Hi,

I'm glad to hear good news,
and congrats because the setup is a bit tricky.
I noticed you enabled "SSLProxyMachineCertificateFile". I think that now 
the next step would be to enable "mandatory certificate checking" on 
puppetmaster_host of the remote_proxy_host certificate.
I will try this configuration in the near future.
I guess it will need:

    SSLVerifyClient require

and some variable checking, i.e. a compound expression, maybe working as the 
following:

    SSLRequire (( ( %{SSL_CLIENT_S_DN_Email} in {"al...@example.com"} ) \
                  or ( %{SSL_CLIENT_S_DN_Email} in {"ali...@example.com"} ) ) \
                and ( %{SSL_CLIENT_V_REMAIN} > 0 ) \
                and ( ( %{SSL_CLIENT_I_DN_CN} in {"CA Cert Signing Authority"} ) \
                      or ( %{SSL_CLIENT_I_DN_CN} in {"CAcert Class 3 Root"} ) ))

or at a minimum checking the client CN.

Let me know,

regards

Paolo
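The two sides of the setup Paolo describes, written out as an added example (this is not configuration from the original message or from the Puppet project). It assumes remote_proxy_host is an Apache reverse proxy that authenticates to puppetmaster_host with the certificate named in SSLProxyMachineCertificateFile, and that puppetmaster_host is an Apache vhost fronting the master. All hostnames, ports, file paths, e-mail addresses and CA names below are placeholders; the subject e-mail, validity and issuer checks follow the SSLRequire expression in the message.

```apache
# --- remote_proxy_host: outbound side (placeholder paths and names) ---
<VirtualHost *:8140>
    ServerName proxy.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/proxy.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/proxy.example.com.key

    SSLProxyEngine on
    # Client certificate + key (PEM, concatenated) the proxy presents to the master.
    SSLProxyMachineCertificateFile /etc/apache2/ssl/proxy-client.pem
    # Verify the master's server certificate as well, not only our own identity.
    SSLProxyVerify         require
    SSLProxyCACertificateFile /etc/apache2/ssl/puppet-ca.crt

    ProxyPass        / https://puppetmaster.example.com:8140/
    ProxyPassReverse / https://puppetmaster.example.com:8140/
</VirtualHost>

# --- puppetmaster_host: inbound side, mandatory client-certificate checking ---
<VirtualHost *:8140>
    ServerName puppetmaster.example.com
    SSLEngine on
    SSLCertificateFile    /etc/puppet/ssl/certs/puppetmaster.example.com.pem
    SSLCertificateKeyFile /etc/puppet/ssl/private_keys/puppetmaster.example.com.pem

    # CA bundle used to validate the proxy's client certificate.
    SSLCACertificateFile  /etc/puppet/ssl/certs/ca.pem
    # Weak setting would be "SSLVerifyClient optional" or none: the connection
    # is then accepted with no (or an unverifiable) client certificate.
    SSLVerifyClient require
    SSLVerifyDepth  2

    <Location />
        # Only the proxy's certificate may reach the master: match on subject
        # e-mail or CN, require the certificate to be unexpired, and require a
        # known issuer CN so a cert from a different CA in the bundle is refused.
        SSLRequire ( %{SSL_CLIENT_S_DN_Email} in {"proxy-admin@example.com"} \
                     or %{SSL_CLIENT_S_DN_CN} in {"proxy.example.com"} ) \
                   and %{SSL_CLIENT_V_REMAIN} > 0 \
                   and %{SSL_CLIENT_I_DN_CN} in {"Example Internal CA"}
    </Location>
</VirtualHost>
```

With SSLVerifyClient require, a client that presents no certificate, or one that does not chain to SSLCACertificateFile, fails the TLS handshake before the SSLRequire expression is evaluated; the expression then narrows the set of valid certificates to the proxy's. On httpd 2.4, SSLRequire is deprecated and the same variables can be used in a Require expr directive instead.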

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/63cd6960-027e-413d-92fd-7081ff09cb3b%40googlegroups.com.