Hi, I'm trying to do SSL offload on Amazon ELB for my puppetmaster servers. It seems Amazon ELB is not sending ssl_client_header & client_verify_header.

puppetmaster

Listen 8141
<VirtualHost *:8141>
    SSLEngine off
    DocumentRoot /etc/puppet/rack/puppetmaster_8141/public/
    RackBaseURI /
    <Directory /etc/puppet/rack/puppetmaster_8141/>
        PassengerEnabled on
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    SetEnvIf X-SSL-Subject "(.*)" SSL_CLIENT_S_DN=$1
    SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
    SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1
    SetEnvIf X-Forwarded-Proto "https" HTTPS=1
    SSLProxyEngine On
    # Proxy all requests that start with things like /production/certificate to the CA
    ProxyPassMatch ^/([^/]+/certificate.*)$ https://puppetlb.aws.*.co.nz:8141/$1
    Errorlog /var/log/httpd/puppetmaster.error.log
    CustomLog /var/log/httpd/puppetmaster.access.log combined
</VirtualHost>

puppetca

Listen 8140
<VirtualHost *:8140>
    SSLEngine off
    # Obtain Authentication Information from Client Request Headers
    SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
    SetEnvIf X-SSL-Client-DN "(.*)" SSL_CLIENT_S_DN=$1
    DocumentRoot /etc/puppet/rack/puppetca_8140/public/
    <Directory /etc/puppet/rack/puppetca_8140/>
        # PassengerEnabled on
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    Errorlog /var/log/httpd/puppetca.error.log
    CustomLog /var/log/httpd/puppetca.access.log combined
</VirtualHost>

The error I'm getting on the backend node

[root@ip-10-250-1-152 puppetmaster_18141]# puppet agent --test --no-daemonize
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /node/ip-10-250-1-152.aws.*.co.nz [find] at :125
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /file_metadata/plugins [search] at :125
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /file_metadata/plugins [find] at :125 Could not retrieve file metadata for puppet://puppetlb.aws.*.co.nz/plugins: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /file_metadata/plugins [find] at :125
Error: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /catalog/ip-10-250-1-152.aws.*co.nz [find] at :125
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: Error 403 on SERVER: Forbidden request: puppetmaster1.aws.*.co.nz(10.250.1.152) access to /report/ip-10-250-1-152.aws.*.co.nz [save] at :125

Thanks