HTTPS迁移后etcd2集群不通信

Question

我正在遵循Coreos指南，在现有的etcd集群中启用HTTPS。链接到文档

我有两个问题：

1)在使用以下命令将对等URL重新配置为HTTPS之后，如文档中所述：

etcdctl member list | awk -F'[: =]' '{print "etcdctl member update "$1" https:"$7":"$8}'

输出与文档相同，但运行后的输出是什么：

etcdctl member list

我应该看到peerUrls被更新为HTTPs？

2)我继续配置文档并更改etcd客户端URL。完成此操作后，集群将完全停止通信：

etcd2[5063]: 5ebdc721c084a4b1 is starting a new election at term 20548
etcd2[5063]: 5ebdc721c084a4b1 became candidate at term 20549
etcd2[5063]: 5ebdc721c084a4b1 received vote from 5ebdc721c084a4b1 at term 20549
etcd2[5063]: 5ebdc721c084a4b1 [logterm: 20478, index: 6405417] sent vote request to d5df37b45e3cb90f at term 20549
etcd2[5063]: 5ebdc721c084a4b1 [logterm: 20478, index: 6405417] sent vote request to f3aee5692d89a2a3 at term 20549
etcd2[5063]: 5ebdc721c084a4b1 [logterm: 20478, index: 6405417] sent vote request to fb362473ced21e89 at term 20549
etcd2[5063]: the connection to peer d5df37b45e3cb90f is unhealthy
etcd2[5063]: the connection to peer f3aee5692d89a2a3 is unhealthy
etcd2[5063]: the connection to peer fb362473ced21e89 is unhealthy

当我运行以下命令进行调试时：

sudo etcdctl --ca-file /etc/ssl/etcd/ca.pem --cert-file /etc/ssl/etcd/server.pem --key-file /etc/ssl/etcd/server-key.pem member list

我得到以下输出

Failed to get leader:  client: etcd cluster is unavailable or misconfigured

当我像在文档中一样运行curl时，它会给出正确的输入。

curl --cacert /etc/ssl/etcd/ca.pem --cert /etc/ssl/etcd/server.pem --key /etc/ssl/etcd/server-key.pem https://172.16.0.2:2379/v2/stats/self
{"name":"coreos0","id":"5ebdc721c084a4b1","state":"StateFollower","startTime":"2017-03-21T11:33:13.964177689+03:00","leaderInfo":{"leader":"fb362473ced21e89","uptime":"13m37.308602575s","startTime":"2017-03-21T11:33:14.480109854+03:00"},"recvAppendRequestCnt":33,"sendAppendRequestCnt":0}

我的配置

/run/systemd/system/etcd2.service.d/20-cloudinit.conf

[Service]
Environment="ETCD_ADVERTISE_CLIENT_URLS=http://172.16.0.2:2379"
Environment="ETCD_INITIAL_ADVERTISE_PEER_URLS=http://172.16.0.2:2380"
Environment="ETCD_INITIAL_CLUSTER=coreos1=http://172.16.0.4:2380,coreos2=http://172.16.0.5:2380,coreos0=http://172.16.0.2:2380"
Environment="ETCD_INITIAL_CLUSTER_STATE=new"
Environment="ETCD_INITIAL_CLUSTER_TOKEN=cluster1"
Environment="ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379"
Environment="ETCD_LISTEN_PEER_URLS=http://172.16.0.2:2380"
Environment="ETCD_NAME=coreos0"

/etc/systemd/system/etcd2.service.d/25-insecure_localhost.conf

[Service]
Environment="ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379,http://127.0.0.1:4001"

/etc/systemd/system/etcd2.service.d/30-certs.conf

[Service]
Environment="ETCD_CERT_FILE=/etc/ssl/etcd/server.pem"
Environment="ETCD_KEY_FILE=/etc/ssl/etcd/server-key.pem"
Environment="ETCD_TRUSTED_CA_FILE=/etc/ssl/etcd/ca.pem"
Environment="ETCD_CLIENT_CERT_AUTH=true"
Environment="ETCD_PEER_CERT_FILE=/etc/ssl/etcd/server.pem"
Environment="ETCD_PEER_KEY_FILE=/etc/ssl/etcd/server-key.pem"
Environment="ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/etcd/ca.pem"
Environment="ETCD_PEER_CLIENT_CERT_AUTH=true"

/etc/systemd/system/etcd2.service.d/40-tls.conf

[Service]
Environment="ETCD_ADVERTISE_CLIENT_URLS=https://172.16.0.2:2379"
Environment="ETCD_LISTEN_CLIENT_URLS=https://0.0.0.0:2379,http://127.0.0.1:4001"
Environment="ETCD_LISTEN_PEER_URLS=https://0.0.0.0:2380"

提前谢谢你

Answer 1

cfssl中有一个错误，导致对等证书生成错误。在用echo创建再生之后，这个问题就重新出现了。