Justin,

Thanks!  I have successfully worked around SERVER-213 with the following 
nginx hack:

  if ($ssl_client_s_dn ~* "^/(CN=.+)$") {
    set $ssl_client_s_dn $1;
  }

On Monday, December 29, 2014 2:52:39 PM UTC-5, Justin May wrote:
>
> Hi Kevin,
>
> We have identified this bug in JIRA as SERVER-213. Essentially, we 
> currently only support the standard ',' separated DNs and not OpenSSL 
> style '/' separated ones which are generated by Apache and Nginx. Hopefully 
> we will have this fixed soon. 
>
> Thanks,
> Justin
>
> On Tuesday, December 23, 2014 11:15:27 AM UTC-8, Kevin DeGraaf wrote:
>>
>> Hello,
>>
>> I am evaluating Puppet Enterprise 3.7.1, which includes puppet-server 
>> 0.4.1.
>>
>> I am terminating SSL at an Nginx reverse proxy, using a configuration 
>> which works fine with the old Apache/Passenger stack:
>>
>>   proxy_set_header X-Client-Verify      $ssl_client_verify;
>>   proxy_set_header X-Client-DN          $ssl_client_s_dn;
>>
>> /etc/puppetlabs/puppetserver/conf.d/webserver.conf:
>> [...]
>>   client-auth : none
>>   host        : 0.0.0.0
>>   port        : 18140
>> [...]
>>
>> /etc/puppetlabs/puppetserver/conf.d/master.conf:
>> master: {
>>     allow-header-cert-info: true
>> }
>>
>> /etc/puppetlabs/puppet/puppet.conf:
>> [...]
>>     ssl_client_header = HTTP_X_CLIENT_DN
>>     ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
>>
>> According to my reading of:
>> https://docs.puppetlabs.com/puppetserver/1.0/external_ssl_termination.html
>>
>> https://docs.puppetlabs.com/references/3.7.latest/configuration.html#sslclientheader
>>
>> ... this should work, assuming the behavior didn't change from 0.4.1 to 
>> 1.0.
>>
>> However, in /var/log/pe-puppetserver/puppetserver.log:
>>
>> ERROR [p.s.r.request-handler-core] The DN '/CN=pe-agent.site' provided by 
>> the HTTP header 'x-client-dn' is malformed.
>>
>> The listed DN appears to match the format given in the documentation ("
>> /CN=puppet.puppetlabs.com").
>>
>> From here, authentication fails and the agent run explodes.  Am I missing 
>> something?
>>
>> Thanks.
>>
>>
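
The two DN styles discussed in this thread, as an added example that is not part of the original messages or of Puppet Server's code: a converter from the OpenSSL '/'-separated form to the ','-separated RFC 2253 form. The function names are hypothetical, and the sketch assumes attribute values contain no '/' and no multi-valued RDNs.

```python
import re

# Attribute type: a short name such as CN or emailAddress, or a dotted OID.
_ATTR = re.compile(r"(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)")
# Characters RFC 2253 requires to be backslash-escaped inside a value.
_SPECIAL = ',+"\\<>;'


def escape_value(value):
    """Escape one attribute value for use in a ','-separated DN."""
    chars = ["\\" + c if c in _SPECIAL else c for c in value]
    if chars[0] in ("#", " "):           # leading '#' or space
        chars[0] = "\\" + chars[0]
    if len(chars) > 1 and chars[-1] == " ":  # trailing space
        chars[-1] = "\\ "
    return "".join(chars)


def openssl_dn_to_rfc2253(dn):
    """Convert '/C=US/O=Org/CN=host' into 'CN=host,O=Org,C=US'.

    Raises ValueError instead of guessing when the input is not a
    well-formed '/'-separated DN, so a bad header is rejected rather
    than passed on to the authorization layer.
    """
    if not dn.startswith("/"):
        raise ValueError("not an OpenSSL-style DN: %r" % dn)
    rdns = []
    for part in dn[1:].split("/"):
        attr, sep, value = part.partition("=")
        if not sep or not value or not _ATTR.fullmatch(attr):
            raise ValueError("malformed RDN %r in %r" % (part, dn))
        if any(ord(c) < 0x20 for c in value):
            raise ValueError("control character in RDN %r" % part)
        rdns.append("%s=%s" % (attr, escape_value(value)))
    # OpenSSL lists the most general RDN first; RFC 2253 lists it last.
    return ",".join(reversed(rdns))


if __name__ == "__main__":
    # Constructed sample inputs; the first is the DN from the log line above.
    for sample in ("/CN=pe-agent.site",
                   "/C=US/O=Example, Inc./CN=agent01.example.test"):
        print(sample, "->", openssl_dn_to_rfc2253(sample))
```

Unlike the single-CN regex workaround, this reorders and escapes multi-component subjects and fails closed on anything it cannot parse.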
