Hi,
I'm glad to hear good news,
and congrats because the setup is a bit tricky.
I noticed you enabled SSLProxyMachineCertificateFile. I think that now
the next step would be to enable mandatory certificate checking on
puppetmaster_host of remote_proxy_host certificate.
I will try this
Thanks - I turned it on for each vhost and it doesn't appear to cause any
issue. From what you included about SSLVerify, does it mean that option is
required for SSLVerifyClient to work properly?
Karl
On Monday, November 25, 2013 4:46:33 AM UTC-5, pdpinfo wrote:
Hi,
I'm glad to hear good
Hi Karl,
I tried to copy your setup but I still get SSL errors in my puppet clients.
I am not sure about the certificates, did you use the same certificates on
Puppet Master and RP ? I would be grateful if you could share the results
of your work,
Regards,
Marcella
Am Samstag, 23. November
Hi There,
Yes I did use the same certificates on both. I also used an alternate DNS
name for the RP so I created the cert with an alt_dns_name:
puppet cert generate remote_puppet_host --dns_alt_names
remote_puppet_host_alt
That cert and private_key gets copied from puppetmaster cert directory
Hi Paolo,
It took me a while but I finally got my puppetmaster setup to use passenger
and apache.
I'm working on the remote proxy but had a question about the Puppet cert
configuration. How are you keeping the SSL certs used on the RP in sync
with the puppetmaster? Or are they a seperate set?
I finally got it. Lots of searching, poking and twiddling with apache
services :) Thank you so much!
Here are my config files. Remote proxy is SLES11, puppetmaster is RHEL5
with EPEL and Puppet repos. Note that SSLProxyMachineCertificateFile
Hi Karl,
here following are apache conf that work, afaik (any comment is welcomed):
- puppetserver: direct and indirect access
- proxy server
You can have direct and proxied clients:
clients
|
tcp/8140
|
Puppet Server
|
tcp/8141
---firewall
|
RP
|
tcp/8140
Very cool, thank you so much! I'll be reviewing this and will give it a try
as soon as I can.
Karl
On Wednesday, November 20, 2013 6:41:17 AM UTC-5, pdpinfo wrote:
Hi Karl,
here following are apache conf that work, afaik (any comment is welcomed):
- puppetserver: direct and indirect access
Hi Karl,
this topic has been discussed many times, particularly in respect of large
scale and distributed.
There are many possible setups/solutions.
I try to add my 2cents, firstly pointing out main issues.
Cannot say if this setup can be recommended, but it works well for us.
1) how large is
Paolo, thank you so much for the info. It is a bit confusing, so I've got a
bit of a ways to go, but it is helpful in designing a comprehensive puppet
infrastructure.
Can you provide any more details on your puppet proxy server
configuration? I do not have much experience dealing with Apache
Paolo, thank you so much for the info. It is a bit confusing, so I've got a
bit of a ways to go, but it is helpful in designing a comprehensive puppet
infrastructure.
Can you provide any more details on your puppet proxy server
configuration? I do not have much experience dealing with Apache
This is how I do it here
https://github.com/fsalum/vagrant-puppet/blob/master/puppetmaster/templates/etc/apache2/sites-available/puppetmaster_balancer.erb
https://github.com/fsalum/vagrant-puppet/blob/master/puppetmaster/files/etc/apache2/sites-available/puppetmaster_ca
12 matches
Mail list logo
