The issue I ran into that caused problems was the following:
Puppet 2.7.14, for some reason, sets the key length by default to 4096 in my environment. F5 LTM, at least on version 10.1, cannot support anything larger than 2048 for both the cert on the F5 and the client cert used for authentication: the LTM will allow you to add the certificate but not apply it to the SSL profile. The client SSL cert that each Puppet agent sends, if it is greater than 2048, will instantly receive a TCP RST; the request to the puppet master will still be sent for catalog compile. More detail on the SSL key issue, and what is and is not affected, is here:
http://support.f5.com/kb/en-us/solutions/public/12000/100/sol12147.html
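The following is an added example, not code from the post or from Puppet or F5. It is the check a practitioner would want before putting a Puppet CA behind an LTM of that version: a standard-library-only script that walks the DER of the PEM certificates, PKCS#1 private keys and SPKI public keys in a Puppet ssldir, reads the RSA modulus size, and reports every key above 2048 bits. The sample PEMs at the bottom are constructed with synthetic modulus values (assumption: they stand in for real Puppet keys) so the checker can be exercised offline; the ssldir path you pass to `oversized_keys` is whatever your installation uses.

```python
"""Check RSA key sizes in a Puppet SSL directory using only the standard library.

Added example, not code from the original post. It reads just enough DER to
find the RSA modulus in PEM certificates, PKCS#1 private keys and SPKI public
keys, then flags anything above the 2048-bit limit the post describes for
F5 LTM 10.x. The sample PEMs at the bottom are constructed (synthetic moduli).
"""
import base64
import os
import re
import textwrap

MAX_BITS = 2048  # largest RSA key the LTM version in the post accepts


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Return [(tag, value), ...] for the members of a constructed DER value."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = _tlv(buf, pos)
        out.append((tag, value))
    return out


def _int_bits(value):
    return int.from_bytes(value, "big").bit_length()


def _spki_bits(spki):
    """SubjectPublicKeyInfo { algorithm, BIT STRING { RSAPublicKey { n, e } } }."""
    bitstring = _children(spki)[1][1]
    _, rsa_pub, _ = _tlv(bitstring[1:], 0)          # skip the "unused bits" byte
    return _int_bits(_children(rsa_pub)[0][1])


def key_bits(pem):
    """Return the RSA modulus size in bits of the first PEM block in pem."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, der = m.group(1), base64.b64decode("".join(m.group(2).split()))
    _, body, _ = _tlv(der, 0)
    if label == "RSA PRIVATE KEY":                  # PKCS#1: { version, n, e, d, ... }
        return _int_bits(_children(body)[1][1])
    if label == "PUBLIC KEY":                       # SPKI, as in $ssldir/public_keys
        return _spki_bits(body)
    if label == "CERTIFICATE":                      # { tbsCertificate, sigAlg, sig }
        fields = _children(_children(body)[0][1])
        if fields[0][0] == 0xA0:                    # optional explicit [0] version
            fields = fields[1:]
        # serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo
        return _spki_bits(fields[5][1])
    raise ValueError("unsupported PEM type: " + label)


def oversized_keys(ssldir, limit=MAX_BITS):
    """Return {path: bits} for every .pem under ssldir whose RSA key exceeds limit."""
    found = {}
    for root, _, files in os.walk(ssldir):
        for name in (f for f in files if f.endswith(".pem")):
            path = os.path.join(root, name)
            try:
                with open(path, encoding="ascii") as fh:
                    bits = key_bits(fh.read())
            except (ValueError, IndexError, UnicodeDecodeError):
                continue                            # CRLs, CSRs, non-PEM files
            if bits > limit:
                found[path] = bits
    return found


# --- constructed sample data (synthetic moduli, not real keys) --------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _der_int(n):
    return _der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _pem(label, der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def sample_key_pem(bits):
    """Synthetic PKCS#1 key whose modulus is exactly `bits` bits wide."""
    n = (1 << (bits - 1)) | 1
    return _pem("RSA PRIVATE KEY", _der(0x30, _der_int(0) + _der_int(n) + _der_int(65537)))


def sample_cert_pem(bits):
    """Synthetic certificate carrying an RSA SubjectPublicKeyInfo of `bits` bits."""
    n = (1 << (bits - 1)) | 1
    rsa_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    spki = _der(0x30, rsa_alg + _der(0x03, b"\x00" + _der(0x30, _der_int(n) + _der_int(65537))))
    empty = _der(0x30, b"")                         # stand-ins for issuer, validity, ...
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(1) + empty * 4 + spki)
    return _pem("CERTIFICATE", _der(0x30, tbs + empty + _der(0x03, b"\x00")))
```

Run `oversized_keys("/path/to/ssldir")` on a master or agent before the LTM goes in front of it; any path it returns is a certificate or key that the post says the LTM will accept for upload but refuse to attach to the profile, or that will draw a TCP RST at handshake time.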
Additional changes were required, but this is what my non-SSL configuration (the one the F5 is proxying requests to) looks like:
# Apache Configuration
<VirtualHost *:18140>
    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
    RackBaseURI /
    <Directory /usr/share/puppet/rack/puppetmasterd/public/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    # Map the headers inserted by the F5 onto the variables Puppet reads
    SetEnvIf X-SSL-Subject "(.*)" SSL_CLIENT_S_DN=$1
    SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
    SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1
    SetEnvIf X-Forwarded-Proto "https" HTTPS=1
    LogLevel error
    ErrorLog "|/usr/sbin/cronolog /var/log/httpd/puppetmaster_error_log.%Y%m%d -l /var/log/httpd/puppetmaster_error_log"
    CustomLog "|/usr/sbin/cronolog /var/log/httpd/puppetmaster_access_log.%Y%m%d -l /var/log/httpd/puppetmaster_access_log" combined
</VirtualHost>
The SSL port (8140) follows the standard guide for Apache Passenger, but with these three lines added (as in the non-SSL configuration):
SetEnvIf X-SSL-Subject "(.*)" SSL_CLIENT_S_DN=$1
SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1
Here is what the F5-specific configuration looks like; I substituted the IP addresses and some of the names because of my environment.
pool puppet {
    lb method member least conn
    monitor all gateway_icmp
}
virtual puppet {
    snat automap
    pool puppet
    ip protocol tcp
    rules R_PUPPETMASTERS
    profiles {
        http {}
        puppet {
            clientside
        }
        tcp {}
    }
}
profile clientssl puppet {
    defaults from clientssl
    key "puppet.key"
    cert "puppet.crt"
    chain "puppetca.crt"
    ca file "puppetca.crt"
    client cert ca "puppetca.crt"
    renegotiate enable
    peer cert mode require
    authenticate always
}
rule R_PUPPETMASTERS {
    when HTTP_REQUEST {
        HTTP::header insert "X-Forwarded-Proto" "https"
        # Skip the identity headers for certificate enrolment requests
        set cert_request 0
        set path2 [URI::path [HTTP::uri] 2 2]
        if { $path2 == "/certificate/" || $path2 == "/certificate_request/" } {
            set cert_request 1
        }
    }
    when HTTP_REQUEST_SEND {
        if { $cert_request == 0 } {
            # HTTP_REQUEST_SEND runs serverside; read the client SSL session explicitly
            clientside {
                if { [SSL::verify_result] == 0 } {
                    HTTP::header insert "X-Client-Verify" "SUCCESS"
                }
                HTTP::header insert "X-Client-DN" /[X509::subject [SSL::cert 0]]
                HTTP::header insert "X-SSL-Subject" /[X509::subject [SSL::cert 0]]
            }
        }
    }
}
# end of F5 configuration
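The hand-off above, modelled in Python as an added example (not code from the post, Puppet or F5) so the two halves can be checked together offline: `proxy_request` reproduces the iRule's decisions (segment 2 of the path selects enrolment requests, `SSL::verify_result == 0` becomes `X-Client-Verify: SUCCESS`, the subject is prefixed with `/`), and `backend_env` reproduces the SetEnvIf mapping. One thing is added on top of the post, and is an assumption about the deployment rather than something the post states: the proxy is the only path to the backend, so any proxy-owned header that arrives from the client (`X-Client-Verify`, `X-SSL-Subject`, `X-Client-DN`, `X-Forwarded-For`) is dropped before the proxy inserts its own values, because the backend's SetEnvIf lines accept whatever reaches them.

```python
"""Model of the F5 -> Apache client-certificate hand-off shown in the post.

Added example, not code from the post or from F5/Puppet. It reproduces the
decisions the posted iRule and SetEnvIf lines make. Assumption added here:
the proxy is the only route to the backend, so client-supplied copies of the
proxy-owned headers are scrubbed before the proxy sets its own.
"""

PROXY_OWNED = ("X-Client-Verify", "X-SSL-Subject", "X-Client-DN", "X-Forwarded-For")
ENROLMENT_SEGMENTS = ("/certificate/", "/certificate_request/")   # from the iRule


def uri_path_segment(uri, index):
    """Mimic [URI::path $uri N N]: path segment N, slash-delimited, or "" if absent."""
    parts = [p for p in uri.split("?", 1)[0].split("/") if p]
    return "/%s/" % parts[index - 1] if 1 <= index <= len(parts) else ""


def proxy_request(uri, client_headers, ssl_verify_result, client_subject_dn, client_ip):
    """Return the headers the backend sees, following the posted iRule's logic.

    ssl_verify_result: 0 means the presented client certificate verified
    against the profile's CA (the meaning of SSL::verify_result in the iRule).
    client_subject_dn: X509 subject of the presented certificate, or None.
    client_ip: the TCP peer address, used instead of any X-Forwarded-For sent.
    """
    # Scrub: nothing the client sent under a proxy-owned name survives.
    headers = {k: v for k, v in client_headers.items() if k not in PROXY_OWNED}
    headers["X-Forwarded-Proto"] = "https"           # HTTP_REQUEST in the iRule
    headers["X-Forwarded-For"] = client_ip           # taken from the connection
    cert_request = uri_path_segment(uri, 2) in ENROLMENT_SEGMENTS
    # HTTP_REQUEST_SEND: identity headers only for non-enrolment requests
    if not cert_request and client_subject_dn is not None:
        if ssl_verify_result == 0:
            headers["X-Client-Verify"] = "SUCCESS"
        headers["X-Client-DN"] = "/" + client_subject_dn     # iRule prefixes "/"
        headers["X-SSL-Subject"] = "/" + client_subject_dn
    return headers


def backend_env(headers, peer_addr):
    """Mimic the SetEnvIf lines: map proxy headers onto the variables Puppet reads."""
    env = {"REMOTE_ADDR": peer_addr}                 # the F5's SNAT address
    if "X-SSL-Subject" in headers:
        env["SSL_CLIENT_S_DN"] = headers["X-SSL-Subject"]
    if "X-Client-Verify" in headers:
        env["SSL_CLIENT_VERIFY"] = headers["X-Client-Verify"]
    if "X-Forwarded-For" in headers:
        env["REMOTE_ADDR"] = headers["X-Forwarded-For"]
    if headers.get("X-Forwarded-Proto") == "https":
        env["HTTPS"] = "1"
    return env


def is_authenticated(env):
    """An authenticated request needs a verified client cert and a subject DN."""
    return env.get("SSL_CLIENT_VERIFY") == "SUCCESS" and bool(env.get("SSL_CLIENT_S_DN"))
```

The scrub step is what keeps the SetEnvIf mapping safe: Apache has no way to tell a header the F5 inserted from one that was already in the request, so the only place that distinction can be made is the proxy, and the backend port (18140 in the post) should not be reachable except from the F5.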
Hopefully this helps people who have had issues similar to the ones I had.