Hi Jonathan, Ohad - Jonathan, I was using the -k option on purpose in an effort to reduce noise during testing.
I'm familiar with CRLs, sure - just didn't realize that Puppet might use one. Thanks for letting me know, Ohad. I've implemented the CRL that Puppet maintains, inside of this Apache host, and things seem to work fine now: Error code: ssl_error_handshake_failure_alert This is good news. Exactly what I was looking for. Thanks again -dant On Thu, Dec 23, 2010 at 12:08 AM, Ohad Levy <ohadl...@gmail.com> wrote: > with recent versions of puppet, when you clean a certificate, you also > revoke it, you apache is simply not configured to look at the CRL > (certificate revocation list). > Ohad > > On Wed, Dec 22, 2010 at 11:43 PM, Dan Trainor <dan.trai...@gmail.com> wrote: >> >> Hi - >> >> I read up on this subject quite a bit, and was able to find a few >> posts on the mailing list, even found a wiki article. Unfortunately >> it doesn't quite address what I'm looking to do. >> >> From what I understand, Puppet's client/server authentication system - >> using SSL - is portable. I believe that I should be able to use the >> same SSL certificates and keys (and even the same CA) with regard to >> other SSL/TLS connections, as well. >> >> In particular, I want to use Apache's 'SSLVerifyClient require' >> option, but not in my Mongrel setup, but for an entirely different SSL >> site which also happens to be on the same machine as my Puppet master. >> Assuming both my Puppet master and my Puppet agent represent the >> server and client in this connection, respectively, then I believe I >> should be able to use that already-established and signed and trusted >> SSL relationship to implement this additional site. I do expect >> problems with CN mismatches, but I can live with that. >> >> I've gone through the process of configuring an additional SSL site in >> Apache to use 'SSLVerifyClient require', and mimicked a request from a >> Puppet node (previously signed, enrolled, and working) using curl. I >> used the Puppet generated cert and key from this Puppet node in the >> argument, looking something like this: >> >> curl -k -v --cert certs/job01.vmserver02.dev.az.domain.local.pem --key >> private_keys/job01.vmserver02.dev.az.toolbox.local.pem >> https://10.1.0.165/test.htm >> >> I got a little smile that the request did in fact work without error >> (save having the client use the CA certificiate - I'll re-visit that >> later), but also concerned because I understand this should not have >> worked. I ran puppetca --clean against this particular Puppet node's >> certificate, and expected it to just plain not work any more, and >> thereby updating my Puppet master's key store. >> >> Here's that Apache configuration I was talking about: >> >> <VirtualHost 10.1.0.165:443> >> SSLEngine On >> SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA >> SSLCertificateFile >> /var/lib/puppet/ssl/certs/puppet01.ops.az.domain.local.pem >> SSLCertificateKeyFile >> /var/lib/puppet/ssl/private_keys/puppet01.ops.az.domain.local.pem >> SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem >> SSLVerifyClient require >> SSLVerifyDepth 1 >> SSLOptions +StdEnvVars >> ErrorLog /var/log/httpd/ssltest-error.log >> CustomLog /var/log/httpd/ssltest-access.log combined >> </VirtualHost> >> >> Pretty simple, right? Am I doing this properly? >> >> A little background: I am in the process of building AMIs for >> Amazon's EC2, which will eventually have VPN connections back to a >> secure scope/pool on our internal network. I do not want to >> distribute the VPN profiles, complete with usernames and passwords, >> with the AMIs. I want Puppet to run once, generate those certs on >> both the agent and master, and make those available for a curl request >> in my EC2 bootstrap script to download this VPN profile in a secure >> manner. I only want a signed client accessing this VPN profile (pcf >> file) which is going to be live on the Internet (protected, of course, >> by client certificate verification). >> >> I'm not sure why this doesn't work as I expect it to. I was hoping to >> get some feedback from someone who has gone down this route before, as >> this is all pretty new to me. If nothing more, I'm hoping to be able >> to get this working in this situation, so that I can reuse this >> functionality for other projects. If Puppet is already doing a good >> job of maintaining a nice keystore, why not use it for other things, >> too? >> >> Thanks! >> -dant >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Puppet Users" group. >> To post to this group, send email to puppet-us...@googlegroups.com. >> To unsubscribe from this group, send email to >> puppet-users+unsubscr...@googlegroups.com. >> For more options, visit this group at >> http://groups.google.com/group/puppet-users?hl=en. >> > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To post to this group, send email to puppet-us...@googlegroups.com. > To unsubscribe from this group, send email to > puppet-users+unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/puppet-users?hl=en. > -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-us...@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
