nginx config
ADNET Ghislain
i try to make puppet work with nginx. Since now i have used the how to on
https://reductivelabs.com/trac/puppet/wiki/UsingMongrelNginx
the how to use
ssl on;
ssl_certificate /Library/Puppet/Generated/Server/SSL/host_cert.pem;
ssl_certificate_key /Library/Puppet/Generated/Server/SSL/host_key.pem;
ssl_client_certificate /Library/Puppet/Generated/Server/SSL/ca/ca_crt.pem;
ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
ssl_session_cache shared:SSL:8m;
ssl_session_timeout 5m;
i tried to match this with a debian install for the 3 first lines with:
ssl_certificate /var/lib/puppet/ssl/certs/my.puppet.com.pem;
ssl_certificate_key /var/lib/puppet/ssl/private_keys/my.puppet.com.pem;
ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
Is that okay ?
I can make a puppetd run on port 8141 and get the cert in puppetca then sign it. After that i try again to run puppet on 8140 but i got:
: Failed to generate additional resources during transaction: Certificates were not trusted: hostname was not match with the server certificate
I run puppetmasterd in command line with daemonize=false (which works only on the config file not on the command line by the way)
/usr/sbin/puppetmasterd --ssl_client_header=HTTP_X_SSL_SUBJECT --servertype=mongrel --masterport=18141 --pidfile=/var/run/puppet/puppetmasterd-18141.pid --debug
but i got nothing at all to print when i launch puppet on the client side so it seems it stops at nginx.
the config is
server {
listen 8140;
ssl_verify_client on;
root /var/empty;
access_log on;
##rewrite_log on;
# Variables
# $ssl_client_s_dn returns line subject DN of client certificate for established SSL-connection
# $ssl_client_i_dn returns line issuer DN of client certificate for established SSL-connection
location / {
proxy_pass http://puppet-production;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Client-Verify SUCCESS;
proxy_set_header X-SSL-Subject $ssl_client_s_dn;
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
}
}
server {
listen 8141;
ssl_verify_client off;
root /var/empty;
access_log on;
#rewrite_log on;
location / {
proxy_pass http://puppet-production;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Client-Verify FAILURE;
proxy_set_header X-SSL-Subject $ssl_client_s_dn;
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
}
}
If any nginx guru or ssl person could help i do not see where this is blocking.
Cordialement,
Ghislain
ADNET Ghislain
i used --server=ip instead of --server=fqn. This works like a charm now
it seems.
ok now i go on
foreach class
convert it to module
test
end
thanks :)
--
Cordialement,
Ghislain
Peter Meier
> I can make a puppetd run on port 8141 and get the cert in puppetca then sign it.
> After that i try again to run puppet on 8140 but i got:
is this working for you? so you run x mongrel instances load balanced by
nginx and one webrick on port 8141 to get the certs?
i also thought about a setup like that but didn't yet come to implement
it and now just wondering if it actually works.
greets pete
ADNET Ghislain
> Hi
>
>
>> I can make a puppetd run on port 8141 and get the cert in puppetca then sign it.
>> After that i try again to run puppet on 8140 but i got:
>>
>
> is this working for you? so you run x mongrel instances load balanced by
> nginx and one webrick on port 8141 to get the certs?
>
yes it runs fine, you have x puppetmasterd process running, each one use
mongrel (not webrick). nginx balances the loads between them. To sign
the cert you neeed the first time to use the alternate port.
> i also thought about a setup like that but didn't yet come to implement
> it and now just wondering if it actually works.
>
it does for my test but i have not deployed for all the server as i am
translating badly written recipe in a module only thing that works a lot
better and at least i will not anymore search two hours where i put the
dam sudoers template anymore. For now it manages ... 1 server... i will
go to one hundred more (those are virtualized instances not real
servers) soon.
--
Cordialement,
Ghislain
Peter Meier
> yes it runs fine, you have x puppetmasterd process running, each one use
> mongrel (not webrick). nginx balances the loads between them. To sign
> the cert you neeed the first time to use the alternate port.
hmm but the one that runs on port 8141 is running also mongrel? I
thought that mongrel doesn't understand anything with ssl, and as it is
stated on: http://mongrel.rubyforge.org/wiki/FAQ also I think you have
to run the process on port 8141 with webrick. or is doing puppetmaster
here the ssl stuff?
sorry just curious to understand everything correctly.
greets pete
ADNET Ghislain
> Hi
>
>
>> yes it runs fine, you have x puppetmasterd process running, each one use
>> mongrel (not webrick). nginx balances the loads between them. To sign
>> the cert you neeed the first time to use the alternate port.
>>
>
> hmm but the one that runs on port 8141 is running also mongrel? I
> thought that mongrel doesn't understand anything with ssl, and as it is
> stated on: http://mongrel.rubyforge.org/wiki/FAQ also I think you have
> to run the process on port 8141 with webrick. or is doing puppetmaster
> here the ssl stuff?
>
it requires client side certificate if this works it just tells puppet
that the cert is okay and sends the request.
The other port does not check the cert but send a certificate failure
to puppet allowing the signing request to go through but nothing more as
puppet stop there.
( at least this is how i understood it)
regards,
Ghislain.
--
Peter Meier
> all the ssl is done by nginx. In the two case. nginx use one port where
> it requires client side certificate if this works it just tells puppet
> that the cert is okay and sends the request.
>
> The other port does not check the cert but send a certificate failure
> to puppet allowing the signing request to go through but nothing more as
> puppet stop there.
>
> ( at least this is how i understood it)
ah yeah I see it now in the config. :) Yeah this makes then again sense.
thanks! :)
greets Pete