Hi - I read up on this subject quite a bit and was able to find a few posts on the mailing list, and even a wiki article. Unfortunately none of it quite addresses what I'm looking to do.
From what I understand, Puppet's client/server authentication system, which uses SSL, is portable. I believe that I should be able to use the same SSL certificates and keys (and even the same CA) for other SSL/TLS connections as well. In particular, I want to use Apache's 'SSLVerifyClient require' option, not in my Mongrel setup but for an entirely different SSL site which also happens to be on the same machine as my Puppet master. Assuming my Puppet master and my Puppet agent represent the server and client in this connection, respectively, I believe I should be able to use that already-established, signed and trusted SSL relationship to implement this additional site. I do expect problems with CN mismatches, but I can live with that.

I've gone through the process of configuring an additional SSL site in Apache to use 'SSLVerifyClient require', and mimicked a request from a Puppet node (previously signed, enrolled, and working) using curl. I used the Puppet-generated cert and key from this Puppet node as the arguments, looking something like this:

    curl -k -v --cert certs/job01.vmserver02.dev.az.domain.local.pem --key private_keys/job01.vmserver02.dev.az.toolbox.local.pem https://10.1.0.165/test.htm

I got a little smile that the request did in fact work without error (save having the client use the CA certificate; I'll revisit that later), but I'm also concerned, because I understand this should not have worked: I had run puppetca --clean against this particular Puppet node's certificate, thereby updating my Puppet master's key store, and expected the request to just plain not work any more.
Here's the Apache configuration I was talking about:

    <VirtualHost 10.1.0.165:443>
        SSLEngine On
        SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
        SSLCertificateFile /var/lib/puppet/ssl/certs/puppet01.ops.az.domain.local.pem
        SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet01.ops.az.domain.local.pem
        SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLOptions +StdEnvVars
        ErrorLog /var/log/httpd/ssltest-error.log
        CustomLog /var/log/httpd/ssltest-access.log combined
    </VirtualHost>

Pretty simple, right? Am I doing this properly?

A little background: I am in the process of building AMIs for Amazon's EC2, which will eventually have VPN connections back to a secure scope/pool on our internal network. I do not want to distribute the VPN profiles, complete with usernames and passwords, with the AMIs. I want Puppet to run once, generate those certs on both the agent and the master, and make them available for a curl request in my EC2 bootstrap script to download this VPN profile in a secure manner. I only want a signed client accessing this VPN profile (pcf file), which is going to be live on the Internet (protected, of course, by client certificate verification).

I'm not sure why this doesn't work as I expect it to. I was hoping to get some feedback from someone who has gone down this route before, as this is all pretty new to me. If nothing more, I'm hoping to be able to get this working in this situation, so that I can reuse this functionality for other projects. If Puppet is already doing a good job of maintaining a nice keystore, why not use it for other things, too?

Thanks!
-dant

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
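An added example, not part of the post above and not Puppet's or Apache's own code, to show why the revoked certificate kept working. The vhost above hands Apache only SSLCACertificateFile, so mod_ssl checks that the client certificate chains to Puppet's CA and nothing more; puppetca --clean records the revocation in /var/lib/puppet/ssl/ca/ca_crl.pem, and Apache never reads that file unless SSLCARevocationFile points at it. The script below builds a throwaway CA with the same ca_crt.pem / ca_crl.pem layout, issues an agent certificate, revokes it, and runs both checks with openssl: chain-only (what the posted config does) and chain plus CRL (what the config needs). All paths under $WORK and the example.test hostnames are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the post). Throwaway CA laid out like
# /var/lib/puppet/ssl/ca; every path under $WORK and the *.example.test names
# are assumptions for this demo only.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA="$WORK/ca"

# setup_ca: CA database, key, self-signed CA cert and an initially empty CRL.
setup_ca() {
  mkdir -p "$CA/newcerts"
  : > "$CA/index.txt"
  echo 01 > "$CA/serial"
  echo 01 > "$CA/crlnumber"
  cat > "$CA/openssl.cnf" <<EOF
[ ca ]
default_ca       = puppet_ca
[ puppet_ca ]
dir              = $CA
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca_crt.pem
private_key      = \$dir/ca_key.pem
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = agent_ext
[ policy_any ]
commonName       = supplied
[ req ]
distinguished_name = dn
x509_extensions  = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ agent_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = clientAuth,serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$CA/openssl.cnf" \
    -subj "/CN=Puppet CA: puppet01.example.test" \
    -keyout "$CA/ca_key.pem" -out "$CA/ca_crt.pem" >/dev/null 2>&1
  openssl ca -gencrl -config "$CA/openssl.cnf" -out "$CA/ca_crl.pem" >/dev/null 2>&1
}

# issue_agent_cert NAME: key, CSR and CA-signed cert, the equivalent of an
# agent enrolling and "puppetca --sign".
issue_agent_cert() {
  openssl req -newkey rsa:2048 -nodes -config "$CA/openssl.cnf" \
    -subj "/CN=$1.example.test" \
    -keyout "$WORK/$1_key.pem" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl ca -batch -notext -config "$CA/openssl.cnf" \
    -in "$WORK/$1.csr" -out "$WORK/$1_crt.pem" >/dev/null 2>&1
}

# revoke_agent NAME: mark the cert revoked and regenerate ca_crl.pem, which is
# the part of "puppetca --clean" that matters to a relying party.
revoke_agent() {
  openssl ca -config "$CA/openssl.cnf" -revoke "$WORK/$1_crt.pem" >/dev/null 2>&1
  openssl ca -gencrl -config "$CA/openssl.cnf" -out "$CA/ca_crl.pem" >/dev/null 2>&1
}

# verify_chain_only CERT: what mod_ssl checks with SSLCACertificateFile alone.
# Succeeds when the cert chains to ca_crt.pem, revoked or not.
verify_chain_only() {
  openssl verify -CAfile "$CA/ca_crt.pem" "$1" 2>/dev/null | grep -q ': OK$'
}

# verify_with_crl CERT: the same chain check with the CRL consulted, i.e. what
# mod_ssl does once SSLCARevocationFile points at ca_crl.pem.
verify_with_crl() {
  openssl verify -crl_check -CAfile "$CA/ca_crt.pem" -CRLfile "$CA/ca_crl.pem" "$1" 2>/dev/null \
    | grep -q ': OK$'
}

setup_ca
issue_agent_cert job01
verify_with_crl "$WORK/job01_crt.pem" && echo "job01 before clean: accepted"
revoke_agent job01
verify_chain_only "$WORK/job01_crt.pem" && echo "job01 after clean, CA cert only: still accepted"
verify_with_crl "$WORK/job01_crt.pem" || echo "job01 after clean, CA cert + CRL: rejected"
```

To get the second behaviour from Apache, add SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem to the vhost (on httpd 2.4 also SSLCARevocationCheck chain, since its default is none). mod_ssl loads the CRL when the server starts, so after puppetca --clean the revocation takes effect only after a graceful restart, and the CRL's nextUpdate date has to be kept current or every client will be rejected.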
