Issue #16769 has been updated by Steven Lindberg. Assignee changed from Steven Lindberg to eric sorenson
Ah bummer... [I didn't think adding this option would have a significant impact](https://github.com/puppetlabs/puppet/pull/1074#issuecomment-8356458). I never came across this issue on my development box:

- Ubuntu 12.04 (uname -rm: 3.2.0-30-generic x86_64)
- apache v2.2.22
- ruby v1.8.7-p370
- passenger v3.0.17
- rack v1.4.1

My only guess is that having more than just one cert in any certificate chain pushes it over that mysterious hard limit, although it doesn't look like Jeremy is doing anything fancy certificate-wise... I would have guessed it has to do with using a recent version of passenger, but Chris is using the same version as I was.

In regards to extracting only the 'ValidityPeriod', it looks like the [`SSL_CLIENT_V_END`](http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#envvars) var will give just the client certificate's expiration date without requiring the `+ExportCertData` option. [`Puppet::Network::HTTP::Handler`](https://github.com/puppetlabs/puppet/blob/339ed9ec6fa7bdc37f4bcf0fb8e4a533badf746a/lib/puppet/network/http/handler.rb#L223) will need to get updated to provide just that information, and the [WEBrick handler](https://github.com/puppetlabs/puppet/blob/339ed9ec6fa7bdc37f4bcf0fb8e4a533badf746a/lib/puppet/network/http/webrick/rest.rb#L47) as well. The [`warn_if_near_expiration()`](https://github.com/puppetlabs/puppet/blob/339ed9ec6fa7bdc37f4bcf0fb8e4a533badf746a/lib/puppet/network/authentication.rb#L12) function also currently expects full-fledged certificates and will need modification. However, as it stands the option is only necessary if the admin wants **agent** certificate expiration warnings to appear **in the master logs**. If omitted, master and CA cert expiration warnings will still appear in the master logs, and agent cert warnings will still appear in the agent logs, and therefore in reports.
As I understood it, this covered situations where reports (and agent logs in general) were not utilized, and the puppetmaster log is the primary source of information about the status of nodes. Hopefully in larger clusters -- ones that are likely going to be using passenger -- admins can rely on reports to show the agent certificate expiration warnings (or maybe they don't even care?), and the extra `+ExportCertData` option can just be omitted. There's [a note above the config option](https://github.com/slindberg/puppet/commit/12d81c7ef97167f1831143ff0037ae9a3970960d#L0R27) in the example `apache.conf` stating what it is used for; perhaps it would be best to change the language to indicate that it is not crucial for operation?

steven

----------------------------------------
Bug #16769: Apache "SSLOptions +ExportCertData" causes "header too long" error
https://projects.puppetlabs.com/issues/16769#change-72977

Author: eric sorenson
Status: Needs More Information
Priority: Normal
Assignee: eric sorenson
Category:
Target version: 3.0.1
Affected Puppet version: 3.0.0
Keywords: ssl
Branch:

Reported on the mailing list at https://groups.google.com/forum/?fromgroups=#!topic/puppet-users/tpKvbor15iY
This was added as part of #7962.
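An added illustration (not code from the Puppet project or from anyone in this thread) of the approach discussed above: take the expiry from mod_ssl's `SSL_CLIENT_V_END` string when `+ExportCertData` is off, fall back to parsing the full certificate when it is on, and run a near-expiration check of the kind `warn_if_near_expiration()` performs. The `client_cert_expiry` and `expiration_warning` names, the 60-day window and the sample header values are assumptions for this example.

```ruby
require 'openssl'
require 'time'

# Warning window; Puppet's own threshold is configurable, 60 days here is an
# assumption for the example.
WARN_WINDOW_SECONDS = 60 * 24 * 60 * 60

# Parse the text form mod_ssl puts in SSL_CLIENT_V_END, e.g.
# "Nov  3 12:00:00 2013 GMT" (OpenSSL's ASN.1 time print format, which pads a
# single-digit day with a second space, hence the squeeze).
def parse_v_end(value)
  Time.strptime(value.strip.squeeze(' '), '%b %d %H:%M:%S %Y %Z').utc
end

# Return the client certificate's expiry as a Time, taking either the full PEM
# that +ExportCertData places in SSL_CLIENT_CERT or only the V_END string,
# which mod_ssl provides without that option. Returns nil if neither is set.
def client_cert_expiry(env)
  pem = env['SSL_CLIENT_CERT']
  if pem && !pem.strip.empty?
    OpenSSL::X509::Certificate.new(pem).not_after
  elsif (v_end = env['SSL_CLIENT_V_END'])
    parse_v_end(v_end)
  end
end

# The check warn_if_near_expiration() makes, but on a Time rather than a
# certificate object so it works for both header shapes above.
# Returns a warning string, or nil when no warning is due.
def expiration_warning(expiry, now = Time.now, window = WARN_WINDOW_SECONDS)
  return nil if expiry.nil?
  remaining = expiry - now
  if remaining <= 0
    "certificate expired at #{expiry.utc}"
  elsif remaining < window
    "certificate expires in #{(remaining / 86_400).floor} days (#{expiry.utc})"
  end
end

# Constructed sample: what a Rack env looks like without +ExportCertData.
SAMPLE_ENV = { 'SSL_CLIENT_V_END' => 'Nov  3 12:00:00 2013 GMT' }

if __FILE__ == $PROGRAM_NAME
  expiry = client_cert_expiry(SAMPLE_ENV)
  puts(expiration_warning(expiry, Time.utc(2013, 10, 1)) || 'no warning')
end
```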
