Hi There,

Yes I did use the same certificates on both. I also used an alternate DNS name for the RP so I created the cert with an alt_dns_name:

puppet cert generate remote_puppet_host --dns_alt_names remote_puppet_host_alt

That cert and private key get copied from the puppetmaster cert directory to the RP, and used as the SSLCertificateFile and SSLCertificateKeyFile. Otherwise all the other certs are from the puppetmaster's cert directory and copied over. I also had lots of trouble with the header (RequestHeader) settings. The config I have here is what ultimately worked for me. Also ensure that the header settings in your puppet.conf are correct as well, on the puppetmaster.

Karl

On Monday, November 25, 2013 4:23:44 AM UTC-5, Ruth wrote:
>
> Hi Karl,
>
> I tried to copy your setup but I still get SSL errors in my puppet
> clients. I am not sure about the certificates, did you use the same
> certificates on Puppet Master and RP? I would be grateful if you could
> share the results of your work,
>
> Regards,
> Marcella
>
> On Saturday, 23 November 2013 00:24:47 UTC+1, kschafer2598 wrote:
>>
>> I finally got it. Lots of searching, poking and twiddling with apache
>> services :) Thank you so much!
>>
>> Here are my config files. Remote proxy is SLES11, puppetmaster is RHEL5
>> with EPEL and Puppet repos.
>>
>> Note that SSLProxyMachineCertificateFile
>> /var/lib/puppet/ssl/certs/remote_proxy_host.combined is the private key
>> and cert for the remote proxy put in a single file
>> (/var/lib/puppet/ssl/certs/puppetmaster_host.pem
>> and /var/lib/puppet/ssl/private_keys/puppetmaster_host.pem)
>>
>> Apache conf.d/puppetmaster.conf:
>>
>> PassengerMaxPoolSize 4
>> PassengerMaxRequests 1000
>> PassengerPoolIdleTime 600
>>
>> Listen 8141
>> <VirtualHost *:8141>
>>   SSLEngine on
>>   SSLProtocol All -SSLv2
>>   SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
>>   SSLCertificateFile /var/lib/puppet/ssl/certs/puppetmaster_host.pem
>>   SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppetmaster_host.pem
>>   SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
>>   SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
>>   SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
>>   SSLVerifyClient optional
>>   SSLVerifyDepth 1
>>   SSLOptions +StdEnvVars +ExportCertData
>>
>>   PassengerStatThrottleRate 120
>>   DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
>>   <Directory /usr/share/puppet/rack/puppetmasterd/>
>>     Options None
>>     AllowOverride None
>>     Order Allow,Deny
>>     Allow from All
>>   </Directory>
>> </VirtualHost>
>>
>> Listen 8140
>> <VirtualHost *:8140>
>>   SSLEngine On
>>   SSLProtocol All -SSLv2
>>   SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
>>   SSLCertificateFile /var/lib/puppet/ssl/certs/puppetmaster_host.pem
>>   SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppetmaster_host.pem
>>   SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
>>   SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
>>   SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
>>   SSLVerifyClient optional
>>   SSLVerifyDepth 1
>>   SSLOptions +StdEnvVars +ExportCertData
>>
>>   RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
>>   RequestHeader set X-PUPPET-Client-DN %{SSL_CLIENT_S_DN}e
>>   RequestHeader set X-PUPPET-Client-Verify %{SSL_CLIENT_VERIFY}e
>>
>>   PassengerStatThrottleRate 120
>>   DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
>>   <Directory /usr/share/puppet/rack/puppetmasterd/>
>>     Options None
>>     AllowOverride None
>>     Order Allow,Deny
>>     Allow from All
>>   </Directory>
>> </VirtualHost>
>>
>> /etc/puppet.conf:
>>
>> logdir = /var/log/puppet
>> rundir = /var/run/puppet
>> ssldir = $vardir/ssl
>> server = puppetmaster_host
>> pluginsync = true
>> [agent]
>> classfile = $vardir/classes.txt
>> localconfig = $vardir/localconfig
>> report = true
>> environment = production
>> [master]
>> reports = store,http,foreman,log
>> reporturl = http://puppetmaster_host:3000/reports/upload
>> storeconfigs = true
>> #async_storeconfigs = true
>> dbadapter = mysql
>> dbuser = puppet
>> dbpassword = f1rmwar3
>> dbserver = localhost
>> dbsocket = /var/lib/mysql/mysql.sock
>> dbconnections = 10
>> node_terminus = exec
>> facts_terminus = yaml
>> external_nodes = /usr/share/puppet/ext/susemanager_enc.rb
>> ssl_client_header = HTTP_X_PUPPET_CLIENT_DN
>> ssl_client_verify_header = HTTP_X_PUPPET_CLIENT_VERIFY
>>
>> Remote Proxy
>>
>> LoadModule headers_module /usr/lib64/apache2/mod_headers.so
>> Listen 8140
>>
>> <VirtualHost *:8140>
>>   ServerName remote_proxy_host:8140
>>   SSLEngine on
>>   SSLProtocol All -SSLv2
>>   SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
>>   SSLCertificateFile /var/lib/puppet/ssl/certs/remote_proxy_host.pem
>>   SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/remote_proxy_host.pem
>>   SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
>>   SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
>>   SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
>>   SSLVerifyClient optional
>>   SSLVerifyDepth 1
>>   SSLOptions +StdEnvVars
>>
>>   LogLevel warn
>>
>>   RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
>>   RequestHeader set X-PUPPET-Client-DN %{SSL_CLIENT_S_DN}e
>>   RequestHeader set X-PUPPET-Client-Verify %{SSL_CLIENT_VERIFY}e
>>
>>   RewriteEngine On
>>   TraceEnable Off
>>   RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
>>   RewriteRule .* - [F]
>>
>>   SSLProxyEngine on
>>   SSLProxyVerify require
>>   SSLProxyCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
>>   SSLProxyCheckPeerCN on
>>   SSLProxyMachineCertificateFile /var/lib/puppet/ssl/certs/remote_proxy_host.combined
>>
>>   ProxyPass / https://puppetmaster_host:8141/
>>   ProxyPassReverse / https://puppetmaster_host:8141/
>>   ProxyPreserveHost On
>>
>>   <Location />
>>     Order deny,allow
>>     allow from All
>>     deny from all
>>   </Location>
>> </VirtualHost>
>>

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/f2dcf702-78a1-4814-80e4-44d187708bc2%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
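The part of this setup that is easiest to get wrong, and that Karl flags above, is the agreement between the proxy's RequestHeader lines and the ssl_client_header / ssl_client_verify_header settings in the master's puppet.conf, because the master does not authenticate the agent itself once a proxy sits in front of it: it trusts what those two headers say. The following is an added Python example, not code from the thread or from Puppet, that models that trust path and checks the two configurations against each other. It approximates Apache's `RequestHeader set` (overwrite semantics) and Puppet's header handling; the header and setting names are the ones from the configs above, and the certnames, DNs and the sample puppet.conf text are constructed for the example.

```python
import re

# Added example (not code from the thread or from Puppet): a model of how the
# proxied Puppet master in the configs above learns which agent is calling.
# It approximates two behaviours the setup depends on:
#   * Apache's `RequestHeader set NAME %{VAR}e` unconditionally replaces any
#     same-named header the connecting client sent with the proxy's own SSL
#     environment value, so nothing a client puts in X-PUPPET-Client-Verify
#     survives the proxy hop.
#   * Puppet's ssl_client_header / ssl_client_verify_header handling, which
#     consults the DN header only when the verify header reads SUCCESS.
# Header and setting names come from the thread; certnames and DNs below are
# constructed sample values.


def header_to_env_name(header: str) -> str:
    """Map an HTTP header name to the CGI/Rack environment key Puppet reads.

    Apache exposes 'X-PUPPET-Client-DN' to Rack as 'HTTP_X_PUPPET_CLIENT_DN',
    which is why puppet.conf spells the setting that way.
    """
    return "HTTP_" + header.upper().replace("-", "_")


# The three RequestHeader lines from the proxy vhost: header -> SSL env var.
REQUEST_HEADER_SET = {
    "X-SSL-Subject": "SSL_CLIENT_S_DN",
    "X-PUPPET-Client-DN": "SSL_CLIENT_S_DN",
    "X-PUPPET-Client-Verify": "SSL_CLIENT_VERIFY",
}


def proxy_forward(client_headers: dict, ssl_env: dict) -> dict:
    """Headers the proxy sends on to the master.

    `RequestHeader set` overwrites. With `SSLOptions +StdEnvVars` the variable
    SSL_CLIENT_VERIFY is always present (NONE when no client certificate was
    offered); for a variable that is not set at all mod_headers substitutes
    "(null)" (approximation of Apache's behaviour).
    """
    forwarded = dict(client_headers)
    for header, env_var in REQUEST_HEADER_SET.items():
        forwarded[header] = ssl_env.get(env_var, "(null)")
    return forwarded


def rack_env(headers: dict) -> dict:
    """What the Rack application (the puppetmaster) sees for those headers."""
    return {header_to_env_name(name): value for name, value in headers.items()}


CN_PATTERN = re.compile(r"CN=([^,/]+)")


def authenticated_certname(env: dict,
                           ssl_client_header="HTTP_X_PUPPET_CLIENT_DN",
                           ssl_client_verify_header="HTTP_X_PUPPET_CLIENT_VERIFY"):
    """Return the agent's verified certname, or None for an anonymous request.

    Simplified model of Puppet's Rack handler: the DN is only consulted when
    the verify header equals SUCCESS; anything else is unauthenticated.
    """
    if env.get(ssl_client_verify_header) != "SUCCESS":
        return None
    match = CN_PATTERN.search(env.get(ssl_client_header, ""))
    return match.group(1) if match else None


def certname_through_proxy(client_headers: dict, ssl_env: dict):
    """End to end: client request + the proxy's SSL view -> certname the master trusts."""
    return authenticated_certname(rack_env(proxy_forward(client_headers, ssl_env)))


def check_puppet_conf(puppet_conf: str) -> list:
    """Report [master] header settings that name no header the proxy actually sets."""
    settings = {}
    for raw in puppet_conf.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    expected = {header_to_env_name(h) for h in REQUEST_HEADER_SET}
    problems = []
    for key in ("ssl_client_header", "ssl_client_verify_header"):
        value = settings.get(key)
        if value is None:
            problems.append(f"{key} is not set")
        elif value not in expected:
            problems.append(f"{key} = {value} matches no RequestHeader the proxy sets")
    return problems


if __name__ == "__main__":
    # Agent with a CA-signed certificate: the proxy saw SUCCESS, the master trusts the CN.
    good = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN": "/CN=agent01.example.com"}
    print(certname_through_proxy({}, good))  # agent01.example.com
    # No certificate offered: headers already present on the request are
    # overwritten by the proxy, so the master treats the request as anonymous.
    anon = {"SSL_CLIENT_VERIFY": "NONE"}
    print(certname_through_proxy({"X-PUPPET-Client-Verify": "SUCCESS",
                                  "X-PUPPET-Client-DN": "/CN=agent01.example.com"}, anon))  # None
    print(check_puppet_conf("[master]\nssl_client_header = HTTP_X_PUPPET_CLIENT_DN\n"
                            "ssl_client_verify_header = HTTP_X_PUPPET_CLIENT_VERIFY\n"))  # []
```

Two things in Karl's configuration line up with this model. The proxy uses `RequestHeader set` rather than `add` or a conditional edit, so the headers reach the master only with values derived from the TLS session the proxy itself terminated. And the master's 8141 vhost, the one the proxy talks to, has no RequestHeader lines of its own: if it set them from its own SSL_CLIENT_S_DN, every request would carry the proxy's certificate DN instead of the agent's, since the proxy's machine certificate is what that TLS session authenticates. The 8140 vhost on the master does set them, which is correct there because agents connect to it directly.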