Hey,

For anyone who is using Apache:

Change:

RequestHeader set X-Client-DN "/CN=%{SSL_CLIENT_S_DN_CN}e"

to:

RequestHeader set X-Client-DN "CN=%{SSL_CLIENT_S_DN_CN}e"

in your Puppet vhost.

On Tuesday, 23 December 2014 20:15:27 UTC+1, Kevin DeGraaf wrote:
>
> Hello,
>
> I am evaluating Puppet Enterprise 3.7.1, which includes puppet-server 
> 0.4.1.
>
> I am terminating SSL at an Nginx reverse proxy, using a configuration 
> which works fine with the old Apache/Passenger stack:
>
>   proxy_set_header X-Client-Verify      $ssl_client_verify;
>   proxy_set_header X-Client-DN          $ssl_client_s_dn;
>
> /etc/puppetlabs/puppetserver/conf.d/webserver.conf:
> [...]
>   client-auth : none
>   host        : 0.0.0.0
>   port        : 18140
> [...]
>
> /etc/puppetlabs/puppetserver/conf.d/master.conf:
> master: {
>     allow-header-cert-info: true
> }
>
> /etc/puppetlabs/puppet/puppet.conf:
> [...]
>     ssl_client_header = HTTP_X_CLIENT_DN
>     ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
>
> According to my reading of:
> https://docs.puppetlabs.com/puppetserver/1.0/external_ssl_termination.html
>
> https://docs.puppetlabs.com/references/3.7.latest/configuration.html#sslclientheader
>
> ... this should work, assuming the behavior didn't change from 0.4.1 to 
> 1.0.
>
> However, in /var/log/pe-puppetserver/puppetserver.log:
>
> ERROR [p.s.r.request-handler-core] The DN '/CN=pe-agent.site' provided by 
> the HTTP header 'x-client-dn' is malformed.
>
> The listed DN appears to match the format given in the documentation ("
> /CN=puppet.puppetlabs.com").
>
> From here, authentication fails and the agent run explodes.  Am I missing 
> something?
>
> Thanks.
>
>
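
The fix above drops the leading slash for a one-element DN. As an added example (not from either poster and not Puppet code), this sketch converts a full slash-separated subject DN into the comma-separated RFC 2253 form. It assumes that is the form the server accepts in X-Client-DN; the function names and sample DNs are constructed for illustration.

```python
import re

# Attribute type: a short name (CN, O, emailAddress) or a dotted OID.
_ATTR = r"(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)"
# In the slash form a "/" starts a new RDN only when "ATTR=" follows it,
# so a "/" inside a value (CN=a/b) is kept as part of that value.
_SLASH_RDN = re.compile(r"/(?=" + _ATTR + r"=)")
_RDN = re.compile(r"(" + _ATTR + r")=(.*)", re.S)


def _escape_value(value):
    """Backslash-escape the characters RFC 2253 treats as special."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\")
        out.append(ch)
    return "".join(out)


def slash_dn_to_rfc2253(dn):
    """Convert '/C=US/O=Example/CN=host' to 'CN=host,O=Example,C=US'.

    Multi-valued RDNs are not recognised: a '+' is treated as value text.
    """
    parts = _SLASH_RDN.split(dn)
    if parts[0] != "" or len(parts) < 2:
        raise ValueError("not a slash-separated DN: %r" % dn)
    rdns = []
    for part in parts[1:]:
        # Each part starts with "ATTR=" because of the lookahead in the split.
        attr, value = _RDN.fullmatch(part).groups()
        rdns.append(attr + "=" + _escape_value(value))
    # RFC 2253 lists the most specific RDN first, the slash form lists it last.
    return ",".join(reversed(rdns))


def header_dn(dn):
    """Return the comma form, converting only values that start with '/'."""
    return slash_dn_to_rfc2253(dn) if dn.startswith("/") else dn


if __name__ == "__main__":
    # Constructed sample values, including the DN from the log line above.
    for sample in ("/CN=pe-agent.site", "/C=US/O=Example, Inc./CN=a/b"):
        print(sample, "->", header_dn(sample))
```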
