Issue #16769 has been updated by Jeremy MAURO.
Hi,
Since the upgrade from puppet 2.7.18 to 3.0.0, I am using puppet+passenger on
debian squeeze with the package from puppetlabs:
<pre><code>
# dpkg -l 'puppet*' |grep ii
ii  puppet               3.0.0-1puppetlabs1   Centralized configuration management - agent startup and compatibility scripts
ii  puppet-common        3.0.0-1puppetlabs1   Centralized configuration management
ii  puppet-dashboard     1.2.11-1puppetlabs1  Dashboard for Puppet
ii  puppetdb             1.0.0-1puppetlabs1   PuppetDB Centralized Storage.
ii  puppetdb-terminus    1.0.0-1puppetlabs1   Connect Puppet to PuppetDB by setting up a terminus for PuppetDB.
ii  puppetmaster         3.0.0-1puppetlabs1   Centralized configuration management - master startup and compatibility scripts
ii  puppetmaster-common  3.0.0-1puppetlabs1   Puppet master common scripts
</code></pre>
Currently using the following apache configuration file:
<pre><code>
Listen 8140
<VirtualHost *:8140>
ServerName puppetmaster.fqdn
ErrorLog /var/log/apache2/puppetmaster_error.log
LogLevel warn
SetEnvIf Remote_Addr "::1" dontlog
CustomLog /var/log/apache2/puppetmaster_access.log combined env=!dontlog
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCertificateFile /data/local/puppet/ssl/certs/puppetmaster.fqdn.pem
SSLCertificateKeyFile /data/local/puppet/ssl/private_keys/puppetmaster.fqdn.pem
SSLCertificateChainFile /data/local/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /data/local/puppet/ssl/ca/ca_crt.pem
## CRL checking should be enabled; if you have problems with
## Apache complaining about the CRL, disable the next line
SSLCARevocationFile /data/local/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars +ExportCertData
# This header needs to be set if using a loadbalancer or proxy
# RequestHeader unset X-Forwarded-For
## The following client headers allow the same configuration
## to work with Pound.
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
RackAutoDetect On
DocumentRoot /var/www/puppetmaster/public/
RackBaseURI /
<Directory /var/www/puppetmaster/public/>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>
</code></pre>
And the following config.ru:
<pre><code>
# a config.ru, for use with every rack-compatible webserver.
# SSL needs to be handled outside this, though.
# if puppet is not in your RUBYLIB:
# $LOAD_PATH.unshift('/opt/puppet/lib')
$0 = "master"
# if you want debugging:
# ARGV << "--debug"
ARGV << "--rack"
# Rack applications typically don't start as root. Set --confdir to prevent
# reading configuration from ~/.puppet/puppet.conf
ARGV << "--confdir" << "/etc/puppet" << "--config=/etc/puppet/conf/puppet.conf"
# NOTE: it's unfortunate that we have to use the "CommandLine" class
# here to launch the app, but it contains some initialization logic
# (such as triggering the parsing of the config file) that is very
# important. We should do something less nasty here when we've
# gotten our API and settings initialization logic cleaned up.
#
# Also note that the "$0 = master" line up near the top here is
# the magic that allows the CommandLine class to know that it's
# supposed to be running master.
#
# --cprice 2012-05-22
require 'puppet/util/command_line'
# we're usually running inside a Rack::Builder.new {} block,
# therefore we need to call run *here*.
run Puppet::Util::CommandLine.new.execute
</code></pre>
I am having an issue when trying to get a new certificate:
<pre><code>
info: Creating a new SSL key for linux-install.fqdn
err: Could not request certificate: Error 400 on SERVER: header too long
Exiting; failed to retrieve certificate and waitforcert is disabled
</code></pre>
----------------------------------------
Bug #16769: Apache "SSLOptions +ExportCertData" causes "header too long" error
https://projects.puppetlabs.com/issues/16769#change-72508
Author: eric sorenson
Status: Needs More Information
Priority: Normal
Assignee:
Category:
Target version: 3.0.1
Affected Puppet version: 3.0.0
Keywords: ssl
Branch:
Reported on the mailing list at
https://groups.google.com/forum/?fromgroups=#!topic/puppet-users/tpKvbor15iY
This was added as part of #7962.