<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
Hi,<br>
<br>
I am trying to make puppet work with nginx. So far I have used the how-to
at<br>
<br>
<a class="moz-txt-link-freetext"
href="https://reductivelabs.com/trac/puppet/wiki/UsingMongrelNginx">https://reductivelabs.com/trac/puppet/wiki/UsingMongrelNginx</a><br>
<br>
<br>
The how-to uses:<br>
<br>
<pre>
ssl                    on;
ssl_certificate        /Library/Puppet/Generated/Server/SSL/host_cert.pem;
ssl_certificate_key    /Library/Puppet/Generated/Server/SSL/host_key.pem;
ssl_client_certificate /Library/Puppet/Generated/Server/SSL/ca/ca_crt.pem;
ssl_ciphers            SSLv2:-LOW:-EXPORT:RC4+RSA;
ssl_session_cache      shared:SSL:8m;
ssl_session_timeout    5m;
</pre>
<br>
<br>
I tried to match this with a Debian install for the first 3 lines
with:<br>
<br>
<pre>
ssl_certificate        /var/lib/puppet/ssl/certs/my.puppet.com.pem;
ssl_certificate_key    /var/lib/puppet/ssl/private_keys/my.puppet.com.pem;
ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
</pre>
<br>
Is that okay?<br>
<br>
I can make a puppetd run on port 8141 and get the cert in puppetca, then
sign it. After that I try again to run puppet on 8140 but I get:<br>
<br>
<pre>
: Failed to generate additional resources during transaction:
Certificates were not trusted: hostname was not match with the server
certificate
</pre>
<br>
I run puppetmasterd on the command line with daemonize=false (which, by
the way, works only in the config file, not on the command line):<br>
<br>
<pre>
/usr/sbin/puppetmasterd --ssl_client_header=HTTP_X_SSL_SUBJECT \
  --servertype=mongrel --masterport=18141 \
  --pidfile=/var/run/puppet/puppetmasterd-18141.pid --debug
</pre>
<br>
but I get nothing printed at all when I launch puppet on the client
side, so it seems it stops at nginx.<br>
<br>
<br>
<br>
The config is:<br>
<br>
<blockquote><pre>
server {
    listen            8140;
    ssl_verify_client on;
    root              /var/empty;
    access_log        on;
    ##rewrite_log     on;

    # Variables
    # $ssl_client_s_dn returns the one-line subject DN of the client
    # certificate for the established SSL connection
    # $ssl_client_i_dn returns the one-line issuer DN of the client
    # certificate for the established SSL connection

    location / {
        # the upstream puppet-production (the mongrel instances) is
        # defined elsewhere and not shown in this post
        proxy_pass         http://puppet-production;
        proxy_redirect     off;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header   X-Client-Verify  SUCCESS;
        proxy_set_header   X-SSL-Subject    $ssl_client_s_dn;
        proxy_set_header   X-SSL-Issuer     $ssl_client_i_dn;
    }
}

server {
    listen            8141;
    ssl_verify_client off;
    root              /var/empty;
    access_log        on;
    #rewrite_log      on;

    location / {
        proxy_pass         http://puppet-production;
        proxy_redirect     off;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header   X-Client-Verify  FAILURE;
        proxy_set_header   X-SSL-Subject    $ssl_client_s_dn;
        proxy_set_header   X-SSL-Issuer     $ssl_client_i_dn;
    }
}
</pre></blockquote>
<br>
If any nginx guru or SSL person could help: I do not see where this is
blocking.<br>
<br>
<br>
<br>
<br>
<div class="moz-signature">-- <br>
Regards,<br>
Ghislain </div>
<br>
<br>
--~--~---------~--~----~------------~-------~--~----~<br>
You received this message because you are subscribed to the Google Groups
"Puppet Users" group. <br> To post to this group, send
email to puppet-users@googlegroups.com <br> To unsubscribe from this
group, send email to puppet-users-unsubscribe@googlegroups.com <br> For
more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en <br>
-~----------~----~----~----~------~----~------~--~---<br>
</body>
</html>
Biiip, error found: I used --server=ip instead of --server=fqn. This works like a charm now, it seems. OK, now I go on: for each class, convert it to a module, test, end. Thanks :)

-- 
Regards,
Ghislain

Hi

> I can make a puppetd run on port 8141 and get the cert in puppetca then sign it.
> After that i try again to run puppet on 8140 but i got:

Is this working for you? So you run x mongrel instances load balanced by nginx and one webrick on port 8141 to get the certs? I also thought about a setup like that but didn't yet come to implement it, and now I'm just wondering if it actually works.

greets
pete

Peter Meier wrote:
> Hi
>
>> I can make a puppetd run on port 8141 and get the cert in puppetca then sign it.
>> After that i try again to run puppet on 8140 but i got:
>
> is this working for you? so you run x mongrel instances load balanced by
> nginx and one webrick on port 8141 to get the certs?

Yes, it runs fine: you have x puppetmasterd processes running, each one using mongrel (not webrick). nginx balances the load between them. To sign the cert you need, the first time, to use the alternate port.

> i also thought about a setup like that but didn't yet come to implement
> it and now just wondering if it actually works.

It does for my test, but I have not deployed it for all the servers, as I am translating badly written recipes into modules, the only thing that works a lot better; at least I will not search two hours anymore for where I put the damn sudoers template. For now it manages ... 1 server... I will go to one hundred more (those are virtualized instances, not real servers) soon.

-- 
Regards,
Ghislain

Hi

> yes it runs fine, you have x puppetmasterd process running, each one use
> mongrel (not webrick). nginx balances the loads between them. To sign
> the cert you neeed the first time to use the alternate port.

Hmm, but the one that runs on port 8141 is also running mongrel? I thought that mongrel doesn't understand anything about ssl, and as it is stated on http://mongrel.rubyforge.org/wiki/FAQ too, I think you have to run the process on port 8141 with webrick. Or is puppetmaster doing the ssl stuff here? Sorry, just curious to understand everything correctly.

greets
pete

Peter Meier wrote:
> Hi
>
>> yes it runs fine, you have x puppetmasterd process running, each one use
>> mongrel (not webrick). nginx balances the loads between them. To sign
>> the cert you neeed the first time to use the alternate port.
>
> hmm but the one that runs on port 8141 is running also mongrel? I
> thought that mongrel doesn't understand anything with ssl, and as it is
> stated on: http://mongrel.rubyforge.org/wiki/FAQ also I think you have
> to run the process on port 8141 with webrick. or is doing puppetmaster
> here the ssl stuff?

All the ssl is done by nginx, in both cases. nginx uses one port where it requires a client-side certificate; if this works, it just tells puppet that the cert is okay and sends the request on. The other port does not check the cert but sends a certificate failure to puppet, allowing the signing request to go through but nothing more, as puppet stops there. (At least this is how I understood it.)

regards,
Ghislain.

-- 

Hi

> all the ssl is done by nginx. In the two case. nginx use one port where
> it requires client side certificate if this works it just tells puppet
> that the cert is okay and sends the request.
>
> The other port does not check the cert but send a certificate failure
> to puppet allowing the signing request to go through but nothing more as
> puppet stop there.
>
> ( at least this is how i understood it)

Ah yeah, I see it now in the config. :) Yeah, then this makes sense again. Thanks! :)

greets
Pete

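What the backend at the other end of the posted proxy_set_header lines has to decide, for the two-port config in the first message and Ghislain's explanation of it above, as an added example (not code from the thread, from Puppet or from nginx): it assumes the header names in the posted config and, for illustration, also their CGI spelling as in --ssl_client_header=HTTP_X_SSL_SUBJECT.

```python
"""Backend-side trust decision for the two-port nginx setup in this thread.

Added example, not code from the thread, from Puppet or from nginx. It assumes
the header names the posted config sets (X-Client-Verify, X-SSL-Subject) and
also accepts their CGI spelling (HTTP_X_SSL_SUBJECT, as given to
--ssl_client_header). The sample request at the bottom is constructed.
"""
import re
from typing import Dict, Optional

# nginx's $ssl_client_s_dn has used two spellings: the OpenSSL one-line form
# "/C=FR/O=Example/CN=node1.example.com" (nginx of the thread's era) and,
# since nginx 1.11.6, the RFC 2253 form "CN=node1.example.com,O=Example,C=FR".
_RDN_LEGACY = re.compile(r"/([A-Za-z]+)=([^/]*)")
_RDN_RFC2253 = re.compile(r"(?:^|,)\s*([A-Za-z]+)=((?:\\.|[^,])*)")


def common_name(subject_dn: str) -> Optional[str]:
    """Return the CN from either DN spelling, or None when there is none."""
    pattern = _RDN_LEGACY if subject_dn.startswith("/") else _RDN_RFC2253
    for attr, value in pattern.findall(subject_dn):
        if attr.upper() == "CN":  # RFC 2253 escapes an inner comma as "\,"
            return value.replace("\\,", ",").strip() or None
    return None


def client_identity(headers: Dict[str, str]) -> Optional[str]:
    """Return the certificate CN the proxy vouched for, or None.

    The 8140 block sets X-Client-Verify: SUCCESS only after nginx verified the
    client cert against ca_crt.pem; the 8141 block always sends FAILURE, so
    its requests stay unauthenticated (enough for the initial signing request
    and nothing more). proxy_set_header replaces any same-named header the
    client sent, so these values are trustworthy only while the backend port
    (18141 in the thread) is reachable from the proxy alone.
    """
    # Accept 'X-SSL-Subject' and CGI-style 'HTTP_X_SSL_SUBJECT' alike.
    norm = {re.sub(r"^http-", "", k.lower().replace("_", "-")): v
            for k, v in headers.items()}
    if norm.get("x-client-verify", "").strip().upper() != "SUCCESS":
        return None
    return common_name(norm.get("x-ssl-subject", ""))


if __name__ == "__main__":
    # Constructed sample of what the backend sees behind the 8140 block.
    sample = {"HTTP_X_CLIENT_VERIFY": "SUCCESS",
              "HTTP_X_SSL_SUBJECT": "/C=FR/O=Example/CN=node1.example.com"}
    print(client_identity(sample))  # node1.example.com
```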