Hi everyone,

I have been trying to set up Puppet 3.0 with Passenger since this morning, and it is
really painful for me.

I am using the directive:
        SSLOptions              +StdEnvVars +ExportCertData


No problem, but when putting '+ExportCertData', I am unable to autosign or
revoke any certificate remotely. I get the following error:
info: Creating a new SSL key for linux-install.fqdn
err: Could not request certificate: Error 400 on SERVER: header too long
Exiting; failed to retrieve certificate and waitforcert is disabled

When using only:
        SSLOptions              +StdEnvVars

Everything works perfectly.


So here is the apache configuration file:
--
# you probably want to tune these settings
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off
PassengerHighPerformance on

Listen 8140

<VirtualHost *:8140>
        ServerName puppetmaster.fqdn
        ServerAlias puppetmaster

        ErrorLog /var/log/apache2/puppetmaster_error.log
        LogLevel warn
        SetEnvIf Remote_Addr "::1" dontlog
        CustomLog /var/log/apache2/puppetmaster_access.log combined env=!dontlog

        SSLEngine on
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

        SSLCertificateFile      /data/local/puppet/ssl/certs/puppetmaster.fqdn.pem
        SSLCertificateKeyFile   /data/local/puppet/ssl/private_keys/puppetmaster.fqdn.pem
        SSLCertificateChainFile /data/local/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile    /data/local/puppet/ssl/ca/ca_crt.pem
        # If Apache complains about invalid signatures on the CRL, you can try disabling
        # CRL checking by commenting the next line, but this is not recommended.
        SSLCARevocationFile     /data/local/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient         optional
        SSLVerifyDepth          1
        # The `ExportCertData` option is needed for agent certificate expiration warnings
        SSLOptions              +StdEnvVars +ExportCertData

        # This header needs to be set if using a loadbalancer or proxy
        # RequestHeader unset X-Forwarded-For

        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

        RackAutoDetect  On

        DocumentRoot /var/www/puppetmaster/public/
        RackBaseURI /
        <Directory /var/www/puppetmaster/>
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>
--


So any clue?


Regards,
JM
