官术网_书友最值得收藏!

The Puppet CA

Among the most frustrating issues, especially for new users, are problems with the agent's SSL handshake. Such errors are especially troublesome because Puppet cannot always offer very helpful analysis in its logs - the problems occur in the SSL library functions, and the application cannot examine the circumstances.

The online documentation at Puppet Labs has a troubleshooting section that also has some advice concerning SSL-related issues at https://docs.puppetlabs.com/guides/troubleshooting.html.

Consider the following output for the --test command:

root@agent# puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=unknown state: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: puppet.example.net]

The agent opines that the CRL it receives from the master is not yet valid. Errors such as these can happen whenever the agent's clock gets reset to a very early date. This can also result from a slight clock skew, when the CRL has recently been updated through a revocation action on the master. If the system clock on the agent machine returns a time far in the future, it will consider certificates to be expired.

These clock-related issues are best avoided by running an ntp service on all Puppet agents and masters.

Errors will generally result if the data in the agent's $ssldir becomes inconsistent. This can happen when the agent interacts with an alternate master (a testing instance, for example). The first piece of advice you will most likely receive when asking the community what to do about such problems is to create a new agent certificate from scratch. This works as described in the The agent's life cycle section:

  • Remove all the SSL data from the agent machine
  • Revoke and remove the certificate from the master using puppet cert clean
  • Request and sign a new certificate
Before you start the recovery procedure, make sure that you are logged in to the afflicted agent machine and not the master. Losing the master's SSL data will make it necessary to recreate your complete SSL infrastructure.

This approach will indeed remedy most issues. Be careful not to leave any old files in the relevant location on the agent machine. If the problems persist, a more involved solution is required. The openssl command-line tool is helpful to analyze the certificates and related files. The details of such an analysis are beyond the scope of this book, though.

主站蜘蛛池模板: 双城市| 平山县| 宁城县| 扶沟县| 突泉县| 石楼县| 永福县| 嘉荫县| 娄烦县| 文化| 桐梓县| 东乡县| 江西省| 遵义县| 长沙县| 扶绥县| 靖安县| 都兰县| 绥阳县| 报价| 陈巴尔虎旗| 宁蒗| 成都市| 和林格尔县| 丽水市| 澜沧| 锦屏县| 观塘区| 无极县| 洪雅县| 蒙自县| 资阳市| 留坝县| 庆城县| 象州县| 措美县| 甘孜县| 大丰市| 温泉县| 鲁甸县| 滨州市|