
PuppetDB: Failed to submit 'replace facts' command

Server Fault user
Asked on 2012-06-19 11:51:44
Answers 4 · Views 19.8K · Following 0 · Votes 6

I recently revoked/cleaned a Puppet agent certificate, and it seems to have had a negative effect on PuppetDB. I see a bug has been filed that gives some instructions on working around the problem here, and another user had a similar problem here, but none of that worked for me.

The server is running CentOS 6.2, Puppet 2.7.13 and PuppetDB 0.9. The error is:

root@harp:/etc/puppetdb/ssl> puppet agent --test
err: Cached facts for harp failed: Failed to find facts from PuppetDB at harp.mydomain.com:8081: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client
info: Loading facts in /etc/puppet/modules/dns/lib/facter/datacenter.rb
info: Caching facts for harp
err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client
err: Could not run Puppet configuration client: Could not retrieve local facts: Failed to submit 'replace facts' command for harp to PuppetDB at harp.mydomain.com:8081: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed.  This is often because the time is out of sync on the server or client

From what I can see, NTP is working properly and the date/time looks fine. "harp" is actually the puppet master, so there shouldn't be a time problem between the agent and the server, since they are the same machine.

Old certificate:

root@harp:/etc/puppetdb/ssl> puppet cert list --all
+ harp  (DF:8F:65:36:58:4C:DE:66:2B:65:D1:E6:18:B7:F2:33)

Clean and generate a new agent certificate:

root@harp:/etc/puppetdb/ssl> puppet cert clean harp
notice: Revoked certificate with serial 18
notice: Removing file Puppet::SSL::Certificate harp at '/var/lib/puppet/ssl/ca/signed/harp.pem'
notice: Removing file Puppet::SSL::Certificate harp at '/var/lib/puppet/ssl/certs/harp.pem'
notice: Removing file Puppet::SSL::CertificateRequest harp at '/var/lib/puppet/ssl/certificate_requests/harp.pem'
notice: Removing file Puppet::SSL::Key harp at '/var/lib/puppet/ssl/private_keys/harp.pem'

root@harp:/etc/puppetdb/ssl> puppet agent --test
info: Creating a new SSL key for harp
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for harp
info: Certificate Request fingerprint (md5): 72:5E:99:6A:DE:B0:76:BD:1A:7D:FD:DC:A9:E8:71:AD
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled

root@harp:/etc/puppetdb/ssl> puppet cert list
  harp (72:5E:99:6A:DE:B0:76:BD:1A:7D:FD:DC:A9:E8:71:AD)

root@harp:/etc/puppetdb/ssl> puppet cert sign harp
notice: Signed certificate request for harp
notice: Removing file Puppet::SSL::CertificateRequest harp at '/var/lib/puppet/ssl/ca/requests/harp.pem'

root@harp:/etc/puppetdb/ssl> puppet cert list --all
+ harp  (4A:D4:90:87:15:1B:D3:FD:A8:15:D9:C0:FB:08:5C:79)

root@harp:/etc/puppetdb/ssl> service puppetdb restart
Stopping puppetdb: /etc/init.d/puppetdb: line 77: kill: (8623) - No such process
                                                           [FAILED]
Starting puppetdb:                                         [  OK  ]

OK, restart once more for good measure:

root@harp:/etc/puppetdb/ssl> service puppetdb restart
Stopping puppetdb:                                         [  OK  ]
Starting puppetdb:                                         [  OK  ]

Run the SSL setup script:

root@harp:/etc/puppetdb/ssl> /usr/sbin/puppetdb-ssl-setup
cp: cannot stat `/var/lib/puppet/ssl/certs/harp.pem': No such file or directory

root@harp:/etc/puppetdb/ssl> ls -la /var/lib/puppet/ssl/certs
total 12
drwxr-xr-x 2 puppet root 4096 Jun 19 07:19 ./
drwxrwx--x 8 puppet root 4096 Apr 24 10:04 ../
-rw-r--r-- 1 puppet root 1854 Apr 24 10:04 ca.pem

OK, try once more for good measure:

root@harp:/etc/puppetdb/ssl> /usr/sbin/puppetdb-ssl-setup
Certificate was added to keystore
Usage: pkcs12 [options]
where options are
-export       output PKCS12 file
-chain        add certificate chain
-inkey file   private key if not infile
-certfile f   add all certs in f
-CApath arg   - PEM format directory of CA's
-CAfile arg   - PEM format file of CA's
-name "name"  use name as friendly name
-caname "nm"  use nm as CA friendly name (can be used more than once).
-in  infile   input filename
...snip...
-CSP name     Microsoft CSP name
-LMK          Add local machine keyset attribute to private key

It seems the keystore in /etc/puppetdb/ssl was not changed/regenerated. At this point, running puppet agent --test gives the same error, and restarting puppet and puppetdb doesn't help either.

Keystore information:

root@harp:/etc/puppetdb/ssl> keytool -list -keystore /etc/puppetdb/ssl/keystore.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

harp.mydomain.com, May 25, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): 06:A8:D3:2A:70:F3:6D:34:62:91:45:22:8A:C4:A8:86
root@harp:/etc/puppetdb/ssl> keytool -list -keystore /etc/puppetdb/ssl/truststore.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

puppetdb ca, May 25, 2012, trustedCertEntry,
Certificate fingerprint (MD5): 13:AD:D8:BC:42:40:47:BB:D2:5C:ED:3C:D1:78:26:88
root@harp:/etc/puppetdb/ssl> puppet cert --fingerprint ca harp.mydomain.com
ca 13:AD:D8:BC:42:40:47:BB:D2:5C:ED:3C:D1:78:26:88
err: Could not call fingerprint: Could not find a certificate or csr for harp.mydomain.com

root@harp:/etc/puppetdb/ssl> puppet cert --fingerprint ca harp
ca 13:AD:D8:BC:42:40:47:BB:D2:5C:ED:3C:D1:78:26:88
harp 4A:D4:90:87:15:1B:D3:FD:A8:15:D9:C0:FB:08:5C:79

How can I get the PuppetDB keystore to actually regenerate? I tried removing the files in /etc/puppetdb/ssl/ without success.

4 answers

Server Fault user

Accepted answer

Posted on 2012-06-19 18:54:28

I have this working now, but I'm not sure exactly which steps were needed.

This started because authentication on several hosts was slow or hanging, and it seemed related to a domain controller/DNS caching problem. Removing the domain mydomain.com entry from /etc/resolv.conf on the puppet master and the agents fixed that, but it created problems for the existing Puppet certificates. I ran puppet cert clean --all on the master to try to recreate all the certificates, but that didn't play well with PuppetDB.

Solution

Clean the old certificates on the master:

puppet cert clean --all

Clean the old certificates on all agents:

rm -rf /var/lib/puppet/ssl

Recreate the PuppetDB keystore:

facter fqdn is not available after removing domain foo.com from /etc/resolv.conf. This causes puppetdb-ssl-setup to fail silently.

Edit /usr/sbin/puppetdb-ssl-setup and add a section that falls back to facter hostname when facter fqdn is empty:

# near line 10
fqdn=`facter fqdn`
# add this "if" section
if [ ! -n "$fqdn" ] ; then
  fqdn=`facter hostname`
fi

Fix permissions:

chown -R puppetdb:puppetdb /etc/puppetdb/ssl

Update the passwords in /etc/puppetdb/conf.d/jetty.ini with the new keystore/truststore password (they are the same password), which you can get from:

cat /etc/puppetdb/ssl/puppetdb_keystore_pw.txt

Restart PuppetDB:

service puppetdb restart

Then go to each agent, request a new certificate, and sign each one on the master.

Votes 4
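As an added example that is not part of the Server Fault thread, the following Python script automates the cross-check the question did by hand with keytool -list and puppet cert --fingerprint: it parses that output (constructed here from the values shown in the question) and reports whether the certificate PuppetDB serves from its keystore is still the one the Puppet CA has signed for the host, and whether the keystore alias still matches the certname (the fqdn vs. hostname change the accepted answer describes). The function names are my own.

```python
import re

# Constructed sample output, shaped like the question's keytool and puppet output.
KEYSTORE_LIST = """\
Your keystore contains 1 entry

harp.mydomain.com, May 25, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): 06:A8:D3:2A:70:F3:6D:34:62:91:45:22:8A:C4:A8:86
"""
TRUSTSTORE_LIST = """\
Your keystore contains 1 entry

puppetdb ca, May 25, 2012, trustedCertEntry,
Certificate fingerprint (MD5): 13:AD:D8:BC:42:40:47:BB:D2:5C:ED:3C:D1:78:26:88
"""
# Output of `puppet cert --fingerprint ca harp` on the master (CA's current view).
PUPPET_FPS = """\
ca 13:AD:D8:BC:42:40:47:BB:D2:5C:ED:3C:D1:78:26:88
harp 4A:D4:90:87:15:1B:D3:FD:A8:15:D9:C0:FB:08:5C:79
"""

# A keytool entry spans two lines: "<alias>, <Mon D, YYYY>, <EntryType>," then the fingerprint.
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,\n]+), [^,\n]+, \d{4}, (?P<kind>\w+),\s*\n"
    r"Certificate fingerprint \(\w+\): (?P<fp>[0-9A-Fa-f:]+)", re.M)

def parse_keytool(text):
    """Map alias -> (entry type, fingerprint) from `keytool -list` output."""
    return {m["alias"]: (m["kind"], m["fp"].upper()) for m in ENTRY_RE.finditer(text)}

def parse_puppet_fps(text):
    """Map certname -> fingerprint; lines with other shapes (e.g. 'err: ...') are skipped."""
    pairs = (line.split() for line in text.splitlines() if len(line.split()) == 2)
    return {name: fp.upper() for name, fp in pairs}

def check_puppetdb_ssl(keystore_out, truststore_out, puppet_out, host_alias, certname):
    """Compare what PuppetDB serves (JKS) with what the Puppet CA has actually signed."""
    ks, ts, ca = parse_keytool(keystore_out), parse_keytool(truststore_out), parse_puppet_fps(puppet_out)
    host = ks.get(host_alias)
    trusted = [fp for kind, fp in ts.values() if kind == "trustedCertEntry"]
    return {
        "keystore_has_host_key": host is not None and host[0] == "PrivateKeyEntry",
        # False means the JKS still holds the pre-clean cert: the agent's verify failure.
        "keystore_cert_current": host is not None and host[1] == ca.get(certname),
        "truststore_trusts_puppet_ca": ca.get("ca") in trusted,
        # Alias built from the old fqdn while the CA now knows the short hostname.
        "alias_matches_certname": host_alias == certname,
    }

if __name__ == "__main__":
    result = check_puppetdb_ssl(KEYSTORE_LIST, TRUSTSTORE_LIST, PUPPET_FPS, "harp.mydomain.com", "harp")
    for name, ok in result.items():
        print(f"{'OK ' if ok else 'BAD'} {name}")
```

On the question's data the truststore check passes while the keystore check fails, which matches the symptom: the CA cert is fine, but the host certificate PuppetDB presents is the revoked one.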

Server Fault user

Posted on 2015-08-04 12:10:25

This also happens when the memory setting for PuppetDB is too low.

vim /etc/default/puppetdb

Edit the line

JAVA_ARGS="-Xmx192m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/puppetdb/puppetdb-oom.hprof -Djava.security.egd=file:/dev/urandom"

so that it becomes

JAVA_ARGS="-Xmx1024m -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/log/puppetdb/puppetdb-oom.hprof -Djava.security.egd=file:/dev/urandom"

and restart PuppetDB:

sudo service puppetdb restart
Votes 1

Server Fault user

Posted on 2013-07-15 18:55:07

Had a similar problem. Solution:

1.) Delete the pe-puppetdb files on the master.
2.) Stop the pe-puppetdb service on the master.
3.) Start the pe-puppetdb service on the master and wait 30 seconds.

Votes 0
Original content provided by Server Fault; translation supported by Tencent Cloud's IT-domain translation engine.
Original link: https://serverfault.com/questions/400092