Hello, I tried different configurations with SNI and authentication (classic certificates or puppet); I could say it's impossible. Maybe I'm missing something, but I don't think so.
You have to use another DNS name or use a different port. Good luck.

On Fri, May 17, 2013 at 9:46 PM, Jonathan Proulx <[email protected]> wrote:
> Hi All,
>
> I've run into a bit of a tangle.
>
> I currently have two puppet masters which are "load balanced" with round
> robin DNS (one is also the CA). I'm using dns_alt_names to let them each
> answer to puppet.my.domain.com
>
> For the past year this has been fine.
>
> About a week ago I tried to add a third & while all my Linux clients are
> happy with the new arrangement, my smaller number of FreeBSD9 systems fail
> with:
>
> puppet-agent[73345]: Failed to apply catalog: SSL_connect returned=1
> errno=0 state=SSLv2/v3 read server hello A: (null)
>
> when hitting the newly deployed server. If I give the specific host name
> as the --server argument (rather than the alternative name that gets the
> round robin DNS) puppet agent connects and runs properly.
>
> I've tracked this down to the FreeBSD client using SNI, whereas the Linux
> clients do not, and the older servers don't support SNI so it is ignored.
>
> All servers are using apache mod_ssl and passenger, but I'm not sure how to
> proceed.
>
> I could generate a "puppet.my.domain.com" certificate, distribute it to
> all the servers and set up name based virtual hosts that SNI is designed to
> facilitate, but then I can't selectively revoke the certs if there's a
> security issue with one server, so I'd rather keep my per host certificates
> with dns_alt_names.
>
> This is probably more of an apache question now, but does anyone here know
> how to get Apache to accept an SNI for a name that is a dns_alt_name of a
> cert rather than the CN? Or more puppetly if there's a config option to
> not send an SNI from the client? Though that seems the wrong way to fix
> the problem.
>
> Thanks,
> -Jon
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/puppet-users?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.
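An added diagnostic for the situation described in the thread (not code from the list or from Puppet): it pulls the certificate a master presents with and without SNI and checks whether the round-robin name is listed among its dns_alt_names, which is what to verify before touching any vhost configuration. It assumes openssl(1) 1.1.1 or later (for `-noservername`); the host, port and names are placeholders.

```shell
#!/bin/sh
# Added diagnostic (not from the thread or from Puppet). Compares the leaf
# certificate a master serves to a client that sends SNI (like the FreeBSD
# agents) with the one served to a client that does not (like the Linux
# agents), and checks the X509v3 Subject Alternative Name for the shared name.
# Assumes openssl 1.1.1+; hostnames and port below are placeholders.

# san_has_name TEXT NAME: TEXT is `openssl x509 -noout -text` output; returns 0
# when "DNS:NAME" appears in the Subject Alternative Name extension.
san_has_name() {
    printf '%s\n' "$1" \
      | sed -n '/Subject Alternative Name/{n;p;}' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
      | grep -qxF "DNS:$2"
}

# fetch_cert HOST PORT [SNI]: print the served leaf certificate as text.
# With a third argument the handshake carries that SNI name; without it,
# -noservername suppresses SNI entirely.
fetch_cert() {
    if [ -n "$3" ]; then
        openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$1:$2" -noservername </dev/null 2>/dev/null
    fi | openssl x509 -noout -text
}

# check_master HOST PORT NAME: report whether SNI changes the certificate and
# whether each served certificate lists DNS:NAME.
check_master() {
    plain=$(fetch_cert "$1" "$2") || return 2
    sni=$(fetch_cert "$1" "$2" "$3") || return 2
    if [ "$plain" != "$sni" ]; then
        echo "SNI for $3 selects a different certificate than a no-SNI handshake"
    else
        echo "same certificate served with and without SNI"
    fi
    san_has_name "$plain" "$3" && echo "no-SNI cert lists DNS:$3" \
        || echo "no-SNI cert lacks DNS:$3"
    san_has_name "$sni" "$3" && echo "SNI cert lists DNS:$3" \
        || echo "SNI cert lacks DNS:$3"
}

# Example invocation (placeholder names):
#   ./check_sni.sh puppet3.my.domain.com 8140 puppet.my.domain.com
if [ "$#" -eq 3 ]; then check_master "$@"; fi
```

Run it against each master in the round-robin set; a master whose SNI response differs from its no-SNI response, or whose certificate lacks the shared name, is the one the SNI-sending agents will fail against.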
