Hi, I'm glad to hear good news, and congrats because the setup is a bit tricky. I noticed you enabled "SSLProxyMachineCertificateFile". I think that now the next step would be to enable "mandatory certificate checking" on puppetmaster_host of the remote_proxy_host certificate. I will try this configuration in the near future. I guess it will need:
*SSLVerifyClient require* and some variable checking, i.e. a compound expression, maybe working as the following:

SSLRequire (( ( %{SSL_CLIENT_S_DN_Email} in {"al...@example.com"} ) or ( %{SSL_CLIENT_S_DN_Email} in {"ali...@example.com"}) ) and ( %{SSL_CLIENT_V_REMAIN} > 0 ) and (( %{SSL_CLIENT_I_DN_CN} in {"CA Cert Signing Authority"}) or ( %{SSL_CLIENT_I_DN_CN} in {"CAcert Class 3 Root"}) ))

or at a minimum checking the client CN.

Let me know,
regards
Paolo
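
The "at a minimum checking the client CN" variant mentioned above, written out as an added example that is not part of the original message. The file paths, the listening port and the proxy's certificate CN are assumed placeholders, and the issuer names are the ones quoted in the message.

```apache
# Added example (not from the original message): on puppetmaster_host, require
# and check the certificate that remote_proxy_host presents through its
# SSLProxyMachineCertificateFile. Paths, port and the proxy CN are placeholders.
<VirtualHost *:8140>
    SSLEngine on
    SSLCertificateFile    /path/to/puppetmaster_host-cert.pem
    SSLCertificateKeyFile /path/to/puppetmaster_host-key.pem

    # CA bundle used to verify client certificates. Only certificates that
    # chain to a CA in this file pass verification.
    SSLCACertificateFile  /path/to/client-ca-bundle.pem

    # Fail the TLS handshake unless the client presents a certificate that
    # verifies against the bundle above.
    SSLVerifyClient require
    SSLVerifyDepth  2

    <Location />
        # Authorization on top of verification: the subject CN must be the
        # proxy's, the certificate must still have validity left, and the
        # issuer CN must be one of the expected CAs.
        SSLRequire ( %{SSL_CLIENT_S_DN_CN} eq "remote_proxy_host" ) \
               and ( %{SSL_CLIENT_V_REMAIN} > 0 ) \
               and ( %{SSL_CLIENT_I_DN_CN} in {"CA Cert Signing Authority", "CAcert Class 3 Root"} )
    </Location>
</VirtualHost>
```

SSLVerifyClient require on its own only proves the certificate chains to a trusted CA; the SSLRequire expression is what limits access to the proxy's identity. In Apache 2.4, SSLRequire is deprecated in favour of Require expr.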