Josh, thanks for the info. Based on your description, I think I was seeing 
a bug, because the agents were all definitely getting certificates. When 
I did the tcpdump, I could see them being used in the exchange. So, it 
sounds like the puppetmaster running in webrick was still performing a 
reverse lookup even with the agent having a client cert.

Is there anything that would be helpful for me to try to nail down if it's 
doing the right thing or not?

Kirk

On Thursday, January 10, 2013 12:37:59 PM UTC-5, Josh Cooper wrote:
>
> The puppetmaster, specifically 
> Puppet::Network::HTTP::Handler#resolve_node, will perform a reverse 
> lookup in some situations. When using webrick, the puppetmaster will 
> perform a reverse lookup if the request does not contain a 
> client_cert. When using puppetmaster inside a rack application, it 
> will perform a reverse lookup if the request does not contain a header 
> parameter that matches Puppet's `ssl_client_header` setting. 
>
> If all of your agents have already been issued certificates, then I 
> would not expect any "unauthenticated" requests, so I wouldn't expect 
> any further lookups... 
>

 
