Hello,

Attempting to set up a CA primary/standby as well as separate
puppetmaster servers (all running Apache/Passenger) behind another
Apache/Passenger type load balancer.

Clients are not getting certs:-
err: Could not request certificate: Could not intern from s: nested
asn1 error

Clearly an SSL issue but not something I know a great deal about.

loadbalancer.conf

# Puppet Load Balancing Thing
#
# NOTE(review): this front end terminates TLS (SSLEngine on, below) and then
# forwards to every BalancerMember over plain http:// on port 18140, while
# cahost.conf in the same post defines <VirtualHost *:18140> with SSLEngine
# on, i.e. the workers expect TLS on that port. Plain HTTP sent to a TLS port
# comes back as an HTTP error page rather than a certificate, which is
# consistent with the agent's "nested asn1 error" -- confirm against the
# worker access/error logs. Either switch the members to https:// and add
# "SSLProxyEngine On" inside the VirtualHost, or take SSLEngine off the
# workers and terminate TLS here only.

<Proxy balancer://puppetmaster>
  BalancerMember http://puppetmst1:18140
  BalancerMember http://puppetmst2:18140
</Proxy>

# NOTE(review): a hot-standby CA only works if cahost2 serves the same CA
# key, serial and inventory as cahost1 (presumably a shared or replicated
# /etc/puppet/ssl/ca); otherwise certificates signed during a failover come
# from a different CA -- verify how that directory is kept in sync.
<Proxy balancer://puppet_ca>
  # Only one member
  BalancerMember http://cahost1:18140
  # Hot Standby if the primary is offline
  BalancerMember http://cahost2:18140 status=+H
</Proxy>

Listen 8140
<VirtualHost *:8140>

  ServerName loadbalancer

  SSLEngine on
  # SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
  # NOTE(review): SSLv3 and RC4 are both deprecated for TLS; unless a client
  # in this estate genuinely needs them, drop "+SSLv3" and the "RC4+RSA"
  # preference and rely on TLSv1 or newer with HIGH ciphers only.
  SSLProtocol -ALL +SSLv3 +TLSv1
  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
  # Puppet master should generate initial CA certificate.
  # ensure certs are located in etc/puppet/ssl
  SSLCertificateFile /etc/puppet/ssl/certs/loadbalancer.pem
  SSLCertificateKeyFile /etc/puppet/ssl/private_keys/loadbalancer.pem
  SSLCertificateChainFile /etc/puppet/ssl/certs/ca.pem
  SSLCACertificateFile /etc/puppet/ssl/ca/ca_crt.pem
  # CRL checking should be enabled
  # disable next line if Apache complains about CRL
  # NOTE(review): with the CRL commented out here, a revoked agent
  # certificate is still accepted at this hop, and the workers'
  # SSLCARevocationFile cannot compensate because they never see the agent's
  # certificate across a plain http:// proxy hop. This is the one place the
  # CRL check is effective.
  #SSLCARevocationFile /etc/puppet/ssl/ca/ca_crl.pem
  # optional to allow CSR request, required if certificates
  # distributed to client during provisioning.
  SSLVerifyClient optional
  SSLVerifyDepth 1
  SSLOptions +StdEnvVars
  # The following client headers record authentication information for
  # down stream workers.
  # NOTE(review): these headers are the agent's identity as far as the
  # workers are concerned, so the workers must accept them only from this
  # front end. cahost.conf currently re-sets the same three headers from its
  # own SSL environment, which replaces the values forwarded from here.
  RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
  # WARNING THIS SHOULD HAVE ACCESS CONTROL.
  # I've left it wide open for testing.
  # NOTE(review): balancer-manager lets anyone who can reach port 8140
  # change member state (drain, disable, re-route); restrict it to admin
  # addresses before this goes live, e.g.
  #   Order deny,allow
  #   Deny from all
  #   Allow from 127.0.0.1
  <Location /balancer-manager>
    SetHandler balancer-manager
    Order allow,deny
    Allow from all
  </Location>

  # NOTE(review): same for server-status -- it exposes request URIs and
  # client addresses to any caller.
  <Location /server-status>
    SetHandler server-status
    Order allow,deny
    Allow from all
  </Location>

  # Optional status
  ProxyStatus On

  # Don't load balance requests to the status page
  ProxyPass /balancer-manager !
  ProxyPass /server-status !

  # Ordering of ProxyPass directives is important
  # Direct all Puppet Agent CA requests to a specific set of workers.
  # NOTE(review): ProxyPassMatch substitutes the target string literally, so
  # with no $1/$2/$3 in the target every matched CA request is very likely
  # forwarded to the worker as a request for "/" and the agent gets a
  # non-certificate body back (another possible source of the asn1 error).
  # Keeping the matched path, e.g. a single capture and
  # "balancer://puppet_ca/$1", preserves the URI -- compare with the
  # reference Puppet load-balancing config. ProxyPassReverse, as far as I
  # know, takes a plain path prefix rather than a regex, so the line below
  # probably never matches anything.
  ProxyPassMatch ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppet_ca/
  ProxyPassReverse ^(/.*?)/(certificate.*?)/(.*)$ balancer://puppet_ca/
  # Direct all other Puppet Agent requests to the default set of
  # workers.
  ProxyPass / balancer://puppetmaster/
  ProxyPassReverse / balancer://puppetmaster/

  ProxyPreserveHost On

  # Logging for this front end
  ErrorLog  /var/log/httpd/frontend_puppet_error.log
  CustomLog /var/log/httpd/frontend_puppet_access.log combined
  # NOTE(review): the CustomLog below is a single directive; the break inside
  # the quoted format string is mail wrapping and must not be in the file.
  CustomLog /var/log/httpd/frontend_puppet_ssl_requests.log "%t %h %
{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

cahost.conf:-

Listen 18140
# NOTE(review): this VirtualHost is never closed in the post; a
# </VirtualHost> after the </Directory> block is presumably lost in the paste.
<VirtualHost *:18140>
  ServerName cahost1
  # NOTE(review): the front end's BalancerMembers reach this host as
  # http://cahost1:18140, i.e. without TLS, while this VirtualHost expects
  # it. One side has to change: terminate TLS at the front end only (drop the
  # SSL* directives here and consume the X-Client-* headers it forwards), or
  # keep TLS here and have the front end proxy to https:// with
  # "SSLProxyEngine On".
  SSLEngine on
  SSLProtocol -ALL +SSLv3 +TLSv1
  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
  SSLCertificateFile /etc/puppet/ssl/certs/cahost1.pem
  SSLCertificateKeyFile /etc/puppet/ssl/private_keys/cahost1.pem
  SSLCertificateChainFile /etc/puppet/ssl/certs/ca.pem
  SSLCACertificateFile /etc/puppet/ssl/ca/ca_crt.pem
  # CRL checking should be enabled
  # disable next line if Apache complains about CRL
  # NOTE(review): the CRL check here only applies to a client certificate
  # presented on this hop; behind a plain http:// proxy there is none, so
  # revocation has to be enforced on the TLS-terminating front end.
  SSLCARevocationFile /etc/puppet/ssl/ca/ca_crl.pem
  # optional to allow CSR request, required if certificates
  # distributed to client during provisioning.
  SSLVerifyClient optional
  SSLVerifyDepth 1
  SSLOptions +StdEnvVars
  # The following client headers record authentication information for
  # down stream workers.
  # NOTE(review): "RequestHeader set" here replaces the X-Client-* values the
  # front end forwards with this host's own SSL environment. Over a plain
  # http:// hop no agent certificate is seen at this layer, so the worker
  # would treat every agent as unverified. These three lines belong on the
  # TLS-terminating front end only; if this host must derive them itself,
  # map the incoming headers (e.g. with SetEnvIf) instead of overwriting them,
  # and make sure only the front end can reach port 18140.
  RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
  RackAutoDetect On
  DocumentRoot /etc/puppet/rack/puppetmaster/public/
  <Directory /etc/puppet/rack/puppetmaster/>
    Options None
    AllowOverride None
    Order allow,deny
    allow from all
  </Directory>

Hostnames have been changed to protect the innocent.

Any pointers or obviously "you idiot" things here ?

Thanks
Paul
