I had to rebuild a server and ran into an interesting problem. Puppet refuses to validate the certificate, even after deleting /var/lib/puppet/ssl and cleaning the certificate on the master.
Master:
OS: Ubuntu 14.04
Puppet master version: 3.4.3-1 (using Webrick)
Agent:
OS: Ubuntu 12.04
Puppet version: 2.7.11
(Note that I replaced the hostname with "agent-server.com" in the output below.)
Deleted the SSL directory on the agent server:
rm -fr /var/lib/puppet/ssl
Cleaned the certificate on the puppet master:
puppet cert clean agent-server.com
Restarted the puppet master:
/etc/init.d/puppetmaster restart
Ran the puppet agent:
puppet agent
root@agent-server:~# puppet agent -t
info: Creating a new SSL key for agent-server.com
info: Caching certificate for ca
info: Creating a new SSL certificate request for agent-server.com
info: Certificate Request fingerprint (md5): F2:2A:AD:3C:D5:E8:13:82:1D:C5:80:B4:FD:23:C4:86
info: Caching certificate for agent-server.com
info: Caching certificate_revocation_list for ca
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
[2017-08-29 18:08:51] 10.88.0.208 - - [29/Aug/2017:18:08:51 UTC] "GET /production/certificate/ca? HTTP/1.1" 200 1939
[2017-08-29 18:08:51] - -> /production/certificate/ca?
[2017-08-29 18:08:51] 10.88.0.208 - - [29/Aug/2017:18:08:51 UTC] "GET /production/certificate/agent-server.com? HTTP/1.1" 404 78
[2017-08-29 18:08:51] - -> /production/certificate/agent-server.com?
[2017-08-29 18:08:51] 10.88.0.208 - - [29/Aug/2017:18:08:51 UTC] "GET /production/certificate_request/agent-server.com? HTTP/1.1" 404 86
[2017-08-29 18:08:51] - -> /production/certificate_request/agent-server.com?
[2017-08-29 18:08:51] 10.88.0.208 - - [29/Aug/2017:18:08:51 UTC] "PUT /production/certificate_request/agent-server.com HTTP/1.1" 200 1448
[2017-08-29 18:08:51] - -> /production/certificate_request/agent-server.com
[2017-08-29 18:08:51] 10.88.0.208 - - [29/Aug/2017:18:08:51 UTC] "GET /production/certificate/agent-server.com? HTTP/1.1" 200 1448
[2017-08-29 18:08:51] - -> /production/certificate/agent-server.com?
[2017-08-29 18:08:56] 10.88.0.208 - - [29/Aug/2017:18:08:56 UTC] "GET /production/certificate_revocation_list/ca? HTTP/1.1" 200 11220
[2017-08-29 18:08:56] - -> /production/certificate_revocation_list/ca?
[2017-08-29 18:08:56] ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: sslv3 alert certificate revoked
/usr/lib/ruby/vendor_ruby/puppet/network/http/webrick.rb:35:in `accept'
/usr/lib/ruby/vendor_ruby/puppet/network/http/webrick.rb:35:in `block (2 levels) in listen'
/usr/lib/ruby/1.9.1/webrick/server.rb:191:in `call'
/usr/lib/ruby/1.9.1/webrick/server.rb:191:in `block in start_thread'
[2017-08-29 18:08:56] ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: sslv3 alert certificate revoked
/usr/lib/ruby/vendor_ruby/puppet/network/http/webrick.rb:35:in `accept'
/usr/lib/ruby/vendor_ruby/puppet/network/http/webrick.rb:35:in `block (2 levels) in listen'
/usr/lib/ruby/1.9.1/webrick/server.rb:191:in `call'
/usr/lib/ruby/1.9.1/webrick/server.rb:191:in `block in start_thread
So from the logs it looks like the certificate is being revoked, even though it is a brand new one. Also, it can't be a time issue: the two servers are very close, within 2-3 seconds of each other.
Unfortunately I'm stumped. Any help is appreciated.
The server is rejecting your client certificate because it was signed by the old server CA. Delete or move your old client certificate from the client host:
sudo mv /var/lib/puppet/ssl /var/lib/puppet/ssl.old
then trigger the agent again from the client host.
Also, the server log indicates it may be caused by a time mismatch between the hosts. Make sure both hosts have the same time and are synchronised with an NTP server.
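As an added check (not part of the question or the answer, and not Puppet's own tooling), the script below tests the two causes the answer names before you start moving directories around: an agent certificate whose issuer is not the CA in the master's certs/ca.pem, and an agent serial that the master's CRL lists as revoked (which is what makes the master send the "certificate revoked" alert seen in the WEBrick log). It assumes the Puppet 3 default layout under /var/lib/puppet/ssl (certs/<certname>.pem, certs/ca.pem, and ca/ca_crl.pem on the master) and a local openssl binary; the sample openssl output strings are constructed.

```python
import re
import subprocess
import sys

SSLDIR = "/var/lib/puppet/ssl"  # assumed Puppet 3 default ssldir, as used in the question

def openssl(*args):
    """Run an openssl subcommand (real openssl CLI options only) and return its stdout."""
    return subprocess.run(["openssl", *args], check=True, capture_output=True, text=True).stdout

def parse_serial(serial_out):
    """'serial=0A' (from `openssl x509 -noout -serial`) -> 'A'; leading zeros dropped so formats compare equal."""
    m = re.search(r"serial=([0-9A-Fa-f]+)", serial_out)
    return (m.group(1).upper().lstrip("0") or "0") if m else None

def parse_crl_serials(crl_text):
    """Revoked serials listed by `openssl crl -noout -text`, normalised the same way as parse_serial."""
    found = re.findall(r"Serial Number:\s*([0-9A-Fa-f]+)", crl_text)
    return {s.upper().lstrip("0") or "0" for s in found}

def parse_dn(dn_out):
    """'issuer=CN = x' or 'subject=CN = x' -> 'CN = x' (same openssl binary prints both, so formats agree)."""
    return dn_out.split("=", 1)[1].strip()

def diagnose(serial_out, issuer_out, ca_subject_out, crl_text):
    """Return the reasons the master's TLS layer would reject this agent cert; [] means none found."""
    reasons = []
    if parse_dn(issuer_out) != parse_dn(ca_subject_out):
        reasons.append("issuer mismatch: agent cert was not signed by the CA in certs/ca.pem")
    serial = parse_serial(serial_out)
    if serial in parse_crl_serials(crl_text):
        reasons.append("serial %s is listed as revoked in the CRL" % serial)
    return reasons

# Constructed sample openssl output (not taken from the question) that shows both failure modes at once.
SAMPLE_SERIAL = "serial=0A\n"
SAMPLE_ISSUER = "issuer=CN = Puppet CA: old-master.example\n"
SAMPLE_CA_SUBJECT = "subject=CN = Puppet CA: master.example\n"
SAMPLE_CRL = ("Revoked Certificates:\n    Serial Number: 0A\n"
              "        Revocation Date: Aug 29 18:00:00 2017 GMT\n    Serial Number: 0C\n")

if __name__ == "__main__":
    # Usage on the master: python3 check_agent_cert.py agent-server.com
    certname = sys.argv[1]
    cert, ca, crl = (f"{SSLDIR}/certs/{certname}.pem", f"{SSLDIR}/certs/ca.pem", f"{SSLDIR}/ca/ca_crl.pem")
    print(diagnose(openssl("x509", "-in", cert, "-noout", "-serial"),
                   openssl("x509", "-in", cert, "-noout", "-issuer"),
                   openssl("x509", "-in", ca, "-noout", "-subject"),
                   openssl("crl", "-in", crl, "-noout", "-text")) or "no problem found")
```

On an agent the CRL it downloaded lives at /var/lib/puppet/ssl/crl.pem instead, and running the same checks against the agent's copy of certs/ca.pem shows which side holds stale CA material.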