Hello, I am evaluating Puppet Enterprise 3.7.1, which includes puppet-server 0.4.1.
I am terminating SSL at an Nginx reverse proxy, using a configuration which works fine with the old Apache/Passenger stack:

    proxy_set_header X-Client-Verify $ssl_client_verify;
    proxy_set_header X-Client-DN $ssl_client_s_dn;

/etc/puppetlabs/puppetserver/conf.d/webserver.conf:

    [...]
    client-auth : none
    host : 0.0.0.0
    port : 18140
    [...]

/etc/puppetlabs/puppetserver/conf.d/master.conf:

    master: {
        allow-header-cert-info: true
    }

/etc/puppetlabs/puppet/puppet.conf:

    [...]
    ssl_client_header = HTTP_X_CLIENT_DN
    ssl_client_verify_header = HTTP_X_CLIENT_VERIFY

According to my reading of:

https://docs.puppetlabs.com/puppetserver/1.0/external_ssl_termination.html
https://docs.puppetlabs.com/references/3.7.latest/configuration.html#sslclientheader

... this should work, assuming the behavior didn't change from 0.4.1 to 1.0.

However, in /var/log/pe-puppetserver/puppetserver.log:

    ERROR [p.s.r.request-handler-core] The DN '/CN=pe-agent.site' provided by the HTTP header 'x-client-dn' is malformed.

The listed DN appears to match the format given in the documentation (" /CN=puppet.puppetlabs.com").

From here, authentication fails and the agent run explodes. Am I missing something?

Thanks.