Right - and on that note, I think I've made a little bit of progress, but
I'm still not there yet.
I looked at the apache vhost file for the puppetmaster, and found the
following:
# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1000
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off
Listen 8140
NameVirtualHost 10.60.0.100:8140
<VirtualHost 10.60.0.100:8140>
# LogLevel debug
ServerName puppet.nyc.viddler.com
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.domain.com.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.domain.com.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
So "domain" is our old domain, and 10.60 needs to be changed as well.
I'll report back if this fixes the issue or not.
On Tuesday, November 18, 2014 9:46:22 AM UTC-5, jcbollinger wrote:
>
>
>
> On Tuesday, November 18, 2014 7:57:44 AM UTC-6, Roger Sherman wrote:
>>
>> For some reason, (I think) the PM is unable to sign them. At least,
>> that's what seems to be the case.
>>
>
>
> Well yes, sort of. It appears that the PM is unable to sign the requests
> because the client is unable to establish a secure connection over which to
> *issue* the request in the first place. (The client doesn't need its own
> cert for that. The client cert is for the client to prove its identity to
> the master, which it doesn't need to do to request cert signing.)
>
>
> John
>
>
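The mismatch described in the message above (certificate paths that still carry the old domain, and a VirtualHost bound to the old address) can be checked mechanically. This is an added example, not part of the original thread; it assumes the master's certificate file is named after the vhost's ServerName, and the address 192.0.2.10 and all function names are constructed for illustration.

```python
import os
import re

# Constructed sample, shortened from the vhost quoted in the message above.
SAMPLE_VHOST = """\
Listen 8140
<VirtualHost 10.60.0.100:8140>
ServerName puppet.nyc.viddler.com
SSLEngine on
SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.domain.com.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.domain.com.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
</VirtualHost>
"""

# Directives whose file is specific to this host (the CA files are not).
HOST_CERT_DIRECTIVES = {"sslcertificatefile", "sslcertificatekeyfile"}

def parse_vhost(text):
    """Return (bind_addresses, server_name, {directive: path}) from vhost text."""
    binds, server_name, certs = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            binds += [a.rsplit(":", 1)[0] for a in m.group(1).split()]
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # closing tags and bare directives
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key == "servername":
            server_name = value
        elif key in HOST_CERT_DIRECTIVES:
            certs[parts[0]] = value
    return binds, server_name, certs

def stale_references(text, local_addresses):
    """List places where the vhost still points at an old name or address."""
    binds, server_name, certs = parse_vhost(text)
    findings = []
    for addr in binds:
        if addr not in ("*", "_default_") and addr not in local_addresses:
            findings.append(f"VirtualHost binds {addr}, not a local address")
    for directive, path in certs.items():
        stem = os.path.splitext(os.path.basename(path))[0]
        if server_name and stem != server_name:
            findings.append(f"{directive} is for {stem}, ServerName is {server_name}")
    return findings
```

Pass the contents of the real vhost file and the set of addresses currently configured on the master; an empty list means neither kind of stale reference was found.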