
The Puppet CA

Among the most frustrating issues, especially for new users, are problems with the agent's SSL handshake. Such errors are especially troublesome because Puppet cannot always offer very helpful analysis in its logs - the problems occur in the SSL library functions, and the application cannot examine the circumstances.

The online documentation at Puppet Labs has a troubleshooting section that also has some advice concerning SSL-related issues at https://docs.puppetlabs.com/guides/troubleshooting.html.

Consider the following output for the --test command:

root@agent# puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=unknown state: certificate verify failed: [CRL is not yet valid for /CN=Puppet CA: puppet.example.net]

The agent opines that the CRL it receives from the master is not yet valid. Errors such as these can happen whenever the agent's clock gets reset to a very early date. This can also result from a slight clock skew, when the CRL has recently been updated through a revocation action on the master. If the system clock on the agent machine returns a time far in the future, it will consider certificates to be expired.

These clock-related issues are best avoided by running an ntp service on all Puppet agents and masters.

Errors will generally result if the data in the agent's $ssldir becomes inconsistent. This can happen when the agent interacts with an alternate master (a testing instance, for example). The first piece of advice you will most likely receive when asking the community what to do about such problems is to create a new agent certificate from scratch. This works as described in The agent's life cycle section:

  • Remove all the SSL data from the agent machine
  • Revoke and remove the certificate from the master using puppet cert clean
  • Request and sign a new certificate

Before you start the recovery procedure, make sure that you are logged in to the afflicted agent machine and not the master. Losing the master's SSL data will make it necessary to recreate your complete SSL infrastructure.
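The three steps above as an agent-side script. This is an added example, not code from the book or from Puppet; it assumes the Puppet 3 command line used in this section (puppet agent --configprint, puppet cert clean, puppet cert sign), and the PUPPET variable is a hypothetical override so the functions can be exercised without a real agent. Its one safeguard is the check the note above asks for: it refuses to delete an ssldir that contains a ca/ subdirectory, which is what the master's ssldir has and an agent's never does.

```shell
#!/bin/sh
# Added example, not from the book: reset an agent's SSL data and print the
# remaining steps. Assumes the Puppet 3 CLI (puppet agent --configprint,
# puppet cert clean/sign). PUPPET is a hypothetical override for testing.
set -eu

PUPPET="${PUPPET:-puppet}"

# A directory holding a CA is the master's ssldir, never an agent's.
is_ca_ssldir() {
    [ -d "$1/ca" ]
}

# Step 1 (on the agent): remove all SSL data. Refuses, removing nothing,
# when the directory looks like the CA's own, so that running this on the
# master by mistake does not destroy the SSL infrastructure.
wipe_agent_ssl() {
    ssldir="$1"
    if is_ca_ssldir "$ssldir"; then
        echo "refusing to remove $ssldir: it holds a CA (is this the master?)" >&2
        return 1
    fi
    rm -rf "$ssldir"
}

# Step 3, agent half: request a fresh certificate and wait for it to be
# signed; the agent recreates its ssldir on this run.
request_new_cert() {
    "$PUPPET" agent --test --waitforcert 60
}

# Steps 2 and 3, master half, printed rather than executed: these commands
# belong on the master, and this script is meant to run on the agent.
master_steps() {
    certname="$1"
    printf 'On the master, before the agent requests a new certificate:\n'
    printf '  puppet cert clean %s\n' "$certname"
    printf 'On the master, once the new request has arrived:\n'
    printf '  puppet cert sign %s\n' "$certname"
}

# Usage, in this order, on the agent:
#   wipe_agent_ssl "$(puppet agent --configprint ssldir)"
#   master_steps   "$(puppet agent --configprint certname)"  # run step 2 there
#   request_new_cert                                          # then sign on master
```

The master half is printed instead of run on purpose: puppet cert clean has to happen on the master before the agent submits its new request, otherwise the old certificate still on file collides with the new CSR, and keeping it out of the script makes it impossible to issue it from the wrong host.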

This approach will indeed remedy most issues. Be careful not to leave any old files in the relevant location on the agent machine. If the problems persist, a more involved solution is required. The openssl command-line tool is helpful to analyze the certificates and related files. The details of such an analysis are beyond the scope of this book, though.
