由于ssl错误，新服务器无法从Puppetmaster获取配置

Question

生产环境中的三台机器有一些硬件问题，已经退役。基础设施团队重新安装了它们，并给它们提供了相同的主机名和IP地址。其目的是在这些系统上运行木偶，这样就可以再次启用这些系统。

尝试

1)通过发出以下命令，从Puppetmaster中删除了旧的傀儡证书：

puppet cert revoke grb16.company.com
puppet cert clean grb16.company.com

2)删除旧证书后，通过从一个重新安装的节点发出以下命令，创建一个新的证书请求：

[root@grb16 ~]# puppet agent -t
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for grb16.company.com
Info: Certificate Request fingerprint (SHA256): 6F:2D:1D:71:67:18:99:86:2C:22:A1:14:80:55:34:35:FD:20:88:1F:36:ED:A7:7B:2A:12:09:4D:F8:EC:BF:6D
Exiting; no certificate found and waitforcert is disabled
[root@grb16 ~]#

3)一旦证书请求在Puppetmaster上可见，就会发出以下命令来签署证书请求：

[root@foreman ~]# puppet cert sign grb16.company.com
Notice: Signed certificate request for grb16.company.com
Notice: Removing file Puppet::SSL::CertificateRequest grb16.company.com at '/var/lib/puppet/ssl/ca/requests/grb16.company.com.pem'
[root@foreman ~]# 

问题

一旦签署了证书请求并启动了一个木偶运行，就会引发以下错误：

[root@grb16 ~]# puppet agent -t
Info: Caching certificate for grb16.company.com
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Exiting; failed to retrieve certificate and waitforcert is disabled
[root@grb16 ~]# 

第二次运行木偶将导致：

[root@grb16 ~]# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://foreman.company.com/pluginfacts: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Wrapped exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://foreman.company.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Wrapped exception:
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: foreman.company.com]
[root@grb16 ~]# 

分析

为了解决这一问题，对错误消息进行了调查，看起来问题是与SSL或木偶相关的。这些包中可能有一个安装错误，或者在重新安装的节点上安装了错误的版本。

木偶

[root@grb16 ~]# yum list installed |grep puppet
facter.x86_64          1:2.3.0-1.el6    @puppetlabs_6_products                  
hiera.noarch           1.3.4-1.el6      @puppetlabs_6_products                  
puppet.noarch          3.7.3-1.el6      @puppetlabs_6_products                  
puppetlabs-release.noarch
                       6-11             @puppetlabs_6_products                  
ruby-augeas.x86_64     0.4.1-3.el6      @puppetlabs_6_deps                      
ruby-shadow.x86_64     1:2.2.0-2.el6    @puppetlabs_6_deps                      
rubygem-json.x86_64    1.5.5-3.el6      @puppetlabs_6_deps  

SSL

[root@grb16 ~]# yum list installed |grep ssl
nss_compat_ossl.x86_64 0.9.6-1.el6      @anaconda-CentOS-201410241409.x86_64/6.6
openssl.x86_64         1.0.1e-30.el6_6.4
openssl-devel.x86_64   1.0.1e-30.el6_6.4
[root@grb16 ~]# 

在安装在不同服务器上的SSL和Puppet包之间没有发现任何差异。尚未退役或重新安装的系统仍然能够运行木偶。此问题仅限于重新安装的服务器。请注意，未在其他两个重新安装的服务器上运行Puppet。造成这一问题的原因是什么，如何解决？

Answer 1

简明答案

问题CRL is not yet valid for表示“傀儡代理”与“傀儡主机”之间的时间不同步.。同步时间(NTP)。从“傀儡代理”和“木偶主”中移除证书，并在代理上运行“木偶”。

综合答案

CRL is not yet valid for驻留在以下代码段中。

下面是测试代码片段描述了造成此问题的原因：

it 'includes the CRL issuer in the verify error message' do
  crl = OpenSSL::X509::CRL.new
  crl.issuer = OpenSSL::X509::Name.new([['CN','Puppet CA: puppetmaster.example.com']])
  crl.last_update = Time.now + 24 * 60 * 60
  ssl_context.stubs(:current_crl).returns(crl)

  subject.call(false, ssl_context)
  expect(subject.verify_errors).to eq(["CRL is not yet valid for /CN=Puppet CA: puppetmaster.example.com"])
end

ssl_context

let(:ssl_context) do
  mock('OpenSSL::X509::StoreContext')
end

主题

subject do
  described_class.new(ssl_configuration,
  ssl_host)
end

代码包括来自OpenSSL：：X 509：：CRL类的片段。

issuer=(p1)

               static VALUE
ossl_x509crl_set_issuer(VALUE self, VALUE issuer)
{
    X509_CRL *crl;

    GetX509CRL(self, crl);

    if (!X509_CRL_set_issuer_name(crl, GetX509NamePtr(issuer))) { /* DUPs name */
        ossl_raise(eX509CRLError, NULL);
    }
    return issuer;
}

last_update=(p1)

               static VALUE
ossl_x509crl_set_last_update(VALUE self, VALUE time)
{
    X509_CRL *crl;
    time_t sec;

    sec = time_to_time_t(time);
    GetX509CRL(self, crl);
    if (!X509_time_adj(crl->crl->lastUpdate, 0, &sec)) {
        ossl_raise(eX509CRLError, NULL);
    }

    return time;
}

last_updated时间将是当前时间加上额外的一天，并将传递给调用驻留在默认设置_验证器类中的调用函数的subject函数。

class Puppet::SSL::Validator::DefaultValidator #< class Puppet::SSL::Validator
  attr_reader :peer_certs
  attr_reader :verify_errors
  attr_reader :ssl_configuration

  FIVE_MINUTES_AS_SECONDS = 5 * 60

  def initialize(
    ssl_configuration = Puppet::SSL::Configuration.new(
    Puppet[:localcacert], {
      :ca_auth_file => Puppet[:ssl_client_ca_auth]
    }),

    ssl_host = Puppet::SSL::Host.localhost)
    reset!
    @ssl_configuration = ssl_configuration
    @ssl_host = ssl_host
  end

  def call(preverify_ok, store_context)
    if preverify_ok
      ...
    else
      ...
      crl = store_context.current_crl
      if crl
        if crl.last_update && crl.last_update < Time.now + FIVE_MINUTES_AS_SECONDS
          ...
        else
          @verify_errors << "#{error_string} for #{crl.issuer}"
        end
        ...
      end
    end
  end

如果preverify_ok为false，则适用else子句。因为if crl.last_update && crl.last_update < Time.now + FIVE_MINUTES_AS_SECONDS的结果是假的，因为时间被另加了一天，所以else语句将适用。@verify_errors << "#{error_string} for #{crl.issuer}"的评价结果为CRL is not yet valid for /CN=Puppet CA: puppetmaster.example.com。

为了解决这一问题：

1. 同步木偶代理和傀儡管理员之间的时间。NTP服务器在两个节点上运行(很好)吗？
2. 从代理中删除或重命名完整的ssl文件夹(/var/lib/lib/ssl)。
3. 通过发出sudo puppet cert clean <fqdn-puppet-agent>从主服务器上撤消证书
4. 如果自动签名被禁用，请在证书上签名
5. 在代理人身上操纵傀儡

总之，“木偶特工”和“木偶主人”的时间应该一直同步.超过5分钟的最大允许偏差将导致问题。

Answer 2

也遇到了同样的问题。

我们的傀儡设置是使用GitHub进行版本控制的，所以每次我们提供一个新的傀儡管理员时，我们都会遇到证书问题。通常情况下，puppet ca --clean --all可以工作，但我们发现以下内容更可靠：

rm -rf $(puppet master --configprint ssldir)