Hi everyone,

I am trying to set up puppet 3.0 with passenger since this morning, it is really painful for me.

I am using the directive:
SSLOptions +StdEnvVars +ExportCertData

No problem, but when putting ''+ExportCertData'', I am unable to autosign or revoke remotely any certificate. I have the following error:
info: Creating a new SSL key for linux-install.fqdn
err: Could not request certificate: Error 400 on SERVER: header too long
Exiting; failed to retrieve certificate and waitforcert is disabled

When using only:
SSLOptions +StdEnvVars

Everything works perfectly.

So here is the apache configuration file:
--
# you probably want to tune these settings
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off
PassengerHighPerformance on

Listen 8140

<VirtualHost *:8140>
        ServerName puppetmaster.fqdn
        ServerAlias puppetmaster

        ErrorLog /var/log/apache2/puppetmaster_error.log
        LogLevel warn
        SetEnvIf Remote_Addr "::1" dontlog
        CustomLog /var/log/apache2/puppetmaster_access.log combined env=!dontlog

        SSLEngine on
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

        SSLCertificateFile /data/local/puppet/ssl/certs/puppetmaster.fqdn.pem
        SSLCertificateKeyFile /data/local/puppet/ssl/private_keys/puppetmaster.fqdn.pem
        SSLCertificateChainFile /data/local/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile /data/local/puppet/ssl/ca/ca_crt.pem
        # If Apache complains about invalid signatures on the CRL, you can try disabling
        # CRL checking by commenting the next line, but this is not recommended.
        SSLCARevocationFile /data/local/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient optional
        SSLVerifyDepth 1
        # The `ExportCertData` option is needed for agent certificate expiration warnings
        SSLOptions +StdEnvVars +ExportCertData

        # This header needs to be set if using a loadbalancer or proxy
        # RequestHeader unset X-Forwarded-For

        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

        RackAutoDetect On

        DocumentRoot /var/www/puppetmaster/public/
        RackBaseURI /
        <Directory /var/www/puppetmaster/>
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>
--

So any clue?

Regards,
JM

Hi JM, this sounds like a real problem that was probably introduced with our code to start warning on certificates close to their expiration dates.

(#7962)
https://github.com/puppetlabs/puppet/commit/12d81c7ef97167f1831143ff0037ae9a3970960d

I created a ticket for this issue:
https://projects.puppetlabs.com/issues/16769

Can you please update the ticket with more information about your environment?

- what version of passenger?
- what version of apache?

Thanks!

On Tuesday, October 2, 2012 7:07:32 AM UTC-7, A_SAAS wrote:
> Hi everyone,
>
> I am trying to set up puppet 3.0 with passenger since this morning, it is
> really painful for me.
>
> I am using the directive:
> SSLOptions +StdEnvVars +ExportCertData
>
> No problem, but when putting ''+ExportCertData'', I am unable to autosign or
> revoke remotely any certificate. I have the following error:
> info: Creating a new SSL key for linux-install.fqdn
> err: Could not request certificate: Error 400 on SERVER: header too long
> Exiting; failed to retrieve certificate and waitforcert is disabled
>
> When using only:
> SSLOptions +StdEnvVars
>
> Everything works perfectly.

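The configuration comment in this thread says `ExportCertData` is there for agent certificate expiration warnings. As an added example (not code from the thread or from Puppet), this shows a Rack-side expiry check that tolerates a request with no client certificate. Assumptions: mod_ssl passes the PEM in `SSL_CLIENT_CERT`, and an agent that has no certificate yet, which `SSLVerifyClient optional` permits, yields a missing or empty value; the function names and the 30-day threshold are hypothetical.

```ruby
require 'openssl'

WARN_DAYS = 30 # hypothetical warning threshold, not a Puppet setting

# Parse the PEM that mod_ssl exports in SSL_CLIENT_CERT under +ExportCertData.
# Assumption: an agent with no certificate yet yields a missing or empty value,
# so that case (and any unparseable value) returns nil instead of raising.
def client_cert_from_env(env)
  pem = env['SSL_CLIENT_CERT'].to_s.strip
  return nil if pem.empty?
  OpenSSL::X509::Certificate.new(pem)
rescue OpenSSL::X509::CertificateError
  nil
end

# Whole days until expiry (negative once expired); nil without a usable cert.
def days_until_expiry(env, now = Time.now)
  cert = client_cert_from_env(env)
  cert && ((cert.not_after - now) / 86_400).floor
end

# Warning text for certificates inside the threshold, otherwise nil.
def expiry_warning(env, now = Time.now)
  days = days_until_expiry(env, now)
  return nil if days.nil? || days > WARN_DAYS
  "certificate for #{client_cert_from_env(env).subject} expires in #{days} day(s)"
end

# Constructed sample input: a throwaway self-signed certificate.
def sample_cert_pem(not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=linux-install.fqdn')
  cert.public_key = key.public_key
  cert.not_before = not_after - 365 * 86_400
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  now = Time.at(Time.now.to_i) # whole seconds, matching certificate time precision
  p expiry_warning({}, now)                         # no certificate presented
  p expiry_warning({ 'SSL_CLIENT_CERT' => '' }, now) # empty value
  puts expiry_warning({ 'SSL_CLIENT_CERT' => sample_cert_pem(now + 10 * 86_400) }, now)
end
```
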
Hi

I have filled out the ticket, let me know if something is missing.

Regards,
JM

On Thu, Oct 4, 2012 at 1:07 AM, Eric Sorenson <eric.sorenson@puppetlabs.com> wrote:
> Hi JM, this sounds like a real problem that was probably introduced with
> our code to start warning on certificates close to their expiration dates.
>
> (#7962)
> https://github.com/puppetlabs/puppet/commit/12d81c7ef97167f1831143ff0037ae9a3970960d
>
> I created a ticket for this issue:
> https://projects.puppetlabs.com/issues/16769
>
> Can you please update the ticket with more information about your
> environment?
>
> - what version of passenger?
> - what version of apache?
>
> Thanks!