Re: [Puppet Users] SSL Port 8140 not running

I'd expect errors from the service framework/java level to go into the journal and/or /var/log/{messages,syslog}. If the service framework says it's up and running and there's nothing in the above logs there should be _something_ in /var/log/puppetlabs/puppetserver.log you might also want to doubl

[Puppet Users] SSL Port 8140 not running

Hi Group! I am just trying to setup puppetserver 6.9.1 on linux. Service is starting, but no port 8140 is up and I don´t know why. I found noting in: /var/log/puppetlabs Can you please help? Best Andreas -- You received this message because you are subscribed to the Google Groups "Puppet User

[Puppet Users] SSL peer had some unspecified issue with the certificate it received

Hi there, We upgraded to puppet 5.5.0 recently, so far it's working fine but we see lots of issue with SSL certs. Currently, we are using self-signed certs ( I know that's not the best way to handle certs and we do have plans to move away from self-signed certs) We using below API's to delete/

Re: [Puppet Users] SSL Errors - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B

Make sure the time matches on master and agent. The issue CRL is not yet valid for indicates that the time between the Puppet-agent and the Puppetmaster is out of sync . Sync the time (NTP). Remove the certificate from the Puppet-a

Re: [Puppet Users] SSL Error when connecting agent to master

The link you posted worked. I had to go into the ssl.rb file of my ruby package (2.1.7) and change ssl_version to TSLv1. (Note this is slight different then what attached post suggests, as just changing it to sslv3 still did not work.) Thanks again for your help! On Wednesday, February 17, 201

Re: [Puppet Users] SSL Error when connecting agent to master

Hi, a very brief bout of researching lead me to this: https://ask.puppetlabs.com/question/6065/mac-os-x-client-ssl-error-before-caching-ca-cert/ You may be experiencing Ruby/OpenSSL version mismatches as well. Perhaps the workaround of the OP over at ask will help you as well. Good luck, pl

[Puppet Users] SSL Error when connecting agent to master

Hi, Disclaimer... I am fairly new to Puppet. :) I have a puppet master server and a separate CA Server setup in my Puppet infrastructure. This infrastructure is running Puppet version 3.8.4 and has been running fine for the past few weeks. Now, I am trying to connect a SLES 11SP2 linux server

[Puppet Users] SSL Cert's are generated but not saved

Hi, I'm working on using puppet to manage a fleet of Mac's. I have run the puppet in the background while at the mac login window after /etc/puppet/puppet.conf is configured. puppet.conf: [master] # These are needed when the puppetmaster is run by passenger # and can safely be removed if webri

[Puppet Users] SSL Cert errors when puppet agent is also the master

I have just stood up a new open source puppet master (in this case master is ep1p-apux06, aka puppet.domain.com). I have added an external test agent and everything appears to be running correctly. As a test, I have added a single module and if I make changes to the module, I can see it propagat

Re: [Puppet Users] SSL Cert automation for service

Hi, I haven't built this kind of scheme, but yes, Puppet should be able to do this for you. You will have to implement 1. A defined type that signs a cert for a given CN. 2. A custom fact that holds all signed certificates in a hash structure suitable for 3. A defined type that wraps the export o

[Puppet Users] SSL Cert automation for service

Hello, list: I'm looking for information/tutorials on using Puppet to generate SSL certs for a service managed by Puppet, not Puppet itself. What I would like to do is give Puppet access to internal CA keys and have it generate and sign certs for services it manages. This will allow me to use

Re: [Puppet Users] SSL Cert issues - Puppet Agent and Master on same host

On 11/18/2014 10:26 PM, kevin.mastel...@gmail.com wrote: > [root@- puppet]# ./node.rb my-puppet-svr > Could not send facts to Foreman: SSL_connect returned=1 errno=0 > state=SSLv3 read server certificate B: certificate verify failed Hmm, I don't know which TCP port is used to contact Foreman,

Re: [Puppet Users] SSL Cert issues - Puppet Agent and Master on same host

[root@e-imgsrv puppet]# netstat -tulpn | grep 8140 tcp0 0 0.0.0.0:81400.0.0.0:* LISTEN 48905/ruby Don't have any firewall settings as network is unreachable from outside, but [root@e-imgsrv puppet]# iptables -L -n Chain INPUT (policy ACCEP

Re: [Puppet Users] SSL Cert issues - Puppet Agent and Master on same host

On Wednesday, November 19, 2014 6:24:28 AM UTC-5, Johan De Wit wrote: > > > > netstat -tupln | grep 8140 : is puppet master up and running and listening > > iptables -L -n : firewall settings correct > > ping my-puppet-svr : name resolution working > > Just checking the obvious stuff first .

Re: [Puppet Users] SSL Cert issues - Puppet Agent and Master on same host

On 18/11/14 22:26, kevin.mastel...@gmail.com wrote: Currently trying to get puppet, katello and foreman to play nicely. Everything except puppet is working as I would expect. No matter what I try, whether it be blasting the /var/lib/puppet/ssl directory, running --clean (or whatever the comma

[Puppet Users] SSL Cert issues - Puppet Agent and Master on same host

Currently trying to get puppet, katello and foreman to play nicely. Everything except puppet is working as I would expect. No matter what I try, whether it be blasting the /var/lib/puppet/ssl directory, running --clean (or whatever the commands are), or trying all the steps on the Puppet tro

Re: [Puppet Users] SSL issues arising from cloning environment

Er ah, to be more specific, I had to list the correct .pem files in the puppetmaster vhost, and change the server IP. On Tuesday, November 18, 2014 10:51:40 AM UTC-5, Roger Sherman wrote: > > Turns out this was the problem - thanks for the help, guys, as always, > talking it out helped point me

Re: [Puppet Users] SSL issues arising from cloning environment

Turns out this was the problem - thanks for the help, guys, as always, talking it out helped point me down the right path. Thanks, Rog On Tuesday, November 18, 2014 9:56:05 AM UTC-5, Roger Sherman wrote: > > Right - and on that note, I think I've made a little bit of progress, but > I'm still

Re: [Puppet Users] SSL issues arising from cloning environment

Right - and on that note, I think I've made a little bit of progress, but I'm still not there yet. I looked at the apache vhost file for the puppetmaster, and found the following: # you probably want to tune these settings PassengerHighPerformance on PassengerMaxPoolSize 12 PassengerPoolIdle

Re: [Puppet Users] SSL issues arising from cloning environment

On Tuesday, November 18, 2014 7:57:44 AM UTC-6, Roger Sherman wrote: > > For some reason, (I think) the PM is unable to sign them. At least, that's > what seems to be the case. > Well yes, sort of. It appears that the PM is unable to sign the requests because the client is unable to establis

Re: [Puppet Users] SSL issues arising from cloning environment

Hi Neil, thank you for the response. Certificate requests are sent out during a noop run, which are then signed on the PM and then a subsequent noop run puts the cert in place. For some reason, (I think) the PM is unable to sign them. At least, that's what seems to be the case. Thank you, Rog

Re: [Puppet Users] SSL issues arising from cloning environment

Hello 2.7 is pretty old. IIRC noop stops the agent writing anything including the certificate stuff. You can either Drop the noop Upgrade puppet on client Do the certificate work manually Specify the certname in the config and use the old cert assuming your cloned master still has that Neil On 18

[Puppet Users] SSL issues arising from cloning environment

I'm in the process of setting up a staging environment for the company I work for. To do this, we've cloned our production environment (vmware), changed the hostnames of the nodes, re-IP'd the nodes, and since that point, I've been trying to get the environment to the point where I can do puppe

Re: [Puppet Users] SSL POODLE Vulnerability

On Wed, Oct 15, 2014 at 3:28 PM, Mike Seda wrote: > Puppet Developers, > Based on the SSL POODLE vulnerability ( > https://www.openssl.org/~bodo/ssl-poodle.pdf ), will you be patching > WEBrick to deny SSLv3 like you did with SSLv2 ( > https://projects.puppetlabs.com/issues/19151 )? > Yes, the n

[Puppet Users] SSL POODLE Vulnerability

Puppet Developers, Based on the SSL POODLE vulnerability ( https://www.openssl.org/~bodo/ssl-poodle.pdf ), will you be patching WEBrick to deny SSLv3 like you did with SSLv2 ( https://projects.puppetlabs.com/issues/19151 )? Mike -- You received this message because you are subscribed to the Goog

Re: [Puppet Users] ssl signing issue

On 30/06/14 16:24, Martin Alfke wrote: Hi Chris, On 30 Jun 2014, at 05:23, Chris wrote: master gets it: # puppet ca list client (SHA256) D4:6D:33:FE:33:98:C1:42:77:ED:D3:33:16:8D:A0:C6:37:1F:90:6B:03:D2:EC:79:52:FF:03:2E:8C:7F:D8:50 and has signed itself: # puppet ca list --all client

Re: [Puppet Users] ssl signing issue

Hi Chris, On 30 Jun 2014, at 05:23, Chris wrote: > > master gets it: > # puppet ca list > client (SHA256) > D4:6D:33:FE:33:98:C1:42:77:ED:D3:33:16:8D:A0:C6:37:1F:90:6B:03:D2:EC:79:52:FF:03:2E:8C:7F:D8:50 > > and has signed itself: > # puppet ca list --all > client (SHA256) > D4:6D:

[Puppet Users] ssl signing issue

Hi, I'm trying to get signing right and have come up with a weird situation. Both master and client are running 3.6.2 (rpms from puppetlabs). client config: [main] vardir = /var/lib/puppet logdir = /var/log/puppet rundir = /var/run/puppet ssldir = /var/lib/puppet/ssl classf

[Puppet Users] SSL error when after restarting httpd. CA information missing/or wrong?

Hi everybody I've been running puppet under Apache/Passenger for some time. I restarted Apache this morning I'm getting the following error --- [root@ecm-rhl-032 ~]# puppet agent --test Warning: Unable to fetch my node definition, but the agent run will continue: Warning: SSL_connect returned=

[Puppet Users] SSL

My environment has been working up until mid last week. just doing a puppet agent --test gives me these results... has anyone ran across this. [root@DC01SLE0005 ~]# puppet agent --test Warning: Unable to fetch my node definition, but the agent run will continue: Warning: SSL_connect returned=1

Re: [Puppet Users] SSL error connecting to https://forge.puppetlab.com on fresh install

That did it. Thanks for the quick reply. On Thursday, May 8, 2014 4:32:57 PM UTC-7, Josh Cooper wrote: > > Hi Patrick, > > > On Thu, May 8, 2014 at 12:50 PM, Patrick Auld > > > wrote: > >> I installed Puppet 3.5.1 on Windows 7 from the MSI. I've run a few >> 'puppet apply' commands and things a

Re: [Puppet Users] SSL error connecting to https://forge.puppetlab.com on fresh install

Hi Patrick, On Thu, May 8, 2014 at 12:50 PM, Patrick Auld wrote: > I installed Puppet 3.5.1 on Windows 7 from the MSI. I've run a few 'puppet > apply' commands and things appear to be working. We are not using a master > node for our current use case so I haven't set one up. The Windows Puppet >

[Puppet Users] SSL error connecting to https://forge.puppetlab.com on fresh install

I installed Puppet 3.5.1 on Windows 7 from the MSI. I've run a few 'puppet apply' commands and things appear to be working. We are not using a master node for our current use case so I haven't set one up. The Windows Puppet service is also disabled. When I try to install a module from the Forge

Re: [Puppet Users] SSL Certificate errors - Migrating from build in webserver to Apache and Passenger

Hi Spencer That's fixed the ssl issue. Not sure where I got the /etc/puppet/ssl... from. I've got some "access denied" issues now. Trace them down another day Thanks for the help Tom On Sunday, 23 March 2014 02:16:12 UTC+8, Tom Hallam wrote: > > Ahh, those lines are different. The ones I

Re: [Puppet Users] SSL Certificate errors - Migrating from build in webserver to Apache and Passenger

Ahh, those lines are different. The ones I have point to /etc/puppet/ssl Yep, the cert you've just pointed to look like they match what I'm getting from WebBrick. On Sunday, 23 March 2014 01:59:50 UTC+8, Spencer Krum wrote: > > You should have several lines in your apache vhost pointing

Re: [Puppet Users] SSL Certificate errors - Migrating from build in webserver to Apache and Passenger

You should have several lines in your apache vhost pointing to specific ssl certs. Can you verify that all these paths are correct? Specifically the lines beginning with SSL in http://docs.puppetlabs.com/guides/passenger.html#create-and-enable-the-puppet-master-vhost On Sat, Mar 22, 2014 at 7:51

[Puppet Users] SSL Certificate errors - Migrating from build in webserver to Apache and Passenger

Hi All I've been running Puppet using the build in web server and I'm now moving to Apache and Passenger. I've completed the installation and started testing. If I run puppet agent --test --noop I get the following error (domain removed) Warning: Unable to fetch my node definition, but

Re: [Puppet Users] SSL issues - certificate verify failed

Hi, I am having similar issue, cant figure out why. Can any one help me with this ?? thanks, Teja. On Friday, August 10, 2012 5:29:27 AM UTC-7, Axel Bock wrote: > > hm, nevermind, I somehow solved it. although I'm not (yet) sure how. It > involved a lot of restarting and deleting :) > > thank

[Puppet Users] SSL Certificate expiration on Load Balancer

Greetings, I am not sure what the best steps are to replace an SSL ceritificate that has expired on the load balancer that the puppet agents use. setup: agent ---> loadbalancer w/ SSL Cert port 8140 ---> 2 master systems with shared SSL directory on nfs. Here is what the puppet.conf looks l

[Puppet Users] ssl ofloading on amazon ELB for puppetmasters

Hi, I'm trying to do ssl offload on amazon ELB for my puppetmaster servers, it seems amazon ELB is not sending ssl_client_header & client_verify_header puppetmaster Listen 8141 SSLEngine off DocumentRoot /etc/puppet/rack/puppetmaster_8141/public/ RackBaseURI / PassengerE

Re: [Puppet Users] SSL config in puppet.conf in v3.0x

[master] has been used for a while now. At least 2.6 up. On Feb 13, 2013, at 12:52 PM, vioilly wrote: > Hi, > > Does this still apply in puppet 3.0.2 in the puppet.conf file on the puppet > master? > > [puppetmasterd] > > ssl_client_header = SSL_CLIENT_S_DN > > ssl_client_verify_head

[Puppet Users] SSL config in puppet.conf in v3.0x

Hi, Does this still apply in puppet 3.0.2 in the puppet.conf file on the puppet master? [puppetmasterd] ssl_client_header = SSL_CLIENT_S_DN ssl_client_verify_header = SSL_CLIENT_VERIFY If yes, is puppetmasterd correct or should it be something else, like [main] or [master]? Cheer

Re: [Puppet Users] SSL issues - certificate verify failed

hm, nevermind, I somehow solved it. although I'm not (yet) sure how. It involved a lot of restarting and deleting :) thanks anyways! Axel. 2012/8/10 Axel Bock > Hello readers, > > I have this little issue that my puppet client refuses to do anything > because of SSL validation errors. Maybe I

[Puppet Users] SSL issues - certificate verify failed

Hello readers, I have this little issue that my puppet client refuses to do anything because of SSL validation errors. Maybe I'll just post dump of what happens, that makes it clear I hope. Does anyone have a suggestion why that might happen? what I already checked: On the master: - Pup

Re: [Puppet Users] SSL emailAddress interpreted as part of the CN when using puppet with an external PKI

Hi Jeff, > This is definitely a bug. The regular expression we're using to > extract the common name (CN) from the distinguished name (DN) is > /^.*?CN\s*=\s*(.*)/ [1] > > This is a greedy regular expression which explains why it's also > grabbing the email address. I think we need to fix this

Re: [Puppet Users] SSL emailAddress interpreted as part of the CN when using puppet with an external PKI

On Sat, Jun 2, 2012 at 7:59 AM, Andrew Wasilczuk wrote: > Hi Jeff, > >>    You may be running into a bug in Puppet but I'm not entirely sure yet... >>    What web server are you using to terminate the SSL connection from the >>    agent to the master?  Is it simply the built in one provided by `pu

Re: [Puppet Users] SSL emailAddress interpreted as part of the CN when using puppet with an external PKI

Hi Jeff, >You may be running into a bug in Puppet but I'm not entirely sure yet... >What web server are you using to terminate the SSL connection from the >agent to the master? Is it simply the built in one provided by `puppet >master` or are you using Apache or something? SSL is

Re: [Puppet Users] SSL emailAddress interpreted as part of the CN when using puppet with an external PKI

On Fri, Jun 1, 2012 at 5:23 AM, Andrew Wasilczuk wrote: > Hi Jeff > > On Thu, May 31, 2012 at 08:55:29AM -0700, Jeff McCune wrote: > >There are two identities in Puppet that relate to the security model. > The > >first identity is the certname and the second is the node name. > >Puppe

Re: [Puppet Users] SSL emailAddress interpreted as part of the CN when using puppet with an external PKI

Hi Jeff On Thu, May 31, 2012 at 08:55:29AM -0700, Jeff McCune wrote: >There are two identities in Puppet that relate to the security model. The >first identity is the certname and the second is the node name. >Puppet uses the certname to construct the certificate. >Everything else

Re: [Puppet Users] SSL emailAddress interpreted as part of the CN when using puppet with an external PKI

There are two identities in Puppet that relate to the security model. The first identity is the certname and the second is the node name. Puppet uses the certname to construct the certificate. Everything else (catalogs, facts, reports, etc...) is identified by the node name. By default the val

[Puppet Users] SSL emailAddress interpreted as part of the CN when using puppet with an external PKI

Hello, I'm currently integrating puppet with an external openssl based PKI and I stumbled across a problem which looks like it may be a bug in puppet. All my certificates contain an emailAddress field in the subject. Here it is in the default format: % openssl x509 -in mir.example.net.pem -noo

[Puppet Users] SSL certificates issues with some of the nodes

Hi, I am using puppet open source & their are above 2000 nodes in my network & getting SSL certificates issues with some of the remote nodes & they are not in sync with puppet server where others are in sync with server & date of the nodes systems are in sync with ntp server, also tried the foll

Re: [Puppet Users] SSL Errors - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B

Hi Felix, thanks for your response to my question. It's taken me a while to get back to this issue but I finally figured it out tonight. I had a old puppetd process running in the background (I'd since moved to using cron to call puppet) that must have been holding open it's old cert files, etc...

Re: [Puppet Users] SSL Errors - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B

Hi, concerning your question why everything seems to work pretty well: On 01/27/2012 04:59 AM, Romeo Theriault wrote: > Jan 26 17:09:41 ppt01 puppet-agent[27357]: Using cached catalog Your agent is using a cached catalog. puppet agent --test should fail. Also, changing the manifest for this nod

[Puppet Users] SSL Errors - SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B

Hello, I'm new to puppet and am getting a puppet server setup with puppet dashboard. I have the puppet server and puppet dashboard (Apache/Passenger) setup and working well with 60+ test nodes working as expected. Only problem is that I have this one error in the logs which I can't figure out. Jan

[Puppet Users] SSL issues on ruby1.9

Hi all, I'm having issues with getting a client to request a certificate from my master when using Ruby 1.9. The error message is: "err: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed" I saw earlier messages on this

Re: [Puppet Users] SSL issues: Separate CA, multiple load balanced masters

Ohad, I can't thank you enough for that tip. Solved every error that was occurring by disabling CRL. I realise this is not desirable, so I will get my init scripts generating separate certificates for the puppet agent running on the masters. Again, thank you very much. -- You received this m

Re: [Puppet Users] SSL issues: Separate CA, multiple load balanced masters

On Thu, Apr 7, 2011 at 10:03 AM, Andrei Serdeliuc wrote: > It now seems to work, I was doing 2 things wrong: not restarting Apache > (the master runs under apache + passenger) after certificates were > generated. That fixed the initial SSL error (apache was using an older > certificate, the ones g

Re: [Puppet Users] SSL issues: Separate CA, multiple load balanced masters

It now seems to work, I was doing 2 things wrong: not restarting Apache (the master runs under apache + passenger) after certificates were generated. That fixed the initial SSL error (apache was using an older certificate, the ones generated didn't match, etc). All works fine now, unless I try

Re: [Puppet Users] SSL issues: Separate CA, multiple load balanced masters

On 7 April 2011 04:02, Andrei Serdeliuc wrote: > Hi, > > I've been at it for about 4 days now and I just can't figure it out. > I'm getting the following error when running puppet agent on my > masters: SSL_connect returned=1 errno=0 state=SSLv3 read server > certificate B: certificate verify fai

[Puppet Users] SSL issues: Separate CA, multiple load balanced masters

Hi, I've been at it for about 4 days now and I just can't figure it out. I'm getting the following error when running puppet agent on my masters: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed At startup, I'm running ntpdate (I've read in a lot of

Re: [Puppet Users] ssl alert: "Unknown CA"

On Fri, 2011-02-18 at 00:44 -0800, Eric Sorenson wrote: > I have a couple of hosts which are having trouble talking to the puppet VIP: > > puppetd[4554]: could not retrieve catalog from remote server: ssl_connect > returned=1 errno=0 state=sslv3 read server certificate b: certificate verify > fa

[Puppet Users] ssl alert: "Unknown CA"

I have a couple of hosts which are having trouble talking to the puppet VIP: puppetd[4554]: could not retrieve catalog from remote server: ssl_connect returned=1 errno=0 state=sslv3 read server certificate b: certificate verify failed puppetd[4554]: Not using cache on failed catalog puppetd[4554

Re: [Puppet Users] SSL Chaining puppet 2.6.1 passenger and apache

On Sep 16, 2010, at 9:11 PM, denmat wrote: > Hi list, > > have an issue which I haven't been able to find a definitive answer > for after searching list. > > I have upgraded from 2.5 to 2.6 and problem I have existed with 2.5 so > this is not related to the new release. (running on F12/Centos5.

[Puppet Users] SSL Chaining puppet 2.6.1 passenger and apache

Hi list, have an issue which I haven't been able to find a definitive answer for after searching list. I have upgraded from 2.5 to 2.6 and problem I have existed with 2.5 so this is not related to the new release. (running on F12/Centos5.5). The puppetmaster works fine with my certificates using

Re: [Puppet Users] SSL issues when testing - This is how to fix

mount the same config files? That's a great idea, a readonly mount would aid speeding testing across a cluster On 03/05/2010, Charles Johnson wrote: > Gabriel, I use puppet to maintain files and services across a linux cluster > with some 850 boxes. From time to time a box goes down and has to be

Re: [Puppet Users] SSL issues when testing - This is how to fix

Gabriel, I use puppet to maintain files and services across a linux cluster with some 850 boxes. From time to time a box goes down and has to be re-imaged. We nuke /etc/puppet/ssl, and restart puppet with puppetd --waitforcert 60; sign the cert on the puppetmaster, and away we go. We also use a sy

[Puppet Users] SSL issues when testing - This is how to fix

Dear everyone! I’ve been suffering all week to fix all manner of SSL issues on my test setup, not realizing that it was my puppet master where I had made a mistake. I’ve spoken to people in the IRC room for long enough to know that a lot of people have this problem, so I’ve come up with a quick

Re: [Puppet Users] SSL Issues when Puppet master and client are on the same machine

On 1/18/10 11:40 AM, Jamie wrote: Hi I've searched high and low for the answer to this but can't find any relevant solutions. I know that when the master and client are on different hosts it's pretty simple to solve most SSL issues... Sounds like you might need to split some parameters up fr

[Puppet Users] SSL Issues when Puppet master and client are on the same machine

Hi I've searched high and low for the answer to this but can't find any relevant solutions. I know that when the master and client are on different hosts it's pretty simple to solve most SSL issues... 1) stop puppetd on the client 2) Clean the cert on the master - puppetca --clean 3) Recursiv

[Puppet Users] SSL issue syncing plugins/facts when upgrading to 0.25.2 client from 0.24.8

I've found it difficult to upgrade from 0.24.8 to 0.25.2. Things are great after I only upgrade the master to 0.25.2, but once the client gets switched to 0.25.2, I can't sync plugins/facts anymore. The error seems to indicate that it's some SSL issue. Any suggestions would be appreciated, as my

[Puppet Users] SSL connection errors

My puppet setup has been working nicely for a while, but recently I get errors like this a lot: May 9 15:46:33 puppet puppetd[22423]: (//Node[basenode]/nagios::nrpe/File[/usr/local/nagios/plugins/check_apt]) Failed to retrieve current state of resource: Connection reset by peer - SSL_connect

[Puppet Users] ssl configuration for nginx

Hello, I am trying to configure nginx as documented here http://reductivelabs.com/trac/puppet/wiki/UsingMongrelNginx I don't realy know which file must be paased to this values : ssl_certificate ssl_certificate_key ssl_client_certificate When I try with ssl_certificate /var