Hi,
I'm trying to do SSL offload on an Amazon ELB for my puppetmaster servers; it
seems Amazon ELB is not sending ssl_client_header & client_verify_header.
puppetmaster (Apache vhost on 8141; TLS is terminated on the ELB, so SSLEngine is off)
Listen 8141
<VirtualHost *:8141>
  SSLEngine off
  DocumentRoot /etc/puppet/rack/puppetmaster_8141/public/
  RackBaseURI /
  <Directory /etc/puppet/rack/puppetmaster_8141/>
    PassengerEnabled on
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
  </Directory>
  # Copy the load balancer's headers into the environment variables the
  # Puppet master reads for client identity (SSL_CLIENT_S_DN) and
  # certificate verification status (SSL_CLIENT_VERIFY). Note that these
  # are honoured from any client that can reach port 8141, not only the ELB.
  SetEnvIf X-SSL-Subject "(.*)" SSL_CLIENT_S_DN=$1
  SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
  SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1
  SetEnvIf X-Forwarded-Proto "https" HTTPS=1
  SSLProxyEngine On
  # Proxy all requests that start with things like /production/certificate to the CA
  ProxyPassMatch ^/([^/]+/certificate.*)$ https://puppetlb.aws.*.co.nz:8141/$1
  ErrorLog /var/log/httpd/puppetmaster.error.log
  CustomLog /var/log/httpd/puppetmaster.access.log combined
</VirtualHost>
puppetca (Apache vhost on 8140; TLS is terminated on the ELB, so SSLEngine is off)
Listen 8140
<VirtualHost *:8140>
  SSLEngine off
  # Obtain Authentication Information from Client Request Headers
  # (this vhost expects X-SSL-Client-DN, whereas the 8141 vhost above
  # expects X-SSL-Subject for the same SSL_CLIENT_S_DN variable)
  SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
  SetEnvIf X-SSL-Client-DN "(.*)" SSL_CLIENT_S_DN=$1
  DocumentRoot /etc/puppet/rack/puppetca_8140/public/
  <Directory /etc/puppet/rack/puppetca_8140/>
    # PassengerEnabled on
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
  </Directory>
  ErrorLog /var/log/httpd/puppetca.error.log
  CustomLog /var/log/httpd/puppetca.access.log combined
</VirtualHost>
The error I'm getting on the backend node:
[root@ip-10-250-1-152 puppetmaster_18141]# puppet agent --test --no-daemonize
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /node/ip-10-250-1-152.aws.*.co.nz [find] at :125
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /file_metadata/plugins [search] at :125
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /file_metadata/plugins [find] at :125 Could not retrieve file metadata for puppet://puppetlb.aws.*.co.nz/plugins: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /file_metadata/plugins [find] at :125
Error: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /catalog/ip-10-250-1-152.aws.*co.nz [find] at :125
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /report/ip-10-250-1-152.aws.*.co.nz [save] at :125
Thanks
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
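The following is an added example, not code from the original post, from Puppet or from Apache. It models what the SetEnvIf lines in the posted vhosts do (copy X-Client-Verify / X-SSL-Subject / X-Forwarded-For straight into SSL_CLIENT_VERIFY / SSL_CLIENT_S_DN / REMOTE_ADDR) and a simplified stand-in for the master's access rule (a request is authenticated only when SSL_CLIENT_VERIFY is SUCCESS, and a node may only fetch its own node object or catalog). Two things fall out of it. First, a classic ELB only adds X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Port; it does not terminate client certificates and never emits X-Client-Verify or X-SSL-Subject, so the master sees no client identity and returns exactly the 403s shown above. Second, because SSLEngine is off and the headers are honoured from any source, a client that can reach port 8141 directly can assert any identity it likes; the hardened variant only honours those headers when the TCP peer is in a trusted load-balancer range. The trusted range, the node name and the header values are constructed for the example.

```python
"""Model of header -> env mapping and the resulting auth decision.

Added example; not Puppet's or Apache's own code.  The trusted-proxy range,
node name and request headers below are constructed assumptions.
"""
import ipaddress

# Assumed: address range of the load balancers allowed to assert client identity.
TRUSTED_PROXIES = [ipaddress.ip_network("10.250.0.0/16")]

# Header -> environment variable, mirroring the SetEnvIf lines in the post.
HEADER_TO_ENV = {
    "X-SSL-Subject": "SSL_CLIENT_S_DN",
    "X-Client-Verify": "SSL_CLIENT_VERIFY",
    "X-Forwarded-For": "REMOTE_ADDR",
}


def naive_env(peer_ip, headers):
    """What the posted vhost does: copy the headers into the env unconditionally."""
    env = {"REMOTE_ADDR": peer_ip}
    for hdr, var in HEADER_TO_ENV.items():
        if hdr in headers:
            env[var] = headers[hdr]
    if headers.get("X-Forwarded-Proto") == "https":
        env["HTTPS"] = "1"
    return env


def hardened_env(peer_ip, headers):
    """Honour identity/forwarding headers only when the TCP peer is a trusted LB."""
    trusted = any(ipaddress.ip_address(peer_ip) in net for net in TRUSTED_PROXIES)
    if not trusted:
        # Drop anything a direct client could use to impersonate a node.
        headers = {k: v for k, v in headers.items() if k not in HEADER_TO_ENV}
    return naive_env(peer_ip, headers)


def node_from_dn(dn):
    """Extract the CN from an OpenSSL-style DN such as '/CN=host.example'."""
    for part in dn.split("/"):
        if part.startswith("CN="):
            return part[3:]
    return None


def authorize(env, requested_node):
    """Simplified stand-in for the master's rule: verified cert required, and
    a node may only access its own /node and /catalog objects."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return 403, "Forbidden request: no verified client certificate"
    node = node_from_dn(env.get("SSL_CLIENT_S_DN", ""))
    if node != requested_node:
        return 403, "Forbidden request: %s may not access /node/%s" % (node, requested_node)
    return 200, "ok for %s" % node


# Constructed sample requests.
NODE = "ip-10-250-1-152.example.internal"
LB_PEER = "10.250.1.10"        # assumed: inside TRUSTED_PROXIES
DIRECT_PEER = "10.99.0.7"      # assumed: a host bypassing the ELB

# What a classic ELB actually forwards: no client-certificate headers at all.
ELB_HEADERS = {"X-Forwarded-For": "10.250.1.152", "X-Forwarded-Proto": "https"}

# What a client-cert-aware TLS terminator would send for a verified node.
VERIFIED_HEADERS = dict(ELB_HEADERS, **{
    "X-Client-Verify": "SUCCESS",
    "X-SSL-Subject": "/CN=" + NODE,
})

# The same headers, set by a direct client rather than the load balancer.
SPOOFED_HEADERS = dict(VERIFIED_HEADERS)


def run_scenarios():
    """Return the status code each scenario produces under each mapping."""
    return {
        "elb_naive": authorize(naive_env(LB_PEER, ELB_HEADERS), NODE)[0],
        "spoof_naive": authorize(naive_env(DIRECT_PEER, SPOOFED_HEADERS), NODE)[0],
        "spoof_hardened": authorize(hardened_env(DIRECT_PEER, SPOOFED_HEADERS), NODE)[0],
        "verified_hardened": authorize(hardened_env(LB_PEER, VERIFIED_HEADERS), NODE)[0],
    }


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print("%-18s -> %d" % (name, status))
```

The ELB scenario is the one in the post: with only X-Forwarded-* present, the master has no SSL_CLIENT_VERIFY and denies /node, /catalog and /report. The spoof scenario shows why the unconditional SetEnvIf mapping is only safe if nothing but the load balancer can reach 8141/8140 (a security group rule, or the trusted-peer filter modelled by hardened_env). Fixing the 403 itself requires a TLS terminator in front of the masters that actually performs client-certificate verification and emits those headers, which a classic ELB listener does not do.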