I have a single LB running Apache with mod_proxy in front of a Puppet
master. These are the LB and Puppet master configs:

<Proxy balancer://puppetmaster>
        BalancerMember http://192.168.1.10:8140
</Proxy>

Listen 8140

<VirtualHost *:8140>
        SSLEngine on
        # The second SSLCipherSuite directive below overrides the first one
        SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
        SSLCertificateFile /var/lib/puppet/ssl/certs/puppetlb.example.com.pem
        SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppetlb.example.com.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
        SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient optional
        SSLVerifyDepth 1
        SSLOptions +StdEnvVars

        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

        <Location />
                SetHandler balancer-manager
                Order allow,deny
                Allow from all
        </Location>

        ProxyPass / balancer://puppetmaster/
        ProxyPassReverse / balancer://puppetmaster/
        ProxyPreserveHost On

</VirtualHost>

And the back-end Puppet master:

Listen 8140

<VirtualHost *:8140>
        SSLEngine off

        # Obtain Authentication Information from Client Request Headers
        SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
        SetEnvIf X-SSL-Client-DN "(.*)" SSL_CLIENT_S_DN=$1

        RackAutoDetect On
        DocumentRoot /etc/puppet/rack/puppetmaster/public/
        <Directory /etc/puppet/rack/puppetmaster/>
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>

On the puppet agent, when I initially request a cert, all works well:
the Puppet master back-end receives it and I can sign it on the
master with puppetca -s hostname.
After this, when I run puppetd -tv on the agent I get this error:

err: Could not retrieve catalog from remote server: SSL_connect
returned=1 errno=0 state=SSLv3 read server certificate B: certificate
verify failed.  This is often because the time is out of sync on the
server or client

Also, when I run this on the LB and the master:

tcpdump -s 1024 -l -A port 8140 -i eth1

I see that headers are not set at all:

X-SSL-Subject: (null)
X-SSL-Client-DN: (null)
X-Client-Verify: NONE

Any idea what I am missing?

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.
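The agent's "certificate verify failed" is raised while the agent checks the certificate the LB presents on port 8140 against the CA bundle in the agent's own ssl/certs/ca.pem, so two things have to hold at once: the LB's certificate must chain to that CA, and its subject CN must match the name the agent connects to. The script below, added here as an example and not part of the original post, reproduces both checks offline with openssl. It builds a throwaway CA, an LB certificate signed by it and an unrelated second CA (constructed test data, not the poster's files); the names puppetlb.example.com, puppetca.example.com and puppet.example.com are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce offline what a
# Puppet agent decides in "SSLv3 read server certificate B".  All names
# and files here are constructed for the demo.
set -u

# Return 0 if CERT chains to CAFILE (the agent's ssl/certs/ca.pem), 1 if
# it does not, which is the "certificate verify failed" case.
check_lb_cert_chain() {
    cafile=$1; cert=$2
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1
}

# Print the subject CN of CERT; the agent's server= name must match it.
lb_cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/^subject= *//p' | sed 's/^CN=//; s/,.*//'
}

# Build a demo CA, an LB cert signed by it, and a second CA the agent
# does not trust (e.g. a stale ca.pem on the LB).  Writes into $1.
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Puppet CA: puppetca.example.com" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=puppetlb.example.com" \
        -keyout "$dir/lb.key" -out "$dir/lb.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/lb.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/lb.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Some other CA" \
        -keyout "$dir/other.key" -out "$dir/other.pem" >/dev/null 2>&1
}

# Run the two checks the agent implicitly runs and echo a one-word
# verdict: ok, chain-fail or name-mismatch.  Returns 1 on any failure.
agent_view() {
    cafile=$1; cert=$2; expected_name=$3
    if ! check_lb_cert_chain "$cafile" "$cert"; then
        echo "chain-fail"; return 1
    fi
    if [ "$(lb_cert_cn "$cert")" != "$expected_name" ]; then
        echo "name-mismatch"; return 1
    fi
    echo "ok"
}

# Stand-alone demo: one passing case and the two ways it fails.
demo() {
    dir=$(mktemp -d)
    make_demo_pki "$dir"
    agent_view "$dir/ca.pem"    "$dir/lb.pem" puppetlb.example.com || true
    agent_view "$dir/other.pem" "$dir/lb.pem" puppetlb.example.com || true
    agent_view "$dir/ca.pem"    "$dir/lb.pem" puppet.example.com   || true
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Against the real LB the equivalent live check from an agent is `openssl s_client -connect puppetlb.example.com:8140 -CAfile /var/lib/puppet/ssl/certs/ca.pem`, reading the "Verify return code" line. Two further points follow from the posted configs rather than from the error: the LB sets `X-Client-DN` while the back-end's SetEnvIf reads `X-SSL-Client-DN`, and `X-Client-Verify: NONE` with `(null)` subjects means no client certificate was presented on the captured connection (mod_headers writes `(null)` for an unset environment variable). Because the back-end takes the node identity from those headers over plain HTTP with `SSLEngine off`, port 8140 on 192.168.1.10 must be reachable only from the LB, and `<Location />` with `SetHandler balancer-manager` and `Allow from all` on the LB exposes the balancer manager to every client.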
