Re: [Puppet Users] SSL issues arising from cloning environment

Tue, 18 Nov 2014 06:56:28 -0800 

Right - and on that note, I think I've made a little bit of progress, but 
I'm still not there yet.

I looked at the apache vhost file for the puppetmaster, and found the 
following:

# you probably want to tune these settings

PassengerHighPerformance on

PassengerMaxPoolSize 12

PassengerPoolIdleTime 1000

# PassengerMaxRequests 1000

PassengerStatThrottleRate 120

RackAutoDetect Off

RailsAutoDetect Off


Listen 8140

NameVirtualHost 10.60.0.100:8140


<VirtualHost 10.60.0.100:8140>

#       LogLevel debug

        ServerName puppet.nyc.viddler.com

        SSLEngine on

        SSLProtocol -ALL +SSLv3 +TLSv1

        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP


        SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.domain.com.pem

        SSLCertificateKeyFile 
/var/lib/puppet/ssl/private_keys/puppet.domain.com.pem

        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem

        SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem

        # If Apache complains about invalid signatures on the CRL, you can 
try disabling

        # CRL checking by commenting the next line, but this is not 
recommended.

        SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem


So "domain" is our old domain, and 10.60 needs to be changed as well.

I'll report back if this fixes the issue or not.

On Tuesday, November 18, 2014 9:46:22 AM UTC-5, jcbollinger wrote:
>
>
>
> On Tuesday, November 18, 2014 7:57:44 AM UTC-6, Roger Sherman wrote:
>>
>> For some reason, (I think) the PM is unable to sign them. At least, 
>> that's what seems to be the case.
>>
>
>
> Well yes, sort of.  It appears that the PM is unable to sign the requests 
> because the client is unable to establish a secure connection over which to 
> *issue* the request in the first place.  (The client doesn't need its own 
> cert for that.  The client cert is for the client to prove its identity to 
> the master, which it doesn't need to do to request cert signing.)
>
>
> John
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/7734eafe-3b42-4365-a381-7428e28896a4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to