主页 / server / 问题 / 400092
Accepted
Banjer
Asked: 2012-06-20 03:51:44 +0800 CST

PuppetDB:无法提交“替换事实”命令

  • 772

我最近撤销/清理了 Puppet 代理证书,这似乎对 PuppetDB 产生了负面影响。我看到这里已经提交了一个错误,其中包含一些有关解决该问题的说明。一位用户在这里遇到了类似的问题,但这些都不适合我。

服务器运行 CentOS 6.2、Puppet 2.7.13 和 Puppet DB 0.9。错误是:

root@harp:/etc/puppetdb/ssl> puppet agent --test
err: Cached facts for harp failed: Failed to find facts from PuppetDB at harp.mydomain.com:8081: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client
info: Loading facts in /etc/puppet/modules/dns/lib/facter/datacenter.rb
info: Caching facts for harp
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client
err: Could not run Puppet configuration client: Could not retrieve local facts: Failed to submit 'replace facts' command for harp to PuppetDB at harp.mydomain.com:8081: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client

从我所见,NTP 工作正常,日期时间看起来不错。“harp”实际上是傀儡主服务器,所以代理和服务器之间的时间应该没有问题,因为它们是一样的。

旧证书:

root@harp:/etc/puppetdb/ssl> puppet cert list --all
+ harp  (DF:8F:65:36:58:4C:DE:66:2B:65:D1:E6:18:B7:F2:33)

清理并为代理生成新证书:

root@harp:/etc/puppetdb/ssl> puppet cert clean harp
notice: Revoked certificate with serial 18
notice: Removing file Puppet::SSL::Certificate harp at '/var/lib/puppet/ssl/ca/signed/harp.pem'
notice: Removing file Puppet::SSL::Certificate harp at '/var/lib/puppet/ssl/certs/harp.pem'
notice: Removing file Puppet::SSL::CertificateRequest harp at '/var/lib/puppet/ssl/certificate_requests/harp.pem'
notice: Removing file Puppet::SSL::Key harp at '/var/lib/puppet/ssl/private_keys/harp.pem'

root@harp:/etc/puppetdb/ssl> puppet agent --test
info: Creating a new SSL key for harp
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for harp
info: Certificate Request fingerprint (md5): 72:5E:99:6A:DE:B0:76:BD:1A:7D:FD:DC:A9:E8:71:AD
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled

root@harp:/etc/puppetdb/ssl> puppet cert list
  harp (72:5E:99:6A:DE:B0:76:BD:1A:7D:FD:DC:A9:E8:71:AD)

root@harp:/etc/puppetdb/ssl> puppet cert sign harp
notice: Signed certificate request for harp
notice: Removing file Puppet::SSL::CertificateRequest harp at '/var/lib/puppet/ssl/ca/requests/harp.pem'

root@harp:/etc/puppetdb/ssl> puppet cert list --all
+ harp  (4A:D4:90:87:15:1B:D3:FD:A8:15:D9:C0:FB:08:5C:79)

root@harp:/etc/puppetdb/ssl> service puppetdb restart
Stopping puppetdb: /etc/init.d/puppetdb: line 77: kill: (8623) - No such process
                                                           [FAILED]
Starting puppetdb:                                         [  OK  ]

那么好吧,再次重新启动以备不时之需:

root@harp:/etc/puppetdb/ssl> service puppetdb restart
Stopping puppetdb:                                         [  OK  ]
Starting puppetdb:                                         [  OK  ]

运行SSL 配置脚本

root@harp:/etc/puppetdb/ssl> /usr/sbin/puppetdb-ssl-setup
cp: cannot stat `/var/lib/puppet/ssl/certs/harp.pem': No such file or directory

root@harp:/etc/puppetdb/ssl> ls -la /var/lib/puppet/ssl/certs
total 12
drwxr-xr-x 2 puppet root 4096 Jun 19 07:19 ./
drwxrwx--x 8 puppet root 4096 Apr 24 10:04 ../
-rw-r--r-- 1 puppet root 1854 Apr 24 10:04 ca.pem

那么好吧,再试一次:

root@harp:/etc/puppetdb/ssl> /usr/sbin/puppetdb-ssl-setup
Certificate was added to keystore
Usage: pkcs12 [options]
where options are
-export       output PKCS12 file
-chain        add certificate chain
-inkey file   private key if not infile
-certfile f   add all certs in f
-CApath arg   - PEM format directory of CA's
-CAfile arg   - PEM format file of CA's
-name "name"  use name as friendly name
-caname "nm"  use nm as CA friendly name (can be used more than once).
-in  infile   input filename
...snip...
-CSP name     Microsoft CSP name
-LMK          Add local machine keyset attribute to private key

/etc/puppetdb/ssl 中的密钥库似乎没有更改/重新生成。此时运行puppet agent --test同样报错,重启puppet和puppetdb也无济于事。

密钥库信息:

root@harp:/etc/puppetdb/ssl> keytool -list -keystore /etc/puppetdb/ssl/keystore.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

harp.mydomain.com, May 25, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): 06:A8:D3:2A:70:F3:6D:34:62:91:45:22:8A:C4:A8:86
root@harp:/etc/puppetdb/ssl> keytool -list -keystore /etc/puppetdb/ssl/truststore.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

puppetdb ca, May 25, 2012, trustedCertEntry,
Certificate fingerprint (MD5): 13:AD:D8:BC:42:40:47:BB:D2:5C:ED:3C:D1:78:26:88
root@harp:/etc/puppetdb/ssl> puppet cert --fingerprint ca harp.mydomain.com
ca 13:AD:D8:BC:42:40:47:BB:D2:5C:ED:3C:D1:78:26:88
err: Could not call fingerprint: Could not find a certificate or csr for harp.mydomain.com

root@harp:/etc/puppetdb/ssl> puppet cert --fingerprint ca harp
ca 13:AD:D8:BC:42:40:47:BB:D2:5C:ED:3C:D1:78:26:88
harp 4A:D4:90:87:15:1B:D3:FD:A8:15:D9:C0:FB:08:5C:79

如何让 puppetdb 密钥库真正重新生成?我尝试删除 /etc/puppetdb/ssl/ 中的文件,但没有成功。

puppet ssl puppetdb

4 个回答

  1. Best Answer

    我开始了,但不能确切地说出哪些步骤是必要的,哪些是不需要的。

    出现此问题是因为多台主机上的身份验证速度缓慢或挂起,并且似乎与域控制器/DNS 缓存问题有关。从 puppet master 和 agents 上删除domain mydomain.com条目/etc/resolv.conf解决了这个问题,但这给现有的 puppet 证书带来了问题。我puppet cert clean --all在 master 上运行以尝试重新创建所有证书,但这在 PuppetDB 上效果不佳。

    解决方案

    清除 master 上的旧证书:

    puppet cert clean --all

    清除所有代理上的旧证书:

    rm -rf /var/lib/puppet/ssl

    重新创建 PuppetDB 密钥库:

    facter fqdndomain foo.com从中删除后不可用/etc/resolv.conf。这会puppetdb-ssl-setup导致静默失败。

    编辑/usr/sbin/puppetdb-ssl-setup,添加一段代码使用just facter hostnameif facter fqdnis empty:

    # near line 10
fqdn=`facter fqdn`
# add this "if" section
if [ ! -n "$fqdn" ] ; then
  fqdn=`facter hostname`
fi

    权限修复:

    chown -R puppetdb:puppetdb /etc/puppetdb/ssl

    使用新的密钥库/信任库密码(相同的密码)更新 /etc/puppetdb/conf.d/jetty.ini 中的密码,您可以从以下位置获得:

    cat /etc/puppetdb/ssl/puppetdb_keystore_pw.txt

    重启木偶数据库

    service puppetdb restart

    然后转到每个代理并请求新证书并在每个代理上签名。

    • 4

  2. 当您的 puppetdb 内存设置太低时,也会发生这种情况。

    vim /etc/default/puppetdb

    编辑行

    JAVA_ARGS="-Xmx192m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/puppetdb/puppetdb-oom.hprof -Djava.security.egd=file:/dev/urandom"

    应该成为

    JAVA_ARGS="-Xmx1024m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/puppetdb/puppetdb-oom.hprof -Djava.security.egd=file:/dev/urandom"

    并重启 puppetdb

    sudo service puppetdb restart
    • 1

  3. 有一个类似的问题。解决方案:

    1.) 删除 master 上的 pe-puppetdb pid 文件 2.) 停止 master 上的 pe-puppetdb 服务 3.) 在 master 上启动 pe-puppetdb 服务等待 30 秒。

    • 0

  4. 将 puppet master(包括从 1.6.3 到 2.3.8 的 puppetdb)从 3.7.x 升级到 3.8.x 后,我遇到了类似的问题,并收到以下错误消息:

    Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for puppet-client to PuppetDB at puppetmaster:8081: Connection refused - connect(2)

    解决方案一方面是重新启动 puppetdb,另一方面也重新启动 puppet 代理客户端。之后,代理能够继续其工作。

    • 0

相关问题