Because I screwed up, I have to regenerate the client and server certificates.
As far as I know, the master certificate is generated automatically.
So I generate the key on the client:
MASTER # puppet cert clean --all
Notice: Revoked certificate with serial 2
Notice: Revoked certificate with serial 6
Notice: Removing file Puppet::SSL::Certificate puppet.x.com at '/var/lib/puppet/ssl/ca/signed/puppet.x.com.pem'
Notice: Removing file Puppet::SSL::Certificate puppet.x.com at '/var/lib/puppet/ssl/certs/puppet.x.com.pem'
Notice: Removing file Puppet::SSL::Key puppet.x.com at '/var/lib/puppet/ssl/private_keys/puppet.x.com.pem'
Notice: Removing file Puppet::SSL::Certificate efikamx-9ba3ab.x.com at '/var/lib/puppet/ssl/ca/signed/efikamx-9ba3ab.x.com.pem'
Notice: Removing file Puppet::SSL::Certificate efikamx-9ba3ab.x.com at '/var/lib/puppet/ssl/certs/efikamx-9ba3ab.x.com.pem'

puppet agent --no-daemonize --onetime --verbose --waitforcert 60
notice: Did not receive certificate
info: Caching certificate for efikamx-561a37.botnet.corp.flatturtle.com
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
notice: Using cached catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client

MASTER # puppet cert sign --all
Notice: Signed certificate request for efikamx-9ba3ab.x.com
Notice: Removing file Puppet::SSL::CertificateRequest efikamx-9ba3ab.x.com at '/var/lib/puppet/ssl/ca/requests/efikamx-9ba3ab.x.com.pem'

CLIENT # puppet agent -t
info: Caching certificate for efikamx-9ba3ab.x.com
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
Before you ask: yes, ntp is running, and both clients have the correct time.
What is the right way to clear all certificates and regenerate everything properly?
I ran:
find /var/lib/puppet -type f -print0 |xargs -0r rm
and
rm -rf /var/lib/puppet/ssl/*
on the client, but it didn't help.
By the way, this is a mix of Puppet 2 and Puppet 3.
Apparently the problem was due to the fact that Apache was still running (and therefore a puppet master spawned via Passenger).
MASTER /etc/apache2/sites-enabled # /etc/init.d/apache2 stop
[ ok ] Stopping web server: apache2 ... waiting .
MASTER /etc/apache2/sites-enabled # puppet cert clean --all
Notice: Revoked certificate with serial 2
Notice: Removing file Puppet::SSL::Certificate puppet.x at '/var/lib/puppet/ssl/ca/signed/puppet.x.pem'
Notice: Removing file Puppet::SSL::Certificate puppet.x at '/var/lib/puppet/ssl/certs/puppet.x.pem'
Notice: Removing file Puppet::SSL::Key puppet.x at '/var/lib/puppet/ssl/private_keys/puppet.x.pem'
MASTER /etc/apache2/sites-enabled # puppet master --no-daemonize --verbose
Info: Creating a new SSL key for puppet.x
Info: Creating a new SSL certificate request for puppet.x
Info: Certificate Request fingerprint (SHA256): DB:8C:2D:71:54:C4:B7:03:79:38:E2:26:94:51:12:89:6F:E0:24:AC:F2:16:C0:5A:7A:B6:7D:4F:DD:6C:98:0D
Notice: puppet.x has a waiting certificate request
Notice: Signed certificate request for puppet.x
Notice: Removing file Puppet::SSL::CertificateRequest puppet.x at '/var/lib/puppet/ssl/ca/requests/puppet.x.pem'
Notice: Removing file Puppet::SSL::CertificateRequest puppet.x at '/var/lib/puppet/ssl/certificate_requests/puppet.x.pem'
Notice: Starting Puppet master version 3.1.1
^CNotice: Caught INT; calling stop
MASTER /etc/apache2/sites-enabled # /etc/init.d/apache2 restart
[ ok ] Restarting web server: apache2.
MASTER /etc/apache2/sites-enabled # puppet cert sign --all
Notice: Signed certificate request for efikamx-561a37.x
Notice: Removing file Puppet::SSL::CertificateRequest efikamx-561a37.x at '/var/lib/puppet/ssl/ca/requests/efikamx-561a37.x.pem'

Now I can properly generate and sign the key on the client:

CLIENT ~ # rm -rf /var/lib/puppet/ssl/*
CLIENT ~ # puppet agent -t
info: Creating a new SSL key for efikamx-9ba3ab.x.com
info: Caching certificate for ca
info: Creating a new SSL certificate request for efikamx-9ba3ab.x.com
info: Certificate Request fingerprint (md5): 8C:9E:6E:95:B8:70:B9:A2:98:CB:A5:87:BC:66:33:A4
Exiting; no certificate found and waitforcert is disabled
CLIENT ~ # puppet agent --no-daemonize --onetime --verbose --waitforcert 60
info: Caching certificate for efikamx-9ba3ab.x.com
info: Caching certificate_revocation_list for ca
info: Caching catalog for efikamx-9ba3ab.x.com
info: Applying configuration version '1373327419'
notice: /Stage[essential]/Efikamx-repository/File[/etc/apt/sources.list.d/multistrap-stable.list]/content: content changed '{md5}fbba0743add1cb9e54f7484b2c7a1f59' to '{md5}5941829a1b3a18b02f5bd6367e36e635'
[...]
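The "certificate verify failed" message above is what an agent prints whenever the certificate it holds (or the CA copy it cached) was issued by a CA that the master no longer uses, for instance a CA that `puppet cert clean --all` regenerated while a Passenger-spawned master was still serving the old one. The script below is an added example, not part of the original question or answer, that checks this with openssl instead of guessing at clock skew: it prints the SHA-256 fingerprint of a CA file so it can be compared between master and agent, and verifies that an agent certificate actually chains to a given CA. It assumes Puppet's default ssldir layout (`/var/lib/puppet/ssl/certs/ca.pem` for the CA copy, `/var/lib/puppet/ssl/certs/<fqdn>.pem` for the agent certificate, as in the paths shown in the post's output); the lab CA and certificates built by `make_lab` are constructed here purely for demonstration.

```shell
#!/bin/sh
# Added example (not the original poster's code): openssl checks for the
# "certificate verify failed" state seen in the post. Assumed Puppet default
# paths; the lab CA/certs created by make_lab are constructed for the demo.
set -eu

# Assumed default location of the cached CA certificate on master and agent.
PUPPET_CA_PEM=${PUPPET_CA_PEM:-/var/lib/puppet/ssl/certs/ca.pem}

# SHA-256 fingerprint of a PEM certificate. Run on master and agent and
# compare: an agent that cached ca.pem from a master whose CA has since been
# regenerated shows a different value than the master does.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit 0 if the two CA files hold the same certificate, 1 otherwise.
ca_matches() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Exit 0 if CERT ($2) chains to CA_FILE ($1), 1 otherwise. A leaf signed by a
# CA that has since been replaced fails here, which is the same failure the
# agent reports as "certificate verify failed".
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a throw-away lab in directory $1: an "old" CA, an agent certificate
# signed by it, and a fresh CA standing in for the one regenerated by
# "puppet master --no-daemonize" in the post. Host names reuse the post's.
make_lab() {
    lab=$1
    for ca in old-ca new-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -keyout "$lab/$ca.key" -out "$lab/$ca.pem" \
            -subj "/CN=Puppet CA: puppet.x ($ca)" >/dev/null 2>&1
    done
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$lab/agent.key" -out "$lab/agent.csr" \
        -subj "/CN=efikamx-9ba3ab.x.com" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$lab/agent.csr" \
        -CA "$lab/old-ca.pem" -CAkey "$lab/old-ca.key" -CAcreateserial \
        -out "$lab/agent.pem" >/dev/null 2>&1
}

# Human-readable report of one agent certificate against one CA file.
report() {
    ca=$1; cert=$2
    printf 'CA   %s  %s\n' "$(cert_fingerprint "$ca")" "$ca"
    if verify_chain "$ca" "$cert"; then
        echo "OK   $cert chains to $ca"
    else
        echo "FAIL $cert does not chain to $ca (stale CA on one side?)"
    fi
}

# "sh check-puppet-ca.sh demo" runs the lab. With no argument only the
# functions are defined, so on a real agent one would call, for example:
#   report "$PUPPET_CA_PEM" "/var/lib/puppet/ssl/certs/$(hostname -f).pem"
if [ "${1:-}" = "demo" ]; then
    lab=$(mktemp -d)
    make_lab "$lab"
    report "$lab/old-ca.pem" "$lab/agent.pem"   # OK: signed by this CA
    report "$lab/new-ca.pem" "$lab/agent.pem"   # FAIL: CA was regenerated
    rm -rf "$lab"
fi
```

The demo reproduces the post's situation in miniature: the agent certificate verifies against the CA that signed it and fails against the regenerated one, which is exactly why the answer's fix is to stop the stale master, regenerate the CA once, and only then wipe the agent's `ssl` directory and request a new certificate.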