Hey,

For anyone who is using Apache:

change:

RequestHeader set X-Client-DN "/CN=%{SSL_CLIENT_S_DN_CN}e"

to:
RequestHeader set X-Client-DN "CN=%{SSL_CLIENT_S_DN_CN}e"

in your Puppet vhost.



On Tuesday, 23 December 2014 20:15:27 UTC+1, Kevin DeGraaf wrote:
>
> Hello,
>
> I am evaluating Puppet Enterprise 3.7.1, which includes puppet-server 
> 0.4.1.
>
> I am terminating SSL at an Nginx reverse proxy, using a configuration 
> which works fine with the old Apache/Passenger stack:
>
>   proxy_set_header X-Client-Verify      $ssl_client_verify;
>   proxy_set_header X-Client-DN          $ssl_client_s_dn;
>
> /etc/puppetlabs/puppetserver/conf.d/webserver.conf:
> [...]
>   client-auth : none
>   host        : 0.0.0.0
>   port        : 18140
> [...]
>
> /etc/puppetlabs/puppetserver/conf.d/master.conf:
> master: {
>     allow-header-cert-info: true
> }
>
> /etc/puppetlabs/puppet/puppet.conf:
> [...]
>     ssl_client_header = HTTP_X_CLIENT_DN
>     ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
>
> According to my reading of:
> https://docs.puppetlabs.com/puppetserver/1.0/external_ssl_termination.html
>
> https://docs.puppetlabs.com/references/3.7.latest/configuration.html#sslclientheader
>
> ... this should work, assuming the behavior didn't change from 0.4.1 to 
> 1.0.
>
> However, in /var/log/pe-puppetserver/puppetserver.log:
>
> ERROR [p.s.r.request-handler-core] The DN '/CN=pe-agent.site' provided by 
> the HTTP header 'x-client-dn' is malformed.
>
> The listed DN appears to match the format given in the documentation ("
> /CN=puppet.puppetlabs.com").
>
> From here, authentication fails and the agent run explodes.  Am I missing 
> something?
>
> Thanks.
>
>
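
Added example, not part of either poster's message or of Puppet's code: the logged error and the fix in the reply differ only in DN notation, the slash-delimited form versus the comma-separated form. This Python sketch converts the former to the latter and goes beyond the thread's single-CN case to multi-attribute subjects. The function names and the multi-attribute sample DN are constructed, and the use of RFC 2253 ordering and escaping for the comma-separated form is an assumption.

```python
import re

# A "/" starts a new attribute only when followed by TYPE= (e.g. "/CN=").
# The slash-delimited form does not escape "/" inside values, so this is a
# heuristic; multi-valued RDNs are not handled.
_RDN_START = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.-]*=)")
_SPECIALS = set(',+"\\<>;')  # escaped anywhere in a value (RFC 2253, 2.4)


def _escape(value):
    """Backslash-escape one attribute value for the comma-separated form."""
    out, last = [], len(value) - 1
    for i, c in enumerate(value):
        if c in _SPECIALS or (i == 0 and c in "# ") or (i == last and c == " "):
            out.append("\\")
        out.append(c)
    return "".join(out)


def legacy_to_rfc2253(dn):
    """'/C=US/O=Org/CN=host' -> 'CN=host,O=Org,C=US' (most specific first)."""
    head, *parts = _RDN_START.split(dn)
    if head or not parts:
        raise ValueError("not a slash-delimited DN: %r" % dn)
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append("%s=%s" % (attr, _escape(value)))
    return ",".join(reversed(rdns))


def normalize_client_dn(header_value):
    """Return the header value in comma-separated form, converting if needed."""
    if header_value.startswith("/"):
        return legacy_to_rfc2253(header_value)
    return header_value


if __name__ == "__main__":
    # The first value is the DN from the log line in the thread; the second
    # is a constructed multi-attribute sample.
    for sample in ("/CN=pe-agent.site", "/C=US/O=Example, Inc./CN=pe-agent.site"):
        print(sample, "->", normalize_client_dn(sample))
```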
