On Thu, Aug 25, 2011 at 8:42 PM, It Dept <i...@ukcrd.com> wrote:
> Hi Nan,
>
> Thanks for the reply. I think I should re-frame the question as I
> don't think I was at all clear.
>
> What we are looking for is a way to prevent the puppet agent from ever
> sending a request to the master if it cannot verify the certificate
> chain. We will handle the secure transfer of certificates/CA cert from
> master to client manually, but we don't want clients accidentally
> downloading the ca themselves insecurely.
>

Not sure if this is what you need but let me share anyway. When I configured Nginx to serve as puppet master I set the ssl_verify_client option to "on" and then no new clients were able to request the certificate chain. Clients that were already signed had no problems downloading the configuration catalogs and worked just fine. Only new clients failed to work with the new server. The nginx logs would show that the client was requesting the "/production/ca" file but the server response was always 404 not found and the client could never get the certificate. Maybe if you force the ssl_verify_client option you can get what you want.

For me this was a problem rather than a feature, and the problem was mainly because nginx (version < 1.0.0) did not support optional ssl client verification as Apache does. With nginx 1.0.5 I can set ssl_verify_client to optional and now my new clients get signed as expected. Since all my clients are in the local LAN or connected via VPN I think I can dismiss the man in the middle security problem.

regards,
Horacio

> Thanks
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
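Added example (not configuration posted by Horacio or shipped by the Puppet or nginx projects): two nginx server blocks that contrast the `ssl_verify_client on` behaviour described in the reply (unsigned agents are refused everywhere, so the CA cannot be fetched over the wire and must be distributed by hand, which is what the original question asked for) with the `ssl_verify_client optional` setting, where nginx lets the handshake proceed without a client certificate and the proxy must decide per location what an unauthenticated agent may reach. Upstream address, hostname, certificate paths, the second listen port and the certificate-endpoint pattern are all assumptions for illustration.

```nginx
# Added example, not from the mailing-list thread.
# Assumed backend running the puppet master application.
upstream puppetmaster {
    server 127.0.0.1:18140;
}

# Variant 1: strict. Every request must carry a client certificate chained
# to the CA in ssl_client_certificate. An agent that has no signed cert yet
# cannot reach any URL, including the certificate/CA endpoints, so the CA
# has to be placed on the node out of band (matches the "on" behaviour
# described in the reply).
server {
    listen      8140 ssl;
    server_name puppet.example.com;                                   # assumed

    ssl_certificate        /etc/puppet/ssl/certs/puppet.example.com.pem;        # assumed
    ssl_certificate_key    /etc/puppet/ssl/private_keys/puppet.example.com.pem; # assumed
    ssl_client_certificate /etc/puppet/ssl/certs/ca.pem;                        # assumed
    ssl_verify_client      on;
    ssl_verify_depth       1;

    location / {
        proxy_pass http://puppetmaster;
        # Pass the verification result and subject DN to the backend so it
        # can authorize the agent by certname rather than trusting the socket.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
    }
}

# Variant 2: optional (nginx >= 1.0.x). The handshake succeeds with or
# without a client certificate, so nginx itself no longer blocks anything.
# The guard below re-creates the strict rule for every path except the
# certificate endpoints, which is the only place an unsigned agent needs.
# Listening on a second port is purely so both variants fit in one file.
server {
    listen      8141 ssl;                                             # assumed port
    server_name puppet.example.com;                                   # assumed

    ssl_certificate        /etc/puppet/ssl/certs/puppet.example.com.pem;        # assumed
    ssl_certificate_key    /etc/puppet/ssl/private_keys/puppet.example.com.pem; # assumed
    ssl_client_certificate /etc/puppet/ssl/certs/ca.pem;                        # assumed
    ssl_verify_client      optional;
    ssl_verify_depth       1;

    # Certificate request/fetch endpoints: reachable without a client cert.
    # The path pattern is an assumption; adjust to the master's REST layout.
    location ~ ^/[^/]+/(certificate|certificate_request)/ {
        proxy_pass http://puppetmaster;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
    }

    # Everything else (catalogs, reports, file content): only for agents
    # whose certificate verified against the CA. $ssl_client_verify is
    # SUCCESS, FAILED or NONE, so this also rejects a cert from another CA.
    location / {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://puppetmaster;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
    }
}
```

Variant 1 is the setting that answers the original question: with `ssl_verify_client on` an agent that cannot present a CA-signed certificate never gets an HTTP response from the master at all. Variant 2 is Horacio's workaround for bootstrapping; the `$ssl_client_verify` check is what keeps `optional` from silently exposing catalogs to any host that can open a TLS connection, and it is the part worth checking with `nginx -t` and a connection from an unsigned node after any change.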