puppet-server 0.4.1 - malformed DN provided by HTTP header x-client-dn


Kevin DeGraaf

Dec 23, 2014, 2:15:27 PM
to puppet...@googlegroups.com
Hello,

I am evaluating Puppet Enterprise 3.7.1, which includes puppet-server 0.4.1.

I am terminating SSL at an Nginx reverse proxy, using a configuration which works fine with the old Apache/Passenger stack:

  proxy_set_header X-Client-Verify      $ssl_client_verify;
  proxy_set_header X-Client-DN          $ssl_client_s_dn;

/etc/puppetlabs/puppetserver/conf.d/webserver.conf:
[...]
  client-auth : none
  host        : 0.0.0.0
  port        : 18140
[...]

/etc/puppetlabs/puppetserver/conf.d/master.conf:
master: {
    allow-header-cert-info: true
}

/etc/puppetlabs/puppet/puppet.conf:
[...]
    ssl_client_header = HTTP_X_CLIENT_DN
    ssl_client_verify_header = HTTP_X_CLIENT_VERIFY

According to my reading of:
https://docs.puppetlabs.com/puppetserver/1.0/external_ssl_termination.html
https://docs.puppetlabs.com/references/3.7.latest/configuration.html#sslclientheader

... this should work, assuming the behavior didn't change from 0.4.1 to 1.0.

However, in /var/log/pe-puppetserver/puppetserver.log:

ERROR [p.s.r.request-handler-core] The DN '/CN=pe-agent.site' provided by the HTTP header 'x-client-dn' is malformed.

The listed DN appears to match the format given in the documentation ("/CN=puppet.puppetlabs.com").

From here, authentication fails and the agent run explodes.  Am I missing something?

Thanks.

Justin May

Dec 29, 2014, 2:52:39 PM
to puppet...@googlegroups.com
Hi Kevin,

We have identified this bug in JIRA as SERVER-213. Essentially, we currently only support the standard ',' separated DNs and not OpenSSL style '/' separated ones which are generated by Apache and NGINX. Hopefully we will have this fixed soon.

Thanks,
Justin

Kevin DeGraaf

Jan 4, 2015, 1:25:46 AM
to puppet...@googlegroups.com
Justin,

Thanks!  I have successfully worked around SERVER-213 with the following nginx hack:

  if ($ssl_client_s_dn ~* "^/(CN=.+)$") {
    set $ssl_client_s_dn $1;
  }
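The format mismatch Justin describes (comma-separated RFC 2253 DNs versus OpenSSL's slash-separated one-line form) and the nginx rewrite above, which only handles a DN consisting of a single CN, generalise to the following conversion. This is an added example, not code from this thread or from puppet-server; the function names and the sample DNs are my own, and it is meant to run at the proxy side before the header is forwarded, so that a DN the backend cannot parse is rejected rather than passed through.

```python
import re

# OpenSSL one-line form, as emitted by Nginx's $ssl_client_s_dn and Apache's
# SSL_CLIENT_S_DN: "/C=US/O=Example/CN=host" (root-first, '/' separated).
# RFC 2253 form, which puppet-server 0.4.1 expects: "CN=host,O=Example,C=US"
# (leaf-first, ',' separated), so the RDN order must be reversed.
_SLASH_RDN = re.compile(r'/([A-Za-z][A-Za-z0-9.]*)=((?:[^/\\]|\\.)*)')
_RFC2253_SPECIAL = ',+"\\<>;'


def openssl_dn_to_rfc2253(dn: str) -> str:
    """Convert an OpenSSL slash-separated DN to RFC 2253 comma-separated form.

    Raises ValueError for input that is not well-formed slash notation, so a
    caller can refuse the request instead of forwarding an unparseable DN.
    """
    if not dn.startswith('/'):
        raise ValueError(f'not an OpenSSL-style DN: {dn!r}')
    rdns = []
    pos = 0
    for m in _SLASH_RDN.finditer(dn):
        if m.start() != pos:  # gap between RDNs means garbage in the input
            raise ValueError(f'unparseable DN segment at offset {pos}: {dn!r}')
        pos = m.end()
        attr, value = m.group(1), m.group(2)
        # Undo OpenSSL's backslash escapes (e.g. "\/"), then escape the
        # characters that are special in RFC 2253 values.
        value = re.sub(r'\\(.)', r'\1', value)
        escaped = ''.join('\\' + ch if ch in _RFC2253_SPECIAL else ch for ch in value)
        if escaped[:1] in ('#', ' '):
            escaped = '\\' + escaped
        if escaped.endswith(' '):
            escaped = escaped[:-1] + '\\ '
        rdns.append(f'{attr}={escaped}')
    if pos != len(dn) or not rdns:
        raise ValueError(f'unparseable DN: {dn!r}')
    return ','.join(reversed(rdns))


def normalize_client_dn(dn: str) -> str:
    """Return a DN in RFC 2253 form whatever the TLS terminator produced.

    Slash form is converted; anything else must already look like an
    'attr=value' RDN list or it is rejected.
    """
    if dn.startswith('/'):
        return openssl_dn_to_rfc2253(dn)
    if not re.match(r'^[A-Za-z][A-Za-z0-9.]*=', dn):
        raise ValueError(f'unrecognised DN format: {dn!r}')
    return dn


if __name__ == '__main__':
    # Constructed sample values, including the DN from the log line in the thread.
    for sample in ('/CN=pe-agent.site', '/C=US/O=Example, Inc./CN=host', 'CN=already.fine'):
        print(f'{sample!r:40} -> {normalize_client_dn(sample)!r}')
```

The nginx `if`/`set` rewrite is the right tool when every client certificate carries only a CN; the conversion above is what you need once certificates carry O or C components as well, because then the RDN order has to be reversed and values containing commas have to be escaped, neither of which a single regex capture does.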

stephan schultchen

Feb 23, 2015, 11:10:29 AM
to puppet...@googlegroups.com
Hey,

for anyone who is using apache:

change:
RequestHeader set X-Client-DN "/CN=%{SSL_CLIENT_S_DN_CN}e"

to:
RequestHeader set X-Client-DN "CN=%{SSL_CLIENT_S_DN_CN}e"

in your puppet vhost