Issue #20742 has been updated by Charlie Sharpsteen. Status changed from Needs More Information to Accepted
Mike Szymanski wrote:

> Those lines fixed the issue. Did I miss those in the docs somewhere?

Nope, I had those in my puppet.conf for some reason and couldn't re-produce your issue until I pulled them.

In a nutshell, what is happening here is that we use the `ssl_client_header` setting to pull a component out of the Rack::Request environment. By default we pull `HTTP_X_CLIENT_DN` which can have the value of "(null)". Before commit [064f542](https://github.com/puppetlabs/puppet/commit/064f542) there was a regex that performed a quick sanity check on this component before subjecting it to further processing. After that commit, we lost the check and so the "(null)" passes through and turns into a `nil`.

In contrast, setting `ssl_client_header = SSL_CLIENT_S_DN` causes the Rack handler to try and pull the `SSL_CLIENT_S_DN` header from the environment, which returns `nil` and thus the processing is skipped up front.

I don't think side-stepping the problem in that way is the best solution but we are definitely working on a proper fix.

Thanks again for reporting this!

----------------------------------------
Bug #20742: unauthenticated clients unable to communicate with puppet master (running in passenger)
https://projects.puppetlabs.com/issues/20742#change-91112

* Author: Mike Szymanski
* Status: Accepted
* Priority: Normal
* Assignee: Charlie Sharpsteen
* Category:
* Target version:
* Affected Puppet version: 3.2.0-rc2
* Keywords:
* Branch:
----------------------------------------

I am having an issue adding new clients to puppet. The master is not accepting connections from unauthenticated clients, even though my auth.conf that worked with v3.1.1 has not changed. If I test ssl via curl -k, the puppet master returns "can't convert nil into String" to the client. The http log on the master shows a 400 return code. Also note, I'm using passenger & httpd with my puppet master.
If I do the certificate generation & signing manually and copy back to the client, it can communicate fine with the master.

Here is a snippet of my auth.conf: (I originally had "auth any", but changed to "auth no" to see if it made any difference--which it didn't)

<pre>
### Unauthenticated ACLs, for clients without valid certificates; authenticated
### clients can also access these paths, though they rarely need to.

# allow access to the CA certificate; unauthenticated nodes need this
# in order to validate the puppet master's certificate
path /certificate/ca
auth no
method find
allow *

# allow nodes to retrieve the certificate they requested earlier
path /certificate/
auth no
method find
allow *

# allow nodes to request a new certificate
path /certificate_request
auth no
method find, save
allow *
</pre>
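
The failure mode described in Charlie Sharpsteen's comment above, where the DN header holds the placeholder "(null)" for a client that presented no certificate, can be guarded against as in the following added Ruby example. It is not Puppet's code or its eventual fix; `client_cn`, `classify`, the pattern and the sample environments are hypothetical and constructed for illustration.

```ruby
# Added example, not Puppet's code: every name below is hypothetical.

# Values a front end may place in the DN header when no client
# certificate was presented ("(null)" is the value named in the comment).
PLACEHOLDER_DNS = ['', '(null)'].freeze

# Accepts "/C=US/O=Example/CN=host" and "CN=host,O=Example" style DNs.
CN_PATTERN = %r{(?:\A|[/,])\s*CN\s*=\s*([^/,]+)}i

# Returns the client's common name, or nil when the request has to be
# treated as unauthenticated (header missing, placeholder, or no CN).
def client_cn(env, header_name = 'HTTP_X_CLIENT_DN')
  raw = env[header_name]
  return nil unless raw.is_a?(String)

  dn = raw.strip
  return nil if PLACEHOLDER_DNS.include?(dn)

  match = CN_PATTERN.match(dn)
  return nil unless match

  cn = match[1].strip
  cn.empty? ? nil : cn
end

# Result a caller can branch on, so an unauthenticated request still
# reaches the "auth no" rules instead of failing on a nil conversion.
def classify(env, header_name = 'HTTP_X_CLIENT_DN')
  cn = client_cn(env, header_name)
  cn ? { authenticated: true, node: cn } : { authenticated: false, node: nil }
end

# Constructed sample Rack environments (not captured from a real master).
SAMPLE_ENVS = {
  no_cert: { 'HTTP_X_CLIENT_DN' => '(null)' },
  missing: {},
  slash:   { 'HTTP_X_CLIENT_DN' => '/C=US/O=Example/CN=agent01.example.com' },
  comma:   { 'HTTP_X_CLIENT_DN' => 'CN=agent02.example.com,O=Example' },
  garbage: { 'HTTP_X_CLIENT_DN' => 'not a dn' }
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_ENVS.each { |label, env| puts "#{label}: #{classify(env).inspect}" }
end
```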
