On Mon, Sep 27, 2010 at 1:30 AM, Nicolas Bourbaki
<[email protected]> wrote:
> Hi,
>
> I am using puppet with an external PKI and I recently upgraded the
> configuration to use passenger instead of webrick. However since I made that
> change, I discovered that the certificates I am using are not working
> anymore. Everything ran fine using webrick but as the number of managed nodes
> increased I wanted to switch to a more reliable web server. The problem is
> that passenger expects node certificates to have a DN field such as
> "/CN=mynode.example.com". If you use a certificate such as
> "/CN=mynode.example.com/O=MyOrg/L=Anywhere", passenger extracts the CN using
> a regex which only looks for a "CN" pattern and outputs everything else. I
> think this is wrong as the required info is the node's fqdn. I got it to
> work by changing the regex in the rack code, but I think passenger should
> either be modified to include a better regex or be able to retrieve other
> apache environment variables (see below).
What I'm understanding is that rack has an overly inclusive regex for
getting the CN name. I'm not sure yet how this is something that we
could fix in Puppet code. If this is an issue with passenger or rack
code it may be something that needs to be reported to those projects.
> In my opinion, instead of passing SSL_CLIENT_S_DN to the puppetmaster, we
> should use the SSL_CLIENT_S_DN_CN variable which is extracted for us by
> apache. When trying to do this, puppetmaster receives a fqdn such as
> "invalid.example.com" which makes no sense.
Where are we passing SSL_CLIENT_S_DN to the puppetmaster? Can you
point to the code in Puppet that's having this problem or elaborate?
A couple of guesses as to what you might be getting at are:
1. The documentation in ext/rack/README that refers to
"ssl_client_header = SSL_CLIENT_S_DN" should be changed to
"ssl_client_header = SSL_CLIENT_S_DN_CN"?
2. Possibly some regex in Puppet code? But it looks like the place I
can imagine you referring to in Puppet code has a regex that wouldn't
cause the problem you describe.
lib/puppet/network/http/rack/rest.rb:

    # if we find SSL info in the headers, use them to get a hostname.
    # try this with :ssl_client_header, which defaults should work for
    # Apache with StdEnvVars.
    if dn = request.env[Puppet[:ssl_client_header]] and dn_matchdata = dn.match(/^.*?CN\s*=\s*(.*)/)
I'm not very strong on my understanding of setting up an external PKI
for Puppet, so I'm not clear on what you're asking for. More details
please.
Matt
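Added example (not from either mail or from Puppet's source): the rest.rb regex quoted above run against the multi-field DN from the original report, next to a stricter extraction and to reading Apache's SSL_CLIENT_S_DN_CN directly. The `env` hash, `node_name` and `cn_from_dn_strict` are assumptions made for the illustration.

```ruby
# Added example (not from the thread or Puppet's source): how the regex in
# lib/puppet/network/http/rack/rest.rb behaves on a DN that carries fields
# after the CN, next to a stricter extraction and to using Apache's
# SSL_CLIENT_S_DN_CN directly.

# The regex as quoted from rest.rb.
PUPPET_CN_RE = /^.*?CN\s*=\s*(.*)/

# Extract the CN the way rest.rb does: everything after "CN=" to end of line.
def cn_from_dn_puppet(dn)
  m = dn.match(PUPPET_CN_RE)
  m && m[1]
end

# Stricter extraction (an assumption, not Puppet's code): the CN must follow
# the start of the string or a field separator, and stops at the next "/"
# (OpenSSL oneline format) or "," (RFC 2253 format).
def cn_from_dn_strict(dn)
  m = dn.match(/(?:^|[\/,])\s*CN\s*=\s*([^\/,]+)/)
  m && m[1].strip
end

# Hostname lookup modelled on rest.rb but parameterised on the header name so
# SSL_CLIENT_S_DN and SSL_CLIENT_S_DN_CN can be compared. `env` stands in for
# Rack's request.env.
def node_name(env, ssl_client_header, strict: false)
  dn = env[ssl_client_header]
  return nil unless dn
  if ssl_client_header.end_with?("_CN")
    dn                      # Apache already isolated the CN; no regex needed
  elsif strict
    cn_from_dn_strict(dn)
  else
    cn_from_dn_puppet(dn)
  end
end

# Constructed sample of what Apache's StdEnvVars would expose for the
# certificate from the original mail.
SAMPLE_ENV = {
  "SSL_CLIENT_S_DN"    => "/CN=mynode.example.com/O=MyOrg/L=Anywhere",
  "SSL_CLIENT_S_DN_CN" => "mynode.example.com",
}

if __FILE__ == $0
  puts node_name(SAMPLE_ENV, "SSL_CLIENT_S_DN")               # mynode.example.com/O=MyOrg/L=Anywhere
  puts node_name(SAMPLE_ENV, "SSL_CLIENT_S_DN", strict: true) # mynode.example.com
  puts node_name(SAMPLE_ENV, "SSL_CLIENT_S_DN_CN")            # mynode.example.com
end
```

The first line of output is the node name the puppetmaster would authorise against, which is why a DN with fields after the CN fails certificate checks while a "/CN=host" only DN works.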
--
You received this message because you are subscribed to the Google Groups
"Puppet Developers" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/puppet-dev?hl=en.