[linux tips] puppet client SSL certificate expired

Problem:

[root@control-01 .ssh]# puppet agent -tv
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL has expired for /CN=foreman.abc.com]
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL has expired for /CN=foreman.abc.com]
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://foreman.abc.com/pluginfacts: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL has expired for /CN=foreman.abc.com]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL has expired for /CN=foreman.abc.com]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://foreman.abc.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL has expired for /CN=foreman.abc.com]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL has expired for /CN=foreman.abc.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL has expired for /CN=foreman.abc.com]

Solution:

[root@control-01 .ssh]# cat /etc/puppet/puppet.conf 

[main]
vardir = /var/lib/puppet
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl

[agent]
pluginsync      = true
report          = true
ignoreschedules = true
daemon          = false
ca_server       = foreman.abc.com
certname        = control-01.abc.com
environment     = stable
server          = foreman.abc.com

[root@control-01 .ssh]# cd /var/lib/puppet/
[root@control-01 puppet]# mv ssl ssl.bak
[root@control-01 puppet]# puppet agent --test
Info: Creating a new SSL key for control-01.abc.com
Info: Caching certificate for ca
Info: Caching certificate for control-01.abc.com
Error: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: 7D:D8:2C:03:20:EB:XXXXX:4B:84
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
On the master:
  puppet cert clean control-01.abc.com
On the agent:
  1a. On most platforms: find /var/lib/puppet/ssl -name control-01.abc.com.pem -delete
  1b. On Windows: del "/var/lib/puppet/ssl/control-01.abc.com.pem" /f
  2. puppet agent -t

Follow the final hint in the output above and run the listed commands on the master and on the client.
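
The agent output above reports `CRL has expired` rather than an expired certificate. The following is an added example, not part of the original post: it extracts the verify-failure reason from agent output and reads the expiry dates of the agent's cached CRL and certificates before the ssl directory is moved aside. The function names, the file locations under `ssldir` (`crl.pem`, `certs/ca.pem`, `certs/<certname>.pem`) and the use of GNU `date -d` are assumptions.

```shell
#!/usr/bin/env bash
# Added example: triage a Puppet agent "certificate verify failed" error.
# Assumed layout: ssldir = /var/lib/puppet/ssl, as in the puppet.conf above.

# Print each distinct verify-failure reason found in agent output on stdin,
# e.g. "CRL has expired for /CN=foreman.abc.com".
verify_reasons() {
    sed -n 's/.*certificate verify failed: \[\(.*\)\].*/\1/p' | sort -u
}

# Given an openssl date line ("nextUpdate=..." or "notAfter=...") and an
# optional "now" in epoch seconds, print "expired" or "valid".
# Assumes GNU date, which can parse openssl's date format with -d.
expiry_state() {
    local when now
    when=$(date -u -d "${1#*=}" +%s) || return 2
    now=${2:-$(date -u +%s)}
    if [ "$when" -le "$now" ]; then echo expired; else echo valid; fi
}

# Report the expiry of the cached CRL, the CA certificate and the agent
# certificate under the given ssldir. Files that are missing are skipped.
inspect_ssldir() {
    local ssldir=$1 certname=$2 f line
    f="$ssldir/crl.pem"
    if [ -r "$f" ]; then
        line=$(openssl crl -in "$f" -noout -nextupdate)
        echo "$f: $line ($(expiry_state "$line"))"
    fi
    for f in "$ssldir/certs/ca.pem" "$ssldir/certs/$certname.pem"; do
        [ -r "$f" ] || continue
        line=$(openssl x509 -in "$f" -noout -enddate)
        echo "$f: $line ($(expiry_state "$line"))"
    done
}

# Constructed sample line, modelled on the agent output above.
SAMPLE='Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL has expired for /CN=foreman.abc.com]'
printf '%s\n' "$SAMPLE" | verify_reasons

# On the agent itself:
#   inspect_ssldir /var/lib/puppet/ssl control-01.abc.com
```
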
