puppet 3.0 with passenger


Antidot SAS
Oct 2, 2012, 10:07:24 AM
to puppet-users
Hi everyone,

I have been trying to set up puppet 3.0 with passenger since this morning, and it is really painful for me.

I am using the directive:
        SSLOptions              +StdEnvVars +ExportCertData


No problem, but when putting '+ExportCertData', I am unable to autosign or revoke remotely any certificate. I have the following error:
info: Creating a new SSL key for linux-install.fqdn
err: Could not request certificate: Error 400 on SERVER: header too long
Exiting; failed to retrieve certificate and waitforcert is disabled

When using only:
        SSLOptions              +StdEnvVars

Everything works perfectly.


So here is the apache configuration file:
--
# you probably want to tune these settings
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off
PassengerHighPerformance on

Listen 8140

<VirtualHost *:8140>
        ServerName puppetmaster.fqdn
        ServerAlias puppetmaster

        ErrorLog /var/log/apache2/puppetmaster_error.log
        LogLevel warn
        SetEnvIf Remote_Addr "::1" dontlog
        CustomLog /var/log/apache2/puppetmaster_access.log combined env=!dontlog

        SSLEngine on
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

        SSLCertificateFile      /data/local/puppet/ssl/certs/puppetmaster.fqdn.pem
        SSLCertificateKeyFile   /data/local/puppet/ssl/private_keys/puppetmaster.fqdn.pem
        SSLCertificateChainFile /data/local/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile    /data/local/puppet/ssl/ca/ca_crt.pem
        # If Apache complains about invalid signatures on the CRL, you can try disabling
        # CRL checking by commenting the next line, but this is not recommended.
        SSLCARevocationFile     /data/local/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient         optional
        SSLVerifyDepth          1
        # The `ExportCertData` option is needed for agent certificate expiration warnings
        SSLOptions              +StdEnvVars +ExportCertData

        # This header needs to be set if using a loadbalancer or proxy
        # RequestHeader unset X-Forwarded-For

        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

        RackAutoDetect  On

        DocumentRoot /var/www/puppetmaster/public/
        RackBaseURI /
        <Directory /var/www/puppetmaster/>
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>
--


So any clue?


Regards,
JM
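The thread above does not settle the cause, so what follows is an added example in Ruby (my own code, not Puppet's or Passenger's) showing what a puppetmaster-side handler receives when `+ExportCertData` is on and how to treat that value defensively. With that option mod_ssl exports the client certificate's PEM in the `SSL_CLIENT_CERT` variable; an agent that is still requesting its first certificate (JM's case, `Creating a new SSL key...`) presents no client certificate, so the variable is empty. The example runs three inputs through a naive parse and a defensive one: an empty value, a PEM whose line breaks were folded into spaces (an assumed mangling chosen for illustration, not a documented Passenger behaviour), and a clean PEM. The certificate, the subject `linux-install.example` and all helper names are constructed for the example.

```ruby
require 'openssl'

# Constructed sample: a throwaway self-signed certificate standing in for the
# agent certificate that mod_ssl exports in SSL_CLIENT_CERT when
# `SSLOptions +ExportCertData` is set. Generated at runtime; not a real
# Puppet CA artefact.
def build_sample_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=linux-install.example')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Naive handling: trust whatever arrived in the variable and hand it straight
# to OpenSSL. On an empty or mangled value this raises
# OpenSSL::X509::CertificateError, which a server turns into a 400 for the agent.
def parse_naive(value)
  OpenSSL::X509::Certificate.new(value)
end

# Defensive handling, three rules:
#   1. nil or empty means "no client certificate presented" (an agent still
#      requesting its first certificate), so return nil instead of parsing;
#   2. rebuild canonical PEM armour from whatever whitespace survived relaying,
#      so a value whose line breaks were folded into spaces (assumed failure
#      mode for this example) still parses;
#   3. refuse anything that is not exactly one base64 CERTIFICATE block.
# Returns an OpenSSL::X509::Certificate, or nil when nothing usable is there.
def client_cert_from_env(value)
  return nil if value.nil? || value.strip.empty?
  m = value.match(/-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----/m)
  return nil unless m
  body = m[1].gsub(/\s+/, '')
  return nil unless body =~ /\A[A-Za-z0-9+\/]+=*\z/
  pem = "-----BEGIN CERTIFICATE-----\n" +
        body.scan(/.{1,64}/).join("\n") +
        "\n-----END CERTIFICATE-----\n"
  OpenSSL::X509::Certificate.new(pem)
rescue OpenSSL::X509::CertificateError
  nil
end

# Assumed mangling for the demonstration: line breaks folded into spaces, the
# way a multi-line value gets flattened when relayed as a single header line.
def fold_newlines(pem)
  pem.strip.gsub(/\r?\n/, ' ')
end

# True if the naive path rejects the value with a CertificateError.
def naive_rejects?(value)
  parse_naive(value)
  false
rescue OpenSSL::X509::CertificateError
  true
end

# Exercise both paths on the inputs a puppetmaster behind mod_ssl can see:
# an empty string (no client cert yet), a folded PEM, garbage, and a clean PEM.
# Returns a hash so the outcome can be checked without reading stdout.
def demo
  cert = build_sample_cert
  clean = cert.to_pem
  folded = fold_newlines(clean)
  recovered = client_cert_from_env(folded)
  {
    naive_rejects_empty: naive_rejects?(''),
    naive_rejects_folded: naive_rejects?(folded),
    defensive_empty_is_nil: client_cert_from_env('').nil?,
    defensive_garbage_is_nil: client_cert_from_env('not a certificate').nil?,
    defensive_folded_ok: !recovered.nil? && recovered.subject.to_s == cert.subject.to_s,
    defensive_clean_ok: !client_cert_from_env(clean).nil?,
    seconds_to_expiry: recovered ? (recovered.not_after - Time.now).to_i : nil
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Handing an empty or non-DER string to `OpenSSL::X509::Certificate.new` fails in both the PEM and the DER decoder; the wording of the error depends on the OpenSSL build (the `header too long` text in the thread is the ASN.1 decoder's message in OpenSSL releases of that era, newer releases word it differently), so the example asserts on the exception class, not the text. Whether that is exactly what happened in JM's setup is not established in the thread; the defensive rules above (nil/empty means no client certificate, rebuild the PEM armour, reject anything else) remove that failure class either way, and `seconds_to_expiry` is the value an expiration warning would be computed from.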

Eric Sorenson
Oct 3, 2012, 7:07:06 PM
to puppet...@googlegroups.com
Hi JM, this sounds like a real problem that was probably introduced with our code to start warning on certificates close to their expiration dates.

(#7962) 


Can you please update the ticket with more information about your environment?

- what version of passenger?
- what version of apache?

Thanks!

Antidot SAS
Oct 4, 2012, 4:56:01 AM
to puppet...@googlegroups.com
Hi, I have filled out the ticket; let me know if something is missing.

Regards,
JM

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/ap55DPU-uRsJ.
To post to this group, send email to puppet...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
