PieterB
2010-Dec-13 12:55 UTC
[Puppet Users] Unknown protocol since migration to Passenger
Puppet is working perfectly with WEBRick,
but not with my passenger setup.
The error I receive:
Could not retrieve catalog from remote server: unknown protocol
But the puppet client on the puppetmaster itself is working perfectly.
So I guess this is a certificate issue?
Versions:
--------------
RHEL 5.5
puppet 2.6.4
rack 1.0.1
passenger 2.2.11
Config apache
---------------------
LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-2.2.11/ext/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-2.2.11
PassengerRuby /usr/bin/ruby
# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 15
PassengerPoolIdleTime 300
PassengerMaxRequests 10000
PassengerStatThrottleRate 120
PassengerUseGlobalQueue on
RackAutoDetect On
RailsAutoDetect Off
Listen 8140
<VirtualHost *:8140>
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCertificateFile /var/lib/puppet/ssl/certs/admblockum05.msnet.railb.be.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/admblockum05.msnet.railb.be.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars
DocumentRoot /etc/puppet/rack/public/
RackBaseURI /
<Directory /etc/puppet/rack/>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
Patrick
2010-Dec-13 18:56 UTC
Re: [Puppet Users] Unknown protocol since migration to Passenger
On Dec 13, 2010, at 4:55 AM, PieterB wrote:
> Puppet is working perfectly with WEBRick,
> but not with my passenger setup.
>
> The error I receive:
> Could not retrieve catalog from remote server: unknown protocol
>
> But the puppet client on the puppetmaster itself is working perfectly.
> So I guess this is a certificate issue?
>
Is there anything in the logs at /var/log/puppet or /var/log/apache
What do you get if you point a webbrowser at https://server_fqdn:8140/ from the server?
What if you visit that from a client?
The normal response is an almost blank page that says:
> The environment must be purely alphanumeric, not ''''
Pieter Baele
2010-Dec-14 07:28 UTC
Re: [Puppet Users] Unknown protocol since migration to Passenger
On Mon, Dec 13, 2010 at 19:56, Patrick <kc7zzv@gmail.com> wrote:
>
> On Dec 13, 2010, at 4:55 AM, PieterB wrote:
>
> > Puppet is working perfectly with WEBRick,
> > but not with my passenger setup.
> >
> > The error I receive:
> > Could not retrieve catalog from remote server: unknown protocol
> >
> > But the puppet client on the puppetmaster itself is working perfectly.
> > So I guess this is a certificate issue?
> >
>
> Is there anything in the logs at /var/log/puppet or /var/log/apache
> What do you get if you point a webbrowser at https://server_fqdn:8140/ from
> the server?
> What if you visit that from a client?
> The normal response is an almost blank page that says:
>> The environment must be purely alphanumeric, not ''''
>
With a web browser:
An error occurred during a connection to server_fqdn:8140.
SSL received a record that exceeded the maximum permissible length.
(Error code: ssl_error_rx_record_too_long)
In apache access_log:
I receive a GET /production/catalog/..... b64_zlib_yaml HTTP/1.1" 200 21384 "-" "-"
followed by a PUT for the report from the client on server itself
But for other clients:
x.x.x.x - - [14/Dec/2010:08:21:21 +0100] "\x80g\x01\x03\x01" 200 7034 "-" "-"
x.x.x.x - - [14/Dec/2010:08:21:44 +0100] "\x80g\x01\x03\x01" 200 7034 "-" "-"
x.x.x.x - - [14/Dec/2010:08:22:40 +0100] "\x80g\x01\x03\x01" 200 7034 "-" "-"
x.x.x.x - - [14/Dec/2010:08:22:43 +0100] "\x80g\x01\x03\x01" 200 7034 "-" "-"
x.x.x.x - - [14/Dec/2010:08:22:54 +0100] "\x80g\x01\x03\x01" 200 7034 "-" "-"
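Added example, not part of the original thread: the request field "\x80g\x01\x03\x01" logged for the other clients decodes as the first bytes of an SSLv2-compatible ClientHello, meaning Apache parsed a TLS handshake as a plain HTTP request on that listener, which is consistent with the browser's ssl_error_rx_record_too_long. The Python sketch below flags such entries in an access log; the sample lines, the client.example.test name and all function names are constructed for illustration.

```python
import re

# Request field of an Apache common/combined log line (first quoted string).
REQUEST_RE = re.compile(r'\] "((?:[^"\\]|\\.)*)" (\d{3}) ')

# Constructed sample: line 1 is a normal agent request, lines 2-3 copy the
# request field reported in the thread for the failing clients.
SAMPLE = [
    r'x.x.x.x - - [14/Dec/2010:08:20:02 +0100] "GET /production/catalog/client.example.test HTTP/1.1" 200 21384 "-" "-"',
    r'x.x.x.x - - [14/Dec/2010:08:21:21 +0100] "\x80g\x01\x03\x01" 200 7034 "-" "-"',
    r'x.x.x.x - - [14/Dec/2010:08:21:44 +0100] "\x80g\x01\x03\x01" 200 7034 "-" "-"',
]

def unescape(field):
    """Turn Apache's \\xHH log escapes back into the raw bytes received."""
    return re.sub(rb'\\x([0-9a-fA-F]{2})',
                  lambda m: bytes([int(m.group(1), 16)]),
                  field.encode('latin-1'))

def classify(raw):
    """Label the first bytes of a logged 'request' as HTTP or a TLS hello."""
    # SSLv2-compatible ClientHello: high bit of byte 0 set, 15-bit length,
    # message type 0x01, then the offered version (0x03 0x01 = TLS 1.0).
    if len(raw) >= 5 and raw[0] & 0x80 and raw[2] == 0x01 and raw[3] == 0x03:
        length = ((raw[0] & 0x7F) << 8) | raw[1]
        return "sslv2-compat ClientHello, offers 3.%d, %d bytes" % (raw[4], length)
    # TLS record layer: content type 0x16 (handshake), major version 3.
    if len(raw) >= 3 and raw[0] == 0x16 and raw[1] == 0x03:
        return "tls handshake record, version 3.%d" % raw[2]
    if re.match(rb'[A-Z]+ \S+ HTTP/\d\.\d$', raw):
        return "http"
    return "unknown"

def tls_seen_as_http(lines):
    """Return (line_no, label) where a TLS hello was logged as an HTTP request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if m:
            label = classify(unescape(m.group(1)))
            if label not in ("http", "unknown"):
                hits.append((n, label))
    return hits

if __name__ == "__main__":
    for n, label in tls_seen_as_http(SAMPLE):
        print("line %d: %s" % (n, label))
```

Any hit means the virtual host that answered that connection was not running SSLEngine, so the vhost matching for that client address is the place to look.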
Pieter Baele
2010-Dec-14 10:50 UTC
Re: [Puppet Users] Unknown protocol since migration to Passenger
On Tue, Dec 14, 2010 at 08:28, Pieter Baele <pieter.baele@gmail.com> wrote:
>
> With a web browser:
> An error occurred during a connection to server_fqdn:8140.
>
> SSL received a record that exceeded the maximum permissible length.
>
> (Error code: ssl_error_rx_record_too_long)
If I change the virtual host directive from *:8140 to fqdnhostname:8140, the other puppetclients work, but the client on the puppetmaster itself fails then, it also gives problems with other applications...