With recent versions of Puppet, when you clean a certificate you also revoke it; your Apache is simply not configured to look at the CRL (certificate revocation list).
Ohad

On Wed, Dec 22, 2010 at 11:43 PM, Dan Trainor <[email protected]> wrote:
> Hi -
>
> I read up on this subject quite a bit, and was able to find a few posts on the mailing list, even found a wiki article. Unfortunately it doesn't quite address what I'm looking to do.
>
> From what I understand, Puppet's client/server authentication system - using SSL - is portable. I believe that I should be able to use the same SSL certificates and keys (and even the same CA) with regard to other SSL/TLS connections, as well.
>
> In particular, I want to use Apache's 'SSLVerifyClient require' option, but not in my Mongrel setup, but for an entirely different SSL site which also happens to be on the same machine as my Puppet master. Assuming both my Puppet master and my Puppet agent represent the server and client in this connection, respectively, then I believe I should be able to use that already-established and signed and trusted SSL relationship to implement this additional site. I do expect problems with CN mismatches, but I can live with that.
>
> I've gone through the process of configuring an additional SSL site in Apache to use 'SSLVerifyClient require', and mimicked a request from a Puppet node (previously signed, enrolled, and working) using curl. I used the Puppet generated cert and key from this Puppet node in the argument, looking something like this:
>
> curl -k -v --cert certs/job01.vmserver02.dev.az.domain.local.pem --key private_keys/job01.vmserver02.dev.az.toolbox.local.pem https://10.1.0.165/test.htm
>
> I got a little smile that the request did in fact work without error (save having the client use the CA certificate - I'll re-visit that later), but also concerned because I understand this should not have worked. I ran puppetca --clean against this particular Puppet node's certificate, and expected it to just plain not work any more, and thereby updating my Puppet master's key store.
>
> Here's that Apache configuration I was talking about:
>
> <VirtualHost 10.1.0.165:443>
>     SSLEngine On
>     SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
>     SSLCertificateFile /var/lib/puppet/ssl/certs/puppet01.ops.az.domain.local.pem
>     SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet01.ops.az.domain.local.pem
>     SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
>     SSLVerifyClient require
>     SSLVerifyDepth 1
>     SSLOptions +StdEnvVars
>     ErrorLog /var/log/httpd/ssltest-error.log
>     CustomLog /var/log/httpd/ssltest-access.log combined
> </VirtualHost>
>
> Pretty simple, right? Am I doing this properly?
>
> A little background: I am in the process of building AMIs for Amazon's EC2, which will eventually have VPN connections back to a secure scope/pool on our internal network. I do not want to distribute the VPN profiles, complete with usernames and passwords, with the AMIs. I want Puppet to run once, generate those certs on both the agent and master, and make those available for a curl request in my EC2 bootstrap script to download this VPN profile in a secure manner. I only want a signed client accessing this VPN profile (pcf file) which is going to be live on the Internet (protected, of course, by client certificate verification).
>
> I'm not sure why this doesn't work as I expect it to. I was hoping to get some feedback from someone who has gone down this route before, as this is all pretty new to me. If nothing more, I'm hoping to be able to get this working in this situation, so that I can reuse this functionality for other projects. If Puppet is already doing a good job of maintaining a nice keystore, why not use it for other things, too?
>
> Thanks!
> -dant
>
> --
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to [email protected].
> For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
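To see the point Ohad makes end to end, here is an added example (not from the thread) that builds a throwaway CA with openssl, issues and then revokes an "agent" certificate, and shows that `openssl verify` keeps accepting the revoked certificate until the CRL is actually loaded and checked; the CA, names and paths are constructed for the demo and are not Puppet's own.

```shell
#!/bin/sh
# Added example, not from the thread: a throwaway CA stands in for Puppet's. It
# shows that revoking a cert is invisible to a verifier that never loads the CRL.
set -eu
WORK=$(mktemp -d); cd "$WORK"
# Minimal on-disk CA database that `openssl ca` expects.
mkdir newcerts; touch index.txt; echo 1000 > serial; echo 01 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo
[ demo ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/ca.pem
private_key      = $dir/ca.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = loose
[ loose ]
commonName       = supplied
[ req ]
distinguished_name = dn
x509_extensions  = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = keyCertSign,cRLSign
EOF
# Self-signed CA, then one "agent" certificate signed by it (assumes openssl >= 1.1).
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
  -keyout ca.key -out ca.pem -subj /CN=demo-ca 2>/dev/null
openssl req -config ca.cnf -newkey rsa:2048 -nodes \
  -keyout agent.key -out agent.csr -subj /CN=agent01 2>/dev/null
openssl ca -batch -config ca.cnf -in agent.csr -out agent.pem 2>/dev/null
# Revoke the agent (what `puppetca --clean` does) and publish the CRL.
openssl ca -config ca.cnf -revoke agent.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca_crl.pem 2>/dev/null
# Without the CRL the revoked cert still chains to the CA (exit 0); with the CRL
# loaded and checked it is rejected (exit non-zero). Apache behaves the same way.
verify_without_crl() { openssl verify -CAfile ca.pem agent.pem >/dev/null 2>&1; }
verify_with_crl() { openssl verify -crl_check -CAfile ca.pem -CRLfile ca_crl.pem agent.pem >/dev/null 2>&1; }
verify_without_crl && echo "no CRL loaded: revoked agent01 accepted"
verify_with_crl || echo "CRL checked: revoked agent01 rejected"
```

The Apache equivalent of the second check is `SSLCARevocationFile` pointing at the CA's CRL, and on Apache 2.4 also `SSLCARevocationCheck chain`, since revocation checking there is off by default.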
