Cockpit: cockpit failed to start with an error loading certificates

Created on 21 May 2020  ·  5 Comments  ·  Source: cockpit-project/cockpit

Cockpit version: 251-1 amd64
OS: Ubuntu 20.20 Linux gen8 5.4.0-26-generic #30-Ubuntu SMP Mon Apr 20 16:58:30 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

I installed cockpit on a Gen8 with a freshly installed Ubuntu 20.20, and cockpit started with an SSL error. I tried reinstalling cockpit to fix this invalid certificate error. But after that, I can no longer start cockpit with sudo systemctl start cockpit.

$ sudo systemctl status cockpit

● cockpit.service - Cockpit Web Service
     Loaded: loaded (/lib/systemd/system/cockpit.service; static; vendor preset: enabled)
     Active: failed (Result: exit-code) since Thu 2020-05-21 04:06:34 UTC; 7min ago
TriggeredBy: ● cockpit.socket
       Docs: man:cockpit-ws(8)
    Process: 563960 ExecStartPre=/usr/sbin/remotectl certificate --ensure --user=root --group=cockpit-ws --selinux-type= (code=exited, status=0/SUCCESS)
    Process: 563961 ExecStart=/usr/lib/cockpit/cockpit-tls (code=exited, status=1/FAILURE)
   Main PID: 563961 (code=exited, status=1/FAILURE)

May 21 04:06:34 gen8 systemd[1]: cockpit.service: Main process exited, code=exited, status=1/FAILURE
May 21 04:06:34 gen8 systemd[1]: cockpit.service: Failed with result 'exit-code'.
May 21 04:06:34 gen8 systemd[1]: Starting Cockpit Web Service...
May 21 04:06:34 gen8 systemd[1]: Started Cockpit Web Service.
May 21 04:06:34 gen8 cockpit-tls[563961]: cockpit-tls: Could not locate server certificate: Error loading certificates from /etc/cockpit/ws-certs.d: Permission denied
May 21 04:06:34 gen8 systemd[1]: cockpit.service: Main process exited, code=exited, status=1/FAILURE
May 21 04:06:34 gen8 systemd[1]: cockpit.service: Failed with result 'exit-code'.
May 21 04:06:34 gen8 systemd[1]: cockpit.service: Start request repeated too quickly.
May 21 04:06:34 gen8 systemd[1]: cockpit.service: Failed with result 'exit-code'.
May 21 04:06:34 gen8 systemd[1]: Failed to start Cockpit Web Service.
$ journalctl -u cockpit

-- Logs begin at Mon 2020-05-04 05:17:32 UTC, end at Thu 2020-05-21 04:24:00 UTC. --
May 15 14:09:28 gen8 systemd[1]: Starting Cockpit Web Service...
May 15 14:09:28 gen8 remotectl[527778]: Generating temporary certificate using: sscg --quiet --lifetime 3650 --key-strength 2048 --cert-key-file /etc/cockpit/ws-certs.d/0-self-signed.cert --cert-file /etc/cockpit/ws-certs.d/0-self-signed>
May 15 14:09:28 gen8 remotectl[527778]: Error generating temporary dummy cert using sscg, falling back to openssl
May 15 14:09:28 gen8 remotectl[527778]: Generating temporary certificate using: openssl req -x509 -days 36500 -newkey rsa:2048 -keyout /etc/cockpit/ws-certs.d/0-self-signed.347AK0.tmp -keyform PEM -nodes -out /etc/cockpit/ws-certs.d/0-se>
May 15 14:09:28 gen8 systemd[1]: Started Cockpit Web Service.
May 15 14:10:58 gen8 systemd[1]: cockpit.service: Succeeded.
May 15 14:19:34 gen8 systemd[1]: Starting Cockpit Web Service...
May 15 14:19:34 gen8 systemd[1]: Started Cockpit Web Service.
May 15 14:19:57 gen8 systemd[1]: Stopping Cockpit Web Service...
May 15 14:19:57 gen8 systemd[1]: cockpit.service: Succeeded.
May 15 14:19:57 gen8 systemd[1]: Stopped Cockpit Web Service.
May 15 14:23:23 gen8 systemd[1]: Starting Cockpit Web Service...
May 15 14:23:23 gen8 systemd[1]: Started Cockpit Web Service.
May 15 14:24:53 gen8 systemd[1]: cockpit.service: Succeeded.
May 15 14:24:56 gen8 systemd[1]: Starting Cockpit Web Service...
May 15 14:24:56 gen8 systemd[1]: Started Cockpit Web Service.
May 15 14:25:15 gen8 cockpit-tls[529527]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
May 15 14:25:46 gen8 cockpit-tls[529527]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
May 15 14:25:46 gen8 cockpit-tls[529527]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
May 15 14:27:16 gen8 systemd[1]: cockpit.service: Succeeded.
May 15 14:38:02 gen8 systemd[1]: Starting Cockpit Web Service...
May 15 14:38:02 gen8 systemd[1]: Started Cockpit Web Service.
May 15 14:38:02 gen8 cockpit-tls[530315]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
May 15 14:38:03 gen8 cockpit-tls[530315]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
May 15 14:38:03 gen8 cockpit-tls[530315]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
May 15 14:38:03 gen8 cockpit-tls[530315]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
May 15 14:38:11 gen8 cockpit-tls[530315]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
May 15 14:38:11 gen8 cockpit-tls[530315]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
May 15 14:38:11 gen8 cockpit-tls[530315]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
May 15 14:39:24 gen8 cockpit-tls[530315]: cockpit-tls: gnutls_handshake failed: Decryption has failed.
May 15 14:39:28 gen8 cockpit-tls[530315]: cockpit-tls: gnutls_handshake failed: Decryption has failed.
May 15 14:39:32 gen8 cockpit-tls[530315]: cockpit-tls: gnutls_handshake failed: Decryption has failed.
May 15 14:39:37 gen8 cockpit-tls[530315]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
May 15 14:39:37 gen8 cockpit-tls[530315]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
May 15 14:40:40 gen8 cockpit-tls[530315]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
May 15 14:40:40 gen8 cockpit-tls[530315]: cockpit-tls: gnutls_handshake failed: A TLS fatal alert has been received.
May 15 14:42:10 gen8 systemd[1]: cockpit.service: Succeeded.
May 20 07:34:15 gen8 systemd[1]: Starting Cockpit Web Service...
May 20 07:34:15 gen8 systemd[1]: Started Cockpit Web Service.
May 20 07:35:53 gen8 systemd[1]: cockpit.service: Succeeded.
May 20 07:40:42 gen8 systemd[1]: Starting Cockpit Web Service...
May 20 07:40:42 gen8 systemd[1]: Started Cockpit Web Service.
May 20 07:42:12 gen8 systemd[1]: cockpit.service: Succeeded.
May 20 07:45:38 gen8 systemd[1]: Starting Cockpit Web Service...
May 20 07:45:38 gen8 systemd[1]: Started Cockpit Web Service.
May 20 07:47:39 gen8 systemd[1]: cockpit.service: Succeeded.
May 20 08:03:05 gen8 systemd[1]: Starting Cockpit Web Service...
May 20 08:03:05 gen8 systemd[1]: Started Cockpit Web Service.
May 20 08:03:12 gen8 cockpit-tls[559075]: cockpit-tls: gnutls_handshake failed: Decryption has failed.
May 20 08:03:42 gen8 cockpit-tls[559075]: cockpit-tls: gnutls_handshake failed: Decryption has failed.
May 20 08:05:12 gen8 systemd[1]: cockpit.service: Succeeded.
May 20 08:09:23 gen8 systemd[1]: Starting Cockpit Web Service...
May 20 08:09:23 gen8 systemd[1]: Started Cockpit Web Service.
May 20 08:10:53 gen8 systemd[1]: cockpit.service: Succeeded.
$ sudo ls -al /etc/cockpit
drwx------   2 root root 4096 May 21 04:04 ws-certs.d
$ sudo ls -al /etc/cockpit/ws-certs.d
-rw-r----- 1 root cockpit-ws 2853 May 21 04:04 0-self-signed.cert

I think there is something odd about my /etc/cockpit folder, but I have no idea what to do about it.

All 5 comments

@kxxoling: Right, the /etc/cockpit/ws-certs.d/ folder is accessible only to root. It should be 0755. This smells like some umask problem - do you have a very restrictive one for root, like 077?
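The mode check described in the reply above, as an added example that is not part of the original thread or of Cockpit's own code. The function names are hypothetical; the expected modes are the ones the thread gives (directory 0755, certificate file rw-r-----), and file ownership is not checked.

```shell
#!/bin/sh
# Added example: audit modes on a Cockpit certificate directory.
# Expected values come from the thread: directory 0755 (the maintainer's
# reply), certificate file rw-r----- (the reporter's ls listing).

# check_cert_dir DIR
# Prints one line per finding; returns 0 if clean, 1 otherwise.
check_cert_dir() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir is not a directory"
        return 1
    fi
    # The directory needs r-x for "other"; a root-only 0700 directory
    # matches the "Permission denied" diagnosis in the thread.
    if [ -z "$(find "$dir" -maxdepth 0 -perm -005)" ]; then
        echo "DIR_TOO_STRICT: $dir lacks r-x for others (expected 0755)"
        rc=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # The group must be able to read the file ...
        if [ -z "$(find "$f" -maxdepth 0 -perm -040)" ]; then
            echo "FILE_TOO_STRICT: $f is not group-readable"
            rc=1
        fi
        # ... and the thread's listing gives others no access to it.
        if [ -n "$(find "$f" -maxdepth 0 -perm -004)" ]; then
            echo "FILE_TOO_OPEN: $f is world-readable"
            rc=1
        fi
    done
    return $rc
}

# umask_breaks_dirs UMASK
# Returns 0 (true) if a directory created under UMASK would lack r-x for
# others, e.g. the 077 suggested as the cause in the thread.
umask_breaks_dirs() {
    mode=$(( 0777 & ~0$1 ))
    [ $(( mode & 05 )) -ne 5 ]
}

# Usage (as root): check_cert_dir /etc/cockpit/ws-certs.d
#                  umask_breaks_dirs "$(umask)" && echo "umask too strict"
```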

@martinpitt I tried a clean reinstall of the latest version from apt, and found that there would be a machines.d folder in /etc/cockpit next to ws-certs.d. And cockpit-ws starts fine now, except for the https problem:

$ curl https://localhost:9090
curl: (60) SSL certificate problem: self signed certificate

Is 0-self-signed.cert a legal certificate? Or should I maintain the certificate myself?

@kxxoling: It is a indicates , it is self-signed. So curl (same as your browser) does not accept it by default. You can either accept it anyway (curl -k or clicking the button in the browser) or, better, add your own.

@martinpitt Got it. I will try using one signed by Let's Encrypt instead. That may solve the certificate problem.

The service start error may have been caused by me by accident, but a full reinstall can resolve it. So I will close this issue.

Thanks for the help! @martinpitt :D
