Héctor Rivas Gándara
2010-Sep-06 10:25 UTC
[Puppet Users] SSLVerifyClient required with Apache+Mongrel
Hello,

In the wiki "Using_Mongrel"
http://projects.reductivelabs.com/projects/puppet/wiki/Using_Mongrel
it proposes a configuration with the option:

    SSLVerifyClient require

But with this option set I am not able to register new clients. When I run a new puppet client, I get the error:

    warning: peer certificate won't be verified in this SSL session
    err: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert handshake failure

And in the puppetmaster I do not get the client certificate request to sign it.

But if I set in apache configuration:

    SSLVerifyClient optional

client is able to establish SSL connection and the certificate request can be signed from puppetmaster.

What is the correct setting? Is "SSLVerifyClient optional" correct or should it be "required"?

--
Atentamente
Héctor Rivas

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Ohad Levy
2010-Sep-06 10:52 UTC
Re: [Puppet Users] SSLVerifyClient required with Apache+Mongrel
by enabling require, you basically say - the client is already supposed to have a certificate that I could verify.
You can either set the different certificate request path to not require verification, or disable it (unless you have another ca server or another way of distributing the certificates).

Ohad

2010/9/6 Héctor Rivas Gándara <keymon@gmail.com>

> Hello,
>
> In the wiki "Using_Mongrel"
> http://projects.reductivelabs.com/projects/puppet/wiki/Using_Mongrel
> it proposes a configuration with the option:
>
> SSLVerifyClient require
>
> But with this option set I am not able to register new clients. When I
> run a new puppet client, I get the error:
>
> warning: peer certificate won't be verified in this SSL session
> err: Could not request certificate: SSL_connect returned=1 errno=0
> state=SSLv3 read finished A: sslv3 alert handshake failure
>
> And in the puppetmaster I do not get the client certificate request to sign
> it.
>
> But if I set in apache configuration:
>
> SSLVerifyClient optional
>
> client is able to establish SSL connection and the certificate request
> can be signed from puppetmaster.
>
> What is the correct setting? Is "SSLVerifyClient optional" correct or
> should it be "required"?
>
> --
> Atentamente
> Héctor Rivas
Héctor Rivas Gándara
2010-Sep-06 11:07 UTC
Re: [Puppet Users] SSLVerifyClient required with Apache+Mongrel
On Mon, Sep 6, 2010 at 12:52 PM, Ohad Levy <ohadlevy@gmail.com> wrote:

>> But if I set in apache configuration:
>>
>> SSLVerifyClient optional
>>
>> client is able to establish SSL connection and the certificate request
>> can be signed from puppetmaster.

> by enabling require, you basically say - the client is already supposed to
> have a certificate that I could verify.
> You can either set the different certificate request path to not require
> verification, or disable it (unless you have another ca server or another
> way of distributing the certificates).

So using "optional" will simulate the behaviour of a default standalone puppetmaster (without apache). Doesn't it?

--
Atentamente
Héctor Rivas
Ohad Levy
2010-Sep-06 11:15 UTC
Re: [Puppet Users] SSLVerifyClient required with Apache+Mongrel
Yes

2010/9/6 Héctor Rivas Gándara <keymon@gmail.com>

> On Mon, Sep 6, 2010 at 12:52 PM, Ohad Levy <ohadlevy@gmail.com> wrote:
>
> >> But if I set in apache configuration:
> >>
> >> SSLVerifyClient optional
> >>
> >> client is able to establish SSL connection and the certificate request
> >> can be signed from puppetmaster.
>
> > by enabling require, you basically say - the client is already supposed to
> > have a certificate that I could verify.
> > You can either set the different certificate request path to not require
> > verification, or disable it (unless you have another ca server or another
> > way of distributing the certificates).
>
> So using "optional" will simulate the behaviour of a default
> standalone puppetmaster (without apache). Doesn't it?
>
> --
> Atentamente
> Héctor Rivas
Thomas Guthmann
2010-Sep-06 12:09 UTC
Re: [Puppet Users] SSLVerifyClient required with Apache+Mongrel
Hi,

There is no (real) point of using SSLVerifyClient Require...

I encountered the same problem when I started to use Puppet (2.6.0). When you have no real knowledge about Puppet, it takes some time to understand the whole shebang and it's even more confusing when the documentation tends to be wrong.

Indeed as you can see [1], all the "howto use mongrel" have the same mistake in the configuration. It should definitely say:

    SSLVerifyClient optional

and __not__

    SSLVerifyClient require

Otherwise a client cannot register for a signed certificate. And obviously nothing will work and people will rollback to Webrick.

So whoever can modify the wiki pages, do it. You will be seen as a hero for all the future puppet users coming ;) And thanks Héctor for asking, I wanted to send an email about that but I forgot, your email acted as a reminder ;)

Cheers,
Thomas

[1] http://projects.reductivelabs.com/projects/puppet/wiki/Using_Mongrel
Héctor Rivas Gándara
2010-Sep-07 07:32 UTC
Re: [Puppet Users] SSLVerifyClient required with Apache+Mongrel
> So whoever can modify the wiki pages, do it. You will be seen as a hero for
> all the future puppet users coming ;) And thanks Héctor for asking, I wanted
> to send an email about that but I forgot, your email acted as a reminder ;)

Actually I changed the wiki adding the comments of this thread :) (authenticated users can edit pages).

--
Atentamente
Héctor Rivas
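
The setting the thread arrives at, shown as an added example that is not part of any message above or of the wiki page. With "optional", Apache no longer rejects clients that have no certificate, so the verification result has to reach the puppetmaster in request headers. The host name, certificate paths and backend port below are assumptions.

```apache
# Added example. Paths, host name and backend port are placeholders.
Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    SSLCertificateFile    /var/lib/puppet/ssl/certs/puppet.example.com.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.example.com.pem
    SSLCACertificateFile  /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile   /var/lib/puppet/ssl/ca/ca_crl.pem

    # "require" ends the handshake for an agent that has no certificate yet,
    # so its certificate request never reaches the puppetmaster:
    #   SSLVerifyClient require
    # "optional" lets the handshake complete without a certificate and still
    # verifies one against the CA when the agent presents it.
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions      +StdEnvVars

    # Apache now only reports the result; the puppetmaster decides.
    # SSL_CLIENT_VERIFY is NONE when no certificate was sent and SUCCESS
    # when one was verified. "set" replaces any header of the same name
    # sent by the client, so these values cannot be supplied from outside.
    # Puppet's ssl_client_header and ssl_client_verify_header settings
    # name the headers it reads.
    RequestHeader set X-Client-DN     %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    # Backend bound to loopback only (assumed port), so the headers above
    # can only arrive through this virtual host.
    ProxyPass        / http://127.0.0.1:18140/
    ProxyPassReverse / http://127.0.0.1:18140/
</VirtualHost>
```

The RequestHeader directives need mod_headers, and the proxy directives need mod_proxy and mod_proxy_http.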