Anyone have a working NGINX configuration for Puppetmaster?

Regards,
AJ

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

AJ Christensen (Fujin) wrote:
> Anyone have a working NGINX configuration for Puppetmaster?

The one on the wiki doesn't work?

http://reductivelabs.com/trac/puppet/wiki/UsingMongrelNginx

James

--
Author of:
* Pulling Strings with Puppet (http://www.amazon.com/gp/product/1590599780/)
* Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/)
* Hardening Linux (http://www.amazon.com/gp/product/1590594444/)

James Turnbull wrote:
> The one on the wiki doesn't work?
>
> http://reductivelabs.com/trac/puppet/wiki/UsingMongrelNginx

Unfortunately not.

Regards,
AJ

On Mon, Aug 4, 2008 at 7:28 PM, AJ <aj@junglist.gen.nz> wrote:
> James Turnbull wrote:
>> The one on the wiki doesn't work?
>>
>> http://reductivelabs.com/trac/puppet/wiki/UsingMongrelNginx
>
> Unfortunately not.

What's not working? That was more of a proof of concept Jeff put together when he and I started hunting around for alternatives to Apache, but I did have it set up a couple of times and working.

That reminds me. I need to go update the Pound instructions as the patch has been accepted upstream, but it's a compile time option only unfortunately....

--
Nigel Kersten
Systems Administrator
Tech Lead - MacOps

Nigel Kersten wrote:
> What's not working? That was more of a proof of concept Jeff put
> together when he and I started hunting around for alternatives to
> Apache, but I did have it set up a couple of times and working.

Everything (remote hosts) appears to come through as 127.0.0.1/localhost:

Aug 5 15:35:10 puppet puppetmasterd[14164]: Denying unauthenticated client localhost(127.0.0.1) access to fileserver.list
Aug 5 15:35:10 puppet puppetmasterd[14186]: Denying unauthenticated client localhost(127.0.0.1) access to fileserver.list
Aug 5 15:35:10 puppet puppetmasterd[14208]: Denying unauthenticated client localhost(127.0.0.1) access to fileserver.list
Aug 5 15:35:10 puppet puppetmasterd[14142]: Denying unauthenticated client localhost(127.0.0.1) access to fileserver.list
Aug 5 15:35:10 puppet puppetmasterd[14164]: Denying unauthenticated client localhost(127.0.0.1) access to puppetmaster.getconfig
Aug 5 15:35:10 puppet puppetmasterd[14186]: Denying unauthenticated client localhost(127.0.0.1) access to puppetmaster.getconfig
Aug 5 15:35:10 puppet puppetmasterd[14208]: Denying unauthenticated client localhost(127.0.0.1) access to puppetmaster.getconfig

user puppet;
worker_processes 1;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log /var/log/nginx/access.log;
    sendfile on;
    keepalive_timeout 65;
    tcp_nodelay on;
    gzip on;

    ssl on;
    ssl_certificate /var/lib/puppet/ssl/certs/puppet.pem;
    ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppet.pem;
    ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
    ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
    ssl_session_cache shared:SSL:8m;
    ssl_session_timeout 5m;

    upstream puppet {
        server 127.0.0.1:18140;
        server 127.0.0.1:18141;
        server 127.0.0.1:18142;
        server 127.0.0.1:18143;
    }

    server {
        listen 8140;
        ssl_verify_client on;
        root /var/empty;

        location / {
            proxy_pass http://puppet;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Client-Verify SUCCESS;
            proxy_set_header X-SSL-Subject $ssl_client_s_dn;
            proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
        }
    }
}

AJ wrote:
> Everything (remote hosts) appears to come through as 127.0.0.1/localhost:
> ...

The headers look OK, too:

2008/08/05 15:44:02 [debug] 15181#0: *7 http proxy header: "Accept: */*"
2008/08/05 15:44:02 [debug] 15181#0: *7 http proxy header: "Content-Type: text/xml; charset=utf-8"
2008/08/05 15:44:02 [debug] 15181#0: *7 http proxy header: "User-Agent: XMLRPC::Client (Ruby 1.8.6)"
2008/08/05 15:44:02 [debug] 15181#0: *7 http proxy header: "Content-Length: 2538"
2008/08/05 15:44:02 [debug] 15181#0: *7 http proxy header:
"POST /RPC2 HTTP/1.0
Host: puppet
*X-Real-IP: 210.55.105.193
X-Forwarded-For: 210.55.105.193*
X-Client-Verify: SUCCESS
X-SSL-Subject: /CN=ns1.maxnet.net.nz
X-SSL-Issuer: /CN=puppet.maxnet.net.nz
Connection: close
Accept: */*
Content-Type: text/xml; charset=utf-8
User-Agent: XMLRPC::Client (Ruby 1.8.6)
Content-Length: 2538

What the hell does Apache do, that nginx isn't?

Managed to get it working with certs that are pre-signed. Unauthenticated/new clients behave differently:

root@netflowtest01:~# puppetd -t
info: Loading fact netmask
info: Loading fact acpi_available
info: Loading fact configured_ntp_servers
info: Loading fact interfaces
info: Creating a new certificate request for netflowtest01.maxnet.net.nz
info: Creating a new SSL key at /var/lib/puppet/ssl/private_keys/netflowtest01.maxnet.net.nz.pem
warning: peer certificate won't be verified in this SSL session
err: Could not call puppetca.getcert: #<RuntimeError: HTTP-Error: 400 Bad Request>
/usr/lib/ruby/1.8/puppet/network/client/ca.rb:31:in `request_cert': Certificate retrieval failed: HTTP-Error: 400 Bad Request (Puppet::Error)
        from /usr/sbin/puppetd:356

2008/08/05 17:37:47 [info] 27453#0: *1 client sent no required SSL certificate while reading client request headers, client: 172.16.10.50, server: puppet, URL: "/RPC2", host: "puppet:8140"

But authenticated clients work correctly. This is probably due to the ssl_verify_client on; in nginx, as opposed to Optional in Apache?

I'm also struggling to get nginx working. The nginx.conf I'm using is very similar to both AJ's and the one on the website. If I get a chance tomorrow I'll clean up my test scripts and configs and share them, but at the moment they are hardcoded for my environment.

---- Step 1) Puppet Server running WEBrick on port 8141 ----
[root@server ~]# ./test-puppetmaster.sh -s
+ puppetmasterd --verbose --masterport 8141 --no-daemonize
info: Starting server for Puppet version 0.24.4
info: mount[master-skel]: allowing 172.X.X.X/16 access
info: mount[master-skel]: allowing 172.X.X.X/16 access
info: Creating a new certificate request for server.example.com
info: Creating a new SSL key at /var/lib/puppet/ssl/private_keys/server.example.com.pem
info: Signing certificate for CA server
info: Signing certificate for server.example.com
info: Listening on port 8141
notice: Starting Puppet server version 0.24.4
notice: Allowing unauthenticated client client.example.com(172.X.X.X) access to puppetca.getcert
info: Signing certificate for client.example.com

---- Step 2) Puppet Server running Nginx port 8140 => Mongrel port 18140 ----
[root@server ~]# ./test-puppetmaster.sh -m
2008/08/06 06:06:40 [info] 7857#0: the configuration file /etc/nginx/nginx.conf syntax is ok
2008/08/06 06:06:40 [info] 7857#0: the configuration file /etc/nginx/nginx.conf was tested successfully
Stopping nginx: [ OK ]
Starting nginx: [ OK ]
+ puppetmasterd --verbose --no-daemonize --servertype=mongrel --ssl_client_header=HTTP_X_SSL_SUBJECT --ssl_client_verify_header=HTTP_X_CLIENT_VERIFY --ca_port 8141 --masterport=18140
info: mount[master-skel]: allowing 172.X.X.X/16 access
info: mount[master-skel]: allowing 172.X.X.X/16 access
notice: Starting Puppet server version 0.24.4

---- Step 3) Client running puppetd ----
[root@client ~]# ./test-puppet-client.sh -t
+ puppetd --server server.example.com --verbose --waitforcert 10 --no-daemonize --fqdn client.example.com --ca_port 8141 --listen
info: Creating a new certificate request for client.example.com
info: Creating a new SSL key at /var/lib/puppet/ssl/private_keys/client.example.com.pem
warning: peer certificate won't be verified in this SSL session
notice: Got signed certificate
info: Starting handler for Runner
info: Starting server for Puppet version 0.24.4
info: Listening on port 8139
notice: Starting Puppet client version 0.24.4
err: Could not retrieve catalog: Certificates were not trusted: unknown protocol
err: Could not retrieve catalog: Certificates were not trusted: unknown protocol
err: Could not retrieve catalog: Certificates were not trusted: unknown protocol

As you can see it's not working...

At OSCON someone mentioned that on the official website were examples for having an F5 do the SSL proxy and balancing. I however couldn't find any doc mentioning using an F5 load balancer. URL anyone?

-Yazz

On Aug 5, 2008, at 12:33 AM, Peter Meier wrote:
> Hi
>
> I have 2 working setups.
>
>> Aug 5 15:35:10 puppet puppetmasterd[14164]: Denying unauthenticated
>> client localhost(127.0.0.1) access to fileserver.list
>
> Your error looks for me that you don't have set:
>
> ssl_client_header = HTTP_X_SSL_SUBJECT
>
> according to the docu.
>
>> What the hell does Apache do, that nginx isn't?
>
> setting the SSL flag according to the verification. which it looks like
> nginx can't. but I didn't examine this further as with the 2 ports it
> works fine.
>
> please also note that you have to run clients without a cert against
> port 8141.
>
> the easiest thing is that you run your client with --ca_port 8141,
> which will setup all the certificate stuff over port 8141 and the rest
> with a correct signed cert over port 8140.
>
> you can ping me in irc.
>
> greets pete
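As an added illustration of Peter's explanation quoted above (this is not Puppet's own code), the following models how a Mongrel-fronted puppetmaster turns the proxy headers into a client identity. It assumes the master reads the DN from the CGI-style variable named by ssl_client_header (Puppet's default is HTTP_X_CLIENT_DN), counts the client as authenticated only when the variable named by ssl_client_verify_header is SUCCESS, and otherwise falls back to a reverse lookup of REMOTE_ADDR, which behind the proxy is 127.0.0.1; identify_client, PROXIED_ENV and REVERSE_DNS are names of this example.

```ruby
# Added example, not Puppet's own code: a simplified model of the client
# classification a header-based puppetmaster (--servertype=mongrel) makes.
# Assumed behaviour: DN from the variable named by ssl_client_header, trust
# only when the ssl_client_verify_header variable is "SUCCESS", reverse
# lookup of REMOTE_ADDR when no DN arrives, X-Forwarded-For not consulted.

DEFAULTS = { ssl_client_header: "HTTP_X_CLIENT_DN",          # puppet's defaults
             ssl_client_verify_header: "HTTP_X_CLIENT_VERIFY" }.freeze

# Stand-in for DNS so the example runs offline (constructed).
REVERSE_DNS = { "127.0.0.1" => "localhost" }.freeze

# Returns [client_name, ip, authenticated?] for a Mongrel/CGI-style env hash.
def identify_client(env, settings = {})
  cfg = DEFAULTS.merge(settings)
  ip = env["REMOTE_ADDR"]                     # the proxy's address, not the agent's
  dn = env[cfg[:ssl_client_header]]
  if dn && (cn = dn[/CN\s*=\s*(.+)\z/, 1])
    # identity comes from the proxy-supplied DN, trust from the verify header
    [cn, ip, env[cfg[:ssl_client_verify_header]] == "SUCCESS"]
  else
    [REVERSE_DNS.fetch(ip, "unknown"), ip, false]
  end
end

# Constructed env mirroring the headers in AJ's nginx debug output above:
# nginx sends X-SSL-Subject, but puppet's default looks for X-Client-DN.
PROXIED_ENV = {
  "REMOTE_ADDR"          => "127.0.0.1",
  "HTTP_X_REAL_IP"       => "210.55.105.193",
  "HTTP_X_FORWARDED_FOR" => "210.55.105.193",
  "HTTP_X_CLIENT_VERIFY" => "SUCCESS",
  "HTTP_X_SSL_SUBJECT"   => "/CN=ns1.maxnet.net.nz",
  "HTTP_X_SSL_ISSUER"    => "/CN=puppet.maxnet.net.nz"
}.freeze

if __FILE__ == $PROGRAM_NAME
  # default header name: unauthenticated localhost(127.0.0.1), as in AJ's log
  p identify_client(PROXIED_ENV)
  # with ssl_client_header = HTTP_X_SSL_SUBJECT the agent is recognised
  p identify_client(PROXIED_ENV, ssl_client_header: "HTTP_X_SSL_SUBJECT")
  # the signing port sends FAILURE, so the name is known but not trusted
  p identify_client(PROXIED_ENV.merge("HTTP_X_CLIENT_VERIFY" => "FAILURE"),
                    ssl_client_header: "HTTP_X_SSL_SUBJECT")
end
```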

Hi

> [...]
> ---- Step 3) Client running puppetd ----
> [...]
> err: Could not retrieve catalog: Certificates were not trusted:
> unknown protocol
>
> As you can see it's not working...

and the errors above indicate that it is a certificate problem. so maybe some ssl setup problem in your nginx?

so this is my nginx-config (a bit obfuscated):

---
user daemon daemon;
worker_processes 4;

error_log /var/log/nginx-puppet.log notice;
pid /var/run/nginx-puppet.pid;

events {
    worker_connections 1024;
}

http {
    # include /etc/mime.types;
    default_type application/octet-stream;

    # no sendfile on OSX uncomment
    # this if your on linux or bsd
    sendfile on;
    tcp_nopush on;

    # Look at TLB size in /proc/cpuinfo (Linux) for the 4k pagesize
    large_client_header_buffers 16 4k;
    proxy_buffers 128 4k;

    keepalive_timeout 250;
    tcp_nodelay on;

    ssl on;
    ssl_certificate /srv/puppet/ssl/certs/puppet.example.com.pem;
    ssl_certificate_key /srv/puppet/ssl/private_keys/puppet.example.com.pem;
    ssl_client_certificate /srv/puppet/ssl/ca/ca_crt.pem;
    ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
    ssl_session_cache shared:SSL:8m;
    ssl_session_timeout 5m;

    upstream puppet-production {
        server 127.0.0.1:18140;
        server 127.0.0.1:18141;
        server 127.0.0.1:18142;
        server 127.0.0.1:18143;
    }

    # working port
    server {
        listen 8140;
        ssl_verify_client on;
        root /var/empty;
        access_log on;
        rewrite_log on;

        # Variables
        # $ssl_cipher returns the line of those utilized it is cipher for established SSL-connection
        # $ssl_client_serial returns the series number of client certificate for established SSL-connection
        # $ssl_client_s_dn returns line subject DN of client certificate for established SSL-connection
        # $ssl_client_i_dn returns line issuer DN of client certificate for established SSL-connection
        # $ssl_protocol returns the protocol of established SSL-connection

        location / {
            proxy_pass http://puppet-production;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Client-Verify SUCCESS;
            proxy_set_header X-SSL-Subject $ssl_client_s_dn;
            proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
            proxy_read_timeout 300;
        }
    }

    # port to sign
    server {
        listen 8141;
        ssl_verify_client off;
        root /var/empty;
        access_log on;
        rewrite_log on;

        location / {
            proxy_pass http://puppet-production;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Client-Verify FAILURE;
            proxy_set_header X-SSL-Subject $ssl_client_s_dn;
            proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
            proxy_read_timeout 300;
        }
    }
}
---

and in the puppetmaster config I only set additionally:

ssl_client_header = HTTP_X_SSL_SUBJECT

and nothing more.

and I'm starting my puppetmaster with the following init.d script:

http://github.com/duritong/puppet-puppet/tree/master/files/cluster/init.d/puppetmaster.CentOS

so it only adds --masterport=1814X and --servertype=mongrel

this is working fine for me.

what do your nginx-logs tell?

greets pete

Yep, my nginx config had an error. I had a simple typo but now I understand a little better. I didn't need to run a second puppetmasterd on port 8141. I'm using Centos and to keep things clean I'm using /etc/nginx/conf.d/puppet.conf. I got it working now in my test setup.

Thanks!!

-Yazz

# ---- /etc/nginx/conf.d/puppet.conf ----
# SSL Cert setup
ssl_certificate /var/lib/puppet/ssl/certs/server.example.com.pem;
ssl_certificate_key /var/lib/puppet/ssl/private_keys/server.example.com.pem;
ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
ssl_session_cache shared:SSL:8m;
ssl_session_timeout 5m;

# Just add more server:port to load balance more
upstream puppet-production {
    server 127.0.0.1:18140;
}

upstream puppet-cert-sign {
    server 127.0.0.1:18140;
}

server {
    listen 8140;
    server_name server.example.com;
    ssl on;
    ssl_verify_client on;
    root /var/empty;
    access_log on;
    rewrite_log on;

    location / {
        proxy_pass http://puppet-production;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Client-Verify SUCCESS;
        proxy_set_header X-SSL-Subject $ssl_client_s_dn;
        proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
    }
}

server {
    # Sign Certs on this port
    listen 8141;
    server_name server.example.com;
    ssl on;
    ssl_verify_client off;   # <<-- Important to set to "off"
    root /var/empty;
    access_log on;
    rewrite_log on;

    location / {
        proxy_pass http://puppet-cert-sign;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Client-Verify SUCCESS;
        proxy_set_header X-SSL-Subject $ssl_client_s_dn;
        proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
    }
}

On Aug 6, 12:21 am, Peter Meier <peter.me...@immerda.ch> wrote:
> Hi
> [...]
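The following is an added check, not code from the thread, from Puppet or from nginx, for the header contract these configs rely on: with ssl_client_header and ssl_client_verify_header set, puppetmaster trusts whatever X-SSL-Subject and X-Client-Verify the proxy sends, so a server block with ssl_verify_client off that still sends "X-Client-Verify SUCCESS" (as the 8141 block in the last post does; Peter's 8141 block sends FAILURE) presents every certificate-less client to the master as verified. It parses the server blocks of a config laid out like the ones above, reports that case and the SSLv2-enabling ssl_ciphers string all of them share; sample_conf, RISKY_CONF, FIXED_CONF and the audit functions are this example's own names, and the config text is constructed.

```ruby
# Added example, not code from the thread: audit of the nginx -> puppetmaster
# header contract. A server block with ssl_verify_client off that hardcodes
# "X-Client-Verify SUCCESS" marks unauthenticated clients as verified, and
# "SSLv2" in ssl_ciphers enables SSLv2 suites. Parser is a minimal brace matcher.

# Text between the "{" at open_idx and its matching "}" (nested blocks included).
def block_body(text, open_idx)
  depth = 0
  (open_idx...text.length).each do |i|
    depth += 1 if text[i] == "{"
    depth -= 1 if text[i] == "}"
    return text[(open_idx + 1)...i] if depth.zero?
  end
  text[(open_idx + 1)..-1] # unterminated block: use what is there
end

# One Hash per server block, holding only the directives the audit needs.
def parse_server_blocks(conf)
  text = conf.gsub(/#[^\n]*/, "")                     # drop comments
  http_ciphers = text[/\bssl_ciphers\s+([^;]+);/, 1]  # inherited by server blocks
  blocks = []
  pos = 0
  while (idx = text.index(/\bserver\s*\{/, pos))      # skips "server 127.0.0.1;" in upstream{}
    brace = text.index("{", idx)
    body = block_body(text, brace)
    blocks << {
      listen:        body[/\blisten\s+([^;\s]+)/, 1],
      verify:        body[/\bssl_verify_client\s+(\w+);/, 1] || "off", # nginx default
      client_verify: body[/\bproxy_set_header\s+X-Client-Verify\s+([^;]+);/, 1]&.strip,
      ciphers:       body[/\bssl_ciphers\s+([^;]+);/, 1] || http_ciphers
    }
    pos = brace + 1
  end
  blocks
end

# True when the OpenSSL cipher string positively selects SSLv2 suites ("!SSLv2"/"-SSLv2" exclude).
def allows_sslv2?(ciphers)
  ciphers.to_s.split(":").map(&:strip).include?("SSLv2")
end

# Human-readable findings; an empty array means the contract holds.
def audit(conf)
  findings = []
  parse_server_blocks(conf).each do |b|
    port = b[:listen]
    if b[:verify] != "on" && b[:client_verify] == "SUCCESS"
      findings << "port #{port}: ssl_verify_client #{b[:verify]} but X-Client-Verify hardcoded SUCCESS"
    end
    if b[:verify] == "on" && b[:client_verify].nil?
      findings << "port #{port}: client certs verified but X-Client-Verify never forwarded"
    end
    findings << "port #{port}: ssl_ciphers enables SSLv2 suites" if allows_sslv2?(b[:ciphers])
  end
  findings
end

# Constructed sample following the two-port layout in the thread; the
# signing port's X-Client-Verify value and the cipher list are parameters.
def sample_conf(sign_port_verify, ciphers)
  <<~NGINX
    http {
      ssl on;
      ssl_ciphers #{ciphers};
      upstream puppet-production { server 127.0.0.1:18140; }
      server {
        listen 8140; ssl_verify_client on;
        location / { proxy_pass http://puppet-production;
                     proxy_set_header X-Client-Verify SUCCESS; }
      }
      server { # Sign Certs on this port
        listen 8141; ssl_verify_client off;
        location / { proxy_pass http://puppet-production;
                     proxy_set_header X-Client-Verify #{sign_port_verify}; }
      }
    }
  NGINX
end
RISKY_CONF = sample_conf("SUCCESS", "SSLv2:-LOW:-EXPORT:RC4+RSA") # as in the last post
FIXED_CONF = sample_conf("FAILURE", "HIGH:!aNULL:!MD5")           # FAILURE as in Peter's post

if __FILE__ == $PROGRAM_NAME
  puts audit(RISKY_CONF)  # three findings
  p audit(FIXED_CONF)     # => []
end
```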