In the wiki "Using_Mongrel"
http://projects.reductivelabs.com/projects/puppet/wiki/Using_Mongrel
it proposes a configuration with the option:
SSLVerifyClient require
But with this option set I am not able to register new clients. When I
run a new puppet client, I get the error:
warning: peer certificate won't be verified in this SSL session
err: Could not request certificate: SSL_connect returned=1 errno=0
state=SSLv3 read finished A: sslv3 alert handshake failure
And in the puppetmaster I do not get the client certificate request to sign it.
But if I set in apache configuration:
SSLVerifyClient optional
client is able to establish SSL connection and the certificate request
can be signed from puppetmaster.
What is the correct setting? Is "SSLVerifyClient optional" correct or
should it be "require"?
--
Atentamente
Héctor Rivas
>> But if I set in apache configuration:
>>
>> SSLVerifyClient optional
>>
>> client is able to establish SSL connection and the certificate request
>> can be signed from puppetmaster.
> by enabling require, you basically say - the client is already supposed to
> have a certificate that I could verify.
> You can either set the different certificate request path to not require
> verification, or disable it (unless you have another ca server or another
> way of distributing the certificates).
So using "optional" will simulate the behaviour of a default
standalone puppetmaster (without apache). Doesn't it?
--
Atentamente
Héctor Rivas
On Mon, Sep 6, 2010 at 12:52 PM, Ohad Levy <ohad...@gmail.com> wrote:
--
Atentamente
Héctor Rivas
There is no (real) point of using SSLVerifyClient Require...
I encountered the same problem when I started to use Puppet (2.6.0).
When you have no real knowledge about Puppet, it takes some time to
understand the whole shebang and it's even more confusing when the
documentation tends to be wrong.
Indeed as you can see [1], all the "howto use mongrel" have the same
mistake in the configuration. It should definitely say :
SSLVerifyClient optional
and __not__
SSLVerifyClient require
Otherwise a client cannot register for a signed certificate. And
obviously nothing will work and people will rollback to Webrick.
So whoever can modify the wiki pages, do it. You will be seen as a hero
for all the future puppet users coming ;) And thanks Héctor for asking,
I wanted to send an email about that but I forgot, your email acted as a
reminder ;)
Cheers,
Thomas
[1] http://projects.reductivelabs.com/projects/puppet/wiki/Using_Mongrel
Actually I changed the wiki adding the comments of this thread :)
(authenticated users can edit pages).
--
Atentamente
Héctor Rivas
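
The setting the thread settles on, shown in context as an added example (not taken from the wiki page or from any poster's configuration). File paths, MASTER_FQDN and the backend address 127.0.0.1:18140 are placeholders and assumptions; the point is that with "optional" Apache no longer rejects clients without a certificate, so it has to tell the puppetmaster behind it whether verification succeeded.

```apache
# Added example. Paths, MASTER_FQDN and the backend port are placeholders.
Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    SSLCertificateFile    /path/to/puppet/ssl/certs/MASTER_FQDN.pem
    SSLCertificateKeyFile /path/to/puppet/ssl/private_keys/MASTER_FQDN.pem
    SSLCACertificateFile  /path/to/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile   /path/to/puppet/ssl/ca/ca_crl.pem

    # "require" aborts the handshake for a client that has no certificate
    # yet, so a new client can never submit its certificate request.
    # "optional" lets the handshake complete with or without a client
    # certificate; a certificate that is presented is still checked
    # against the CA above.
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions      +StdEnvVars

    # Pass the verification result to the backend. "set" replaces any
    # header of the same name sent by the client, so the values below
    # always come from Apache's own handshake, not from the request.
    RequestHeader set X-Client-DN     "%{SSL_CLIENT_S_DN}e"
    RequestHeader set X-Client-Verify "%{SSL_CLIENT_VERIFY}e"

    # Assumed: one Mongrel puppetmaster bound to loopback only, so the
    # headers above cannot be supplied by connecting to it directly.
    ProxyPass        / http://127.0.0.1:18140/
    ProxyPassReverse / http://127.0.0.1:18140/
</VirtualHost>
```

On the Puppet side these two headers correspond to the ssl_client_header and ssl_client_verify_header settings; the puppetmaster's own authorization rules then decide what an unverified client may do.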