Hi Karl,

I tried to copy your setup, but I still get SSL errors in my puppet clients. 
I am not sure about the certificates: did you use the same certificates on 
the Puppet master and the RP? I would be grateful if you could share the 
results of your work.

Regards,
Marcella

On Saturday, 23 November 2013 00:24:47 UTC+1, kschafer2598 wrote:
>
>
> I finally got it. Lots of searching, poking and twiddling with apache 
> services :) Thank you so much!
>
> Here are my config files. The remote proxy is SLES11; the puppetmaster is RHEL5 
> with EPEL and Puppet repos. Note that SSLProxyMachineCertificateFile 
> /var/lib/puppet/ssl/certs/remote_proxy_host.combined is the private key 
> and cert for the remote proxy, concatenated into a single file 
> (/var/lib/puppet/ssl/certs/puppetmaster_host.pem 
> and /var/lib/puppet/ssl/private_keys/puppetmaster_host.pem).
>
> Apache conf.d/puppetmaster.conf:
>
> PassengerMaxPoolSize 4
> PassengerMaxRequests 1000
> PassengerPoolIdleTime 600
>
> Listen 8141
> <VirtualHost *:8141>
>     SSLEngine on
>     SSLProtocol             All -SSLv2
>     SSLCipherSuite          HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
>     SSLCertificateFile      /var/lib/puppet/ssl/certs/puppetmaster_host.pem
>     SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/puppetmaster_host.pem
>     SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
>     SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
>     SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
>     SSLVerifyClient         optional
>     SSLVerifyDepth          1
>     SSLOptions              +StdEnvVars +ExportCertData
>
>     PassengerStatThrottleRate 120
>     DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
>     <Directory /usr/share/puppet/rack/puppetmasterd/>
>         Options None
>         AllowOverride None
>         Order Allow,Deny
>         Allow from All
>     </Directory>
> </VirtualHost>
>
> Listen 8140
> <VirtualHost *:8140>
>     SSLEngine On
>     SSLProtocol             All -SSLv2
>     SSLCipherSuite          HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
>     SSLCertificateFile      /var/lib/puppet/ssl/certs/puppetmaster_host.pem
>     SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/puppetmaster_host.pem
>     SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
>     SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
>     SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
>     SSLVerifyClient         optional
>     SSLVerifyDepth          1
>     SSLOptions              +StdEnvVars +ExportCertData
>
>     RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
>     RequestHeader set X-PUPPET-Client-DN %{SSL_CLIENT_S_DN}e
>     RequestHeader set X-PUPPET-Client-Verify %{SSL_CLIENT_VERIFY}e
>
>     PassengerStatThrottleRate 120
>     DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
>     <Directory /usr/share/puppet/rack/puppetmasterd/>
>         Options None
>         AllowOverride None
>         Order Allow,Deny
>         Allow from All
>     </Directory>
> </VirtualHost>
>
> /etc/puppet.conf:
>
> # section header added here: the settings below apply to all run modes
> [main]
>     logdir = /var/log/puppet
>     rundir = /var/run/puppet
>     ssldir = $vardir/ssl
>     server = puppetmaster_host
>     pluginsync = true
> [agent]
>     classfile = $vardir/classes.txt
>     localconfig = $vardir/localconfig
>     report = true
>     environment = production
> [master]
>     reports = store,http,foreman,log
>     reporturl = http://puppetmaster_host:3000/reports/upload
>     storeconfigs = true
>     #async_storeconfigs = true
>     dbadapter = mysql
>     dbuser = puppet
>     dbpassword = f1rmwar3
>     dbserver = localhost
>     dbsocket = /var/lib/mysql/mysql.sock
>     dbconnections = 10
>     node_terminus = exec
>     facts_terminus = yaml
>     external_nodes = /usr/share/puppet/ext/susemanager_enc.rb
>     ssl_client_header = HTTP_X_PUPPET_CLIENT_DN
>     ssl_client_verify_header = HTTP_X_PUPPET_CLIENT_VERIFY
>
> Remote Proxy
>
> LoadModule headers_module /usr/lib64/apache2/mod_headers.so
> Listen 8140
>
> <VirtualHost *:8140>
>     ServerName remote_proxy_host:8140
>     SSLEngine on
>     SSLProtocol             All -SSLv2
>     SSLCipherSuite          HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
>     SSLCertificateFile /var/lib/puppet/ssl/certs/remote_proxy_host.pem
>     SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/remote_proxy_host.pem
>     SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
>     SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
>     SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
>     SSLVerifyClient optional
>     SSLVerifyDepth 1
>     SSLOptions +StdEnvVars
>
>     LogLevel warn
>
>     RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
>     RequestHeader set X-PUPPET-Client-DN %{SSL_CLIENT_S_DN}e
>     RequestHeader set X-PUPPET-Client-Verify %{SSL_CLIENT_VERIFY}e
>
>     RewriteEngine On
>     TraceEnable Off
>     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
>     RewriteRule .* - [F]
>
>     SSLProxyEngine on
>     SSLProxyVerify require
>     SSLProxyCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
>     SSLProxyCheckPeerCN on
>     SSLProxyMachineCertificateFile /var/lib/puppet/ssl/certs/remote_proxy_host.combined
>
>     ProxyPass        / https://puppetmaster_host:8141/
>     ProxyPassReverse / https://puppetmaster_host:8141/
>     ProxyPreserveHost On
>
>     <Location />
>         Order deny,allow
>         allow from All
>         deny from all
>     </Location>
> </VirtualHost>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/59f2868b-3332-41c0-9607-0be6c90aa16b%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

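The part of the quoted setup that carries the agent identity is a two-hop path: the proxy terminates TLS and writes the client-certificate DN and verify result into X-PUPPET-Client-DN / X-PUPPET-Client-Verify with `RequestHeader set`, and the master reads those headers back through `ssl_client_header` / `ssl_client_verify_header` in puppet.conf. The Ruby below is an added illustration of that flow written for this page; it is not kschafer2598's code and not Puppet's or Apache's own implementation. It keeps the header and setting names from the quoted configs; the function names and the sample DNs are constructed. It also handles the one detail that differs between Apache versions: 2.2 (the RHEL5/SLES11 era shown) writes SSL_CLIENT_S_DN in the slash-separated legacy form, while 2.4 defaults to RFC 2253 order unless `SSLOptions +LegacyDNStringFormat` is set, so a CN extractor has to accept both.

```ruby
# Added illustration, not Puppet's or Apache's own code: a model of how the
# agent identity flows through the proxy -> master setup quoted above.
#   1. The proxy terminates TLS and uses "RequestHeader set" to write the
#      client-certificate DN and verify result into X-PUPPET-* headers.
#   2. The master (ssl_client_header / ssl_client_verify_header in puppet.conf)
#      reads those headers from the Rack env and derives the node name.
# Header and setting names are those of the quoted configs; function names
# and sample DNs are constructed for this example.

# puppet.conf values, as Rack exposes them (HTTP_ + upper-cased, '-' -> '_')
SSL_CLIENT_HEADER        = 'HTTP_X_PUPPET_CLIENT_DN'
SSL_CLIENT_VERIFY_HEADER = 'HTTP_X_PUPPET_CLIENT_VERIFY'

# The RequestHeader directives of the proxy vhost: header name => SSL env var.
PROXIED_HEADERS = {
  'X-SSL-Subject'          => 'SSL_CLIENT_S_DN',
  'X-PUPPET-Client-DN'     => 'SSL_CLIENT_S_DN',
  'X-PUPPET-Client-Verify' => 'SSL_CLIENT_VERIFY',
}.freeze

# Hop 1: what "RequestHeader set" does. Each listed header is overwritten with
# a value from the TLS session Apache itself terminated, so anything the agent
# supplied under those names never reaches the master. For a connection with
# no client certificate SSL_CLIENT_S_DN is unset; it is modelled as an empty
# string here, which yields no CN below.
def proxy_request_headers(agent_headers, ssl_env)
  forwarded = agent_headers.dup
  PROXIED_HEADERS.each { |name, var| forwarded[name] = ssl_env.fetch(var, '') }
  forwarded
end

# Turn HTTP headers into the Rack env keys the master-side code reads.
def rack_env(headers)
  headers.each_with_object({}) do |(name, value), env|
    env["HTTP_#{name.upcase.tr('-', '_')}"] = value
  end
end

# Extract the CN from a subject DN in either format Apache emits:
#   legacy (2.2, or 2.4 with +LegacyDNStringFormat): "/C=US/O=Example/CN=host"
#   RFC 2253 (2.4 default):                          "CN=host,O=Example,C=US"
# Returns nil when there is no (non-empty) CN attribute.
def common_name_from_dn(dn)
  return nil if dn.nil? || dn.empty?
  parts = if dn.start_with?('/')
            dn[1..-1].split('/')          # legacy: '/'-separated attributes
          else
            dn.split(/(?<!\\),/)          # RFC 2253: ','-separated, "\," escaped
          end
  cn = parts.find { |p| p =~ /\ACN\s*=/i }
  value = cn && cn.split('=', 2)[1].strip
  value.nil? || value.empty? ? nil : value
end

# Hop 2: the identity the master acts on. Only a verify header of exactly
# "SUCCESS" makes the request authenticated; NONE, FAILED:..., GENEROUS or a
# missing header leaves it unauthenticated even when a DN is present.
def client_identity(env)
  node = common_name_from_dn(env[SSL_CLIENT_HEADER])
  return { node: nil, authenticated: false } unless node
  { node: node, authenticated: env[SSL_CLIENT_VERIFY_HEADER] == 'SUCCESS' }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: an agent that presented a certificate the proxy verified ...
  good = proxy_request_headers({ 'Host' => 'remote_proxy_host:8140' },
                               'SSL_CLIENT_S_DN'   => '/CN=agent01.example.com',
                               'SSL_CLIENT_VERIFY' => 'SUCCESS')
  p client_identity(rack_env(good))
  # ... and one with no client certificate, whose own X-PUPPET-* headers
  # are overwritten by the proxy before they reach the master.
  bare = proxy_request_headers({ 'X-PUPPET-Client-DN'     => '/CN=agent01.example.com',
                                 'X-PUPPET-Client-Verify' => 'SUCCESS' },
                               'SSL_CLIENT_VERIFY' => 'NONE')
  p client_identity(rack_env(bare))
end
```

Two things the model makes visible. First, `RequestHeader set` replaces rather than appends, so the master only ever sees proxy-derived values for these names; `RequestHeader add` or `append` would not give that guarantee. Second, the master's 8141 vhost above has `SSLVerifyClient optional` and sets no RequestHeader of its own, so it trusts whichever DN header arrives on that port. The proxy authenticates itself to the master with the machine certificate under `SSLProxyVerify require`, but nothing on 8141 requires a client certificate in the other direction, so that port should be reachable only from the proxy host (host firewall or Apache access control), while agents that talk to 8140 directly get their headers set by that vhost's own RequestHeader lines.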