Hello,
My configuration doesn't work! I can't sign certificates with puppetca
when using Mongrel + httpd.
OS : CentOS 5.3
puppet, puppetserver 0.25
httpd-2.2.3-22.el5.centos.1
httpd-devel-2.2.3-22.el5.centos.1
rubygem-mongrel_cluster-1.0.5-2.el5
rubygem-mongrel-1.0.1-6.el5
# cat /etc/httpd/conf.d/puppetmongrel.conf
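# Apache front end for a pool of Mongrel-hosted puppetmaster processes:
# accepts SSL connections on port 8140 and balances the decrypted requests
# across six HTTP backends on the loopback interface.
Listen 8140
PidFile /var/run/puppet/balancer.pid

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule headers_module modules/mod_headers.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so

# Backend pool. The backends speak plain HTTP and rely entirely on the
# headers set below for client identity.
# NOTE(review): confirm the processes on 18140-18145 listen only on 127.0.0.1;
# anything that can reach them directly bypasses the SSL checks done here.
<Proxy balancer://puppetmaster>
    BalancerMember http://127.0.0.1:18140
    BalancerMember http://127.0.0.1:18141
    BalancerMember http://127.0.0.1:18142
    BalancerMember http://127.0.0.1:18143
    BalancerMember http://127.0.0.1:18144
    BalancerMember http://127.0.0.1:18145
</Proxy>

<VirtualHost *:8140>
    ServerName prodglv1
    SSLEngine on
    # NOTE(review): this cipher string selects SSLv2-era suites plus RSA/RC4,
    # which are considered broken today. On a maintained server, restrict
    # SSLProtocol and SSLCipherSuite to what current agents actually need.
    SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
    SSLCertificateFile /var/lib/puppet/ssl/certs/prodglv1.pem
    # The key path is a single argument (it was split across two lines by
    # mail wrapping in the original post).
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/prodglv1.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    # "optional" lets a client connect without presenting a certificate; the
    # verification result is only passed on to the backend in X-Client-Verify,
    # so the accept/reject decision is made there, not by Apache.
    SSLVerifyClient optional
    SSLVerifyDepth 1
    # Exports the SSL_* environment variables used by the RequestHeader lines.
    SSLOptions +StdEnvVars
    # "set" replaces any value the client sent for these headers, so the
    # backend only ever sees what mod_ssl computed.
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    # NOTE(review): balancer-manager is mod_proxy_balancer's administrative
    # interface. Mapping it onto / with "Allow from all" leaves it open to any
    # client that can reach port 8140; the usual practice is a dedicated path
    # restricted to trusted addresses. Also confirm how this handler interacts
    # with the ProxyPass for / below.
    <Location />
        SetHandler balancer-manager
        Order allow,deny
        Allow from all
    </Location>

    # NOTE(review): the balancer is declared above as balancer://puppetmaster
    # but is referenced here with ":8140" appended -- verify that both names
    # resolve to the same balancer on this httpd version.
    ProxyPass / balancer://puppetmaster:8140/
    ProxyPassReverse / balancer://puppetmaster:8140/
    ProxyPreserveHost On
    ProxyTimeout 120
    # Talk HTTP/1.0 without keep-alive to the backends.
    SetEnv force-proxy-request-1.0 1
    SetEnv proxy-nokeepalive 1
</VirtualHost>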
# cat /etc/puppet.conf
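[main]
# Where Puppet stores dynamic and growing data.
# The default value is '/var/puppet'.
vardir = /var/lib/puppet
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
# With vardir as set above this resolves to /var/lib/puppet/ssl, the same
# tree the Apache SSL* directives read the server key, CA certificate and
# CRL from.
ssldir = $vardir/ssl
autoflush = true

[puppetmasterd]
# Node definitions are looked up in LDAP.
# NOTE(review): no ldaptls/ldapssl setting appears here, so these lookups
# presumably go to prodglv1 unencrypted -- confirm that is acceptable
# (prodglv1 is also the Apache ServerName, so this may be local traffic).
node_terminus = ldap
ldapserver = prodglv1
ldapbase = ou=test,c=fr

[dev]
# Presumably the "dev" environment (the agent's requests are for /dev/...).
# modulepath is one colon-separated value; it was split across two lines by
# mail wrapping in the original post.
modulepath = /etc/puppet/system/dev/modules:/etc/puppet/system/default/modules
templatedir = /etc/puppet/system/dev/templates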
# cat /etc/sysconfig/puppetmaster
# Shell variable assignments for the puppetmaster service
# (presumably sourced by its init script -- confirm).
# Site manifest path.
PUPPETMASTER_MANIFEST=/etc/puppet/manifests/site.pp
# Log file path.
PUPPETMASTER_LOG=/var/log/puppet/puppetmaster.log
# Bash array of backend ports: the same six ports (18140-18145) that the
# Apache BalancerMember lines point at on 127.0.0.1.
PUPPETMASTER_PORTS=( 18140 18141 18142 18143 18144 18145 )
On my puppet Client myServer :
# service puppet once
warning: peer certificate won't be verified in this SSL session
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:55:in `deserialize': Error 502 on SERVER: Proxy Error (Net::HTTPError)
from /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find'
from /usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:198:in `find'
from /usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:51:in `find'
from /usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:175:in `certificate'
from /usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:238:in `wait_for_cert'
from /usr/lib/ruby/site_ruby/1.8/puppet/application/puppetd.rb:243:in `run_setup'
from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:216:in `run'
from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:216:in `run'
from /usr/sbin/puppetSystemd:159
On my puppet server :
# tail -f /var/log/puppet/balancer_error.log
[Mon Mar 08 17:14:56 2010] [error] [client 192.168.0.203] (70014)End of file found: proxy: error reading status line from remote server 127.0.0.1
[Mon Mar 08 17:14:56 2010] [error] [client 192.168.0.203] proxy: Error reading from remote server returned by /topadSystem/certificate/myServer
# tail -f /var/log/puppet/balancer_access.log
192.168.0.203 - - [08/Mar/2010:17:14:56 +0100] "GET /dev/certificate/myServer HTTP/1.1" 502 534 "-" "-"
# tail -f /var/log/puppet/balancer_ssl_request.log
[08/Mar/2010:17:14:56 +0100] 192.168.0.203 TLSv1 RC4-SHA "GET /dev/certificate/myServer HTTP/1.1" 534
I thought the SetEnv directives would do the trick, but they don't...
What's wrong?
Thanks for any help
Charles