I have a single LB running Apache with mod_proxy in front of a Puppet master. These are the LB and Puppet master configs:
<Proxy balancer://puppetmaster> BalancerMember http://192.168.1.10:8140 </Proxy> Listen 8140 <VirtualHost *:8140> SSLEngine on SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA SSLProtocol -ALL +SSLv3 +TLSv1 SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP SSLCertificateFile /var/lib/puppet/ssl/certs/ puppetlb.example.com.pem SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/ puppetlb.example.com.pem SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem SSLVerifyClient optional SSLVerifyDepth 1 SSLOptions +StdEnvVars RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e <Location /> SetHandler balancer-manager Order allow,deny Allow from all </Location> ProxyPass / balancer://puppetmaster/ ProxyPassReverse / balancer://puppetmaster/ ProxyPreserveHost On </VirtualHost> Ant the back-end Puppet master: Listen 8140 <VirtualHost *:8140> SSLEngine off # Obtain Authentication Information from Client Request Headers SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1 SetEnvIf X-SSL-Client-DN "(.*)" SSL_CLIENT_S_DN=$1 RackAutoDetect On DocumentRoot /etc/puppet/rack/puppetmaster/public/ <Directory /etc/puppet/rack/puppetmaster/> Options None AllowOverride None Order allow,deny allow from all </Directory> </VirtualHost> On the puppet agent when I initially request a cert, all works well and the Puppet master back-end receives it and I can sign it on the master with puppetca -s hostname. After this when i run puppetd -tv on the agent I get this error: err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client Also, when I run this on the LB and the master: tcpdump -s 1024 -l -A port 8140 -i eth1 I see that headers are not set at all: X-SSL-Subject: (null) X-SSL-Client-DN: (null) X-Client-Verify: NONE Any idea what I am missing? -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.