Hello,
I am evaluating Puppet Enterprise 3.7.1, which includes puppet-server 0.4.1.
I am terminating SSL at an Nginx reverse proxy, using a configuration which
works fine with the old Apache/Passenger stack:

    proxy_set_header X-Client-Verify $ssl_client_verify;
    proxy_set_header X-Client-DN $ssl_client_s_dn;

/etc/puppetlabs/puppetserver/conf.d/webserver.conf:

    [...]
    client-auth : none
    host : 0.0.0.0
    port : 18140
    [...]

/etc/puppetlabs/puppetserver/conf.d/master.conf:

    master: {
        allow-header-cert-info: true
    }

/etc/puppetlabs/puppet/puppet.conf:

    [...]
    ssl_client_header = HTTP_X_CLIENT_DN
    ssl_client_verify_header = HTTP_X_CLIENT_VERIFY

According to my reading of:
https://docs.puppetlabs.com/puppetserver/1.0/external_ssl_termination.html
https://docs.puppetlabs.com/references/3.7.latest/configuration.html#sslclientheader
... this should work, assuming the behavior didn't change from 0.4.1 to 1.0.
However, in /var/log/pe-puppetserver/puppetserver.log:

    ERROR [p.s.r.request-handler-core] The DN '/CN=pe-agent.site' provided by the HTTP header 'x-client-dn' is malformed.

The listed DN appears to match the format given in the documentation
("/CN=puppet.puppetlabs.com").
From here, authentication fails and the agent run explodes. Am I missing
something?
Thanks.