannot find an option anywhere in man puppet.conf that I could use to achieve this. I tried playing with the keylength parameter, but to no avail.

If anyone can help me solve this, I would really appreciate it.

Thanks in advance, everyone.
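As an added illustration of the diagnosis above (not code from the original post or from Puppet): a stdlib-only Python check that reads the signatureAlgorithm OID straight out of an X.509 certificate, such as the master's /etc/puppet/ssl/certs/ca.pem, and reports whether an OpenSSL 0.9.7 client like the RHEL 4 agent can verify that signature at all. The certificate it builds in sample_cert is a constructed, structurally shaped stand-in, not a real Puppet certificate.

```python
import base64
import re
# Signature-algorithm OIDs found on RSA certificates such as Puppet's.
SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
            "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}
# Digests OpenSSL 0.9.7 can verify; SHA-2 signatures need 0.9.8 or later.
LEGACY_OK = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

def _tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert):
    """Name the signatureAlgorithm of a PEM or DER X.509 certificate (bytes)."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", cert, re.S)
    der = base64.b64decode(m.group(1)) if m else cert
    _, pos, _ = _tlv(der, 0)        # Certificate ::= SEQUENCE {
    _, _, pos = _tlv(der, pos)      #   tbsCertificate  (skipped whole)
    _, pos, _ = _tlv(der, pos)      #   signatureAlgorithm ::= SEQUENCE {
    _, start, end = _tlv(der, pos)  #     algorithm OBJECT IDENTIFIER
    oid = _decode_oid(der[start:end])
    return SIG_OIDS.get(oid, oid)

def legacy_openssl_can_verify(cert):  # can an OpenSSL 0.9.7 client (RHEL 4) check it?
    return signature_algorithm(cert) in LEGACY_OK

def _der(tag, content):  # short-form DER only; enough for the sample below
    return bytes([tag, len(content)]) + content

def sample_cert(sig_oid_hex):
    """Constructed sample: shaped like a Certificate, not a real Puppet cert."""
    tbs = _der(0x30, _der(0x02, b"\x02"))                      # SEQUENCE { INTEGER 2 }
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\xff"))      # + BIT STRING sig
```

Run it over the real CA and master certificates with `signature_algorithm(open(path, "rb").read())`; a sha256WithRSAEncryption result is exactly what produces "verify error:num=7:certificate signature failure" on the 0.9.7a client while the 0.9.8e client verifies fine.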

This looks like the problem discussed in Feature #21029: Allow control of the digest used to create CA certificates. It seems the workaround, since this will not be implemented in puppet, is that you need to create the certificates manually using OpenSSL.

I ended up downgrading my Puppet master from the 3.x branch to 2.7.x (as shown in this post: https://groups.google.com/forum/#!msg/puppet-dev/_jkdY1Hmq6U/QJ6nHP2ORtYJ).

But I think sciurus's answer is probably valid, as I was told by a Puppet developer that I could work around this by setting up a CA that uses SHA1.