search for: sslverifyclient

Hello, In the wiki "Using_Mongrel" http://projects.reductivelabs.com/projects/puppet/wiki/Using_Mongrel it proposes a configuration with the option: SSLVerifyClient require But with this option set I am not able to register new clients. When I run a new puppet client, I get the error: warning: peer certificate won''t be verified in this SSL session err: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 a...

...understand, Puppet''s client/server authentication system - using SSL - is portable. I believe that I should be able to use the same SSL certificates and keys (and even the same CA) with regard to other SSL/TLS connections, as well. In particular, I want to use Apache''s ''SSLVerifyClient require'' option, but not in my Mongrel setup, but for an entirely different SSL site which also happens to be on the same machine as my Puppet master. Assuming both my Puppet master and my Puppet agent represent the server and client in this connection, respectively, then I believe I shou...

Hi, I''ve setup the puppetmaster to start 5 processes each listening on a different port, with an Apache server in front. This works fine for existing clients, however when I try to add a new client (ie. a newly installed machine with no previous puppet configuration) I get this error: err: Could not request certificate: sslv3 alert handshake failure error Any ideas what''s

...shows me the contents of my request. But when on SSL I type the same thing and I get: => nil I don''t know why, but this does not happen all the time, seldom it shows my params variable even when on SSL. This is how I configured SSL Client Auth on Apache: <Location /myapp> SSLVerifyClient require SSLVerifyDepth 10 </Location> <Files ~ "\.(cgi|fcgi|shtml|phtml|php3?)$"> SSLOptions +StdEnvVars +ExportCertData </Files> Please help, I''m stuck and frustrated, could this be a bug? Thanks. -Ofir -- Posted via http://www.ruby-forum.com/. -...

...RT. In addition it says that this means that "SSL peer was unable to negotiate an acceptable set of security parameters." If I try to open the site in IE, it prompts for a client certificate. This fails because I am not using client certs. In the apache config for ssl.conf I have "SSLVerifyClient none". I have also tried setting it to "optional" with the same results. In the past moving these sites to a different machine was as simple as copying the certs and the config files over to the new machine, reloading httpd and everyting just worked. Is there something different abo...

I have a simple Intranet app I want to make accessible via the Internet for remote access by our employees. I want to use ssl (https) connections and I''ve found enough messages to imply Webrick as included in rails can do the job. The message at http://wrath.rubyonrails.org/pipermail/rails/2005-January/001993.html even appears to tell me exactly how to do it by modifying

Morning all Am in the process of testing a migration of Puppet 3 from webrick to Puppet. Have found the foreman modules (https://github.com/theforeman) which seems to take care of a lot of the leg-work... However having got Puppet running with Passenger in Apache, whenever trying to access the Puppet master from a client, I was getting a ''403 Forbidden error''. Have dug

.../var/lib/puppet/ssl/ca/ ca_crt.pem SSLCACertificateFile /drbd01/puppet/var/lib/puppet/ssl/ca/ ca_crt.pem # CRL checking should be enabled; if you have problems with Apache complaining about the CRL, disable the nex t line # SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem SSLVerifyClient optional SSLVerifyDepth 1 SSLOptions +StdEnvVars # The following client headers allow the same configuration to work with Pound. RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-Verify %{SSL_CL...

...em SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/ <puppetmaster>.pem SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem SSLVerifyClient optional SSLVerifyDepth 1 SSLOptions +StdEnvVars +ExportCertData # These request headers are used to pass the client certificate # authentication information on to the puppet master process RequestHeader set X-SSL-Subjec...

...pmaster.localdomain.pem SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/pmaster.localdomain.pem SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem SSLVerifyClient optional SSLVerifyDepth 1 SSLOptions +StdEnvVars +ExportCertData DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/ <Directory /usr/share/puppet/rack/puppetmasterd/> Options None AllowOverride None Order Allow,Deny...

...ificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem # CRL checking should be enabled; if you have problems with Apache complaining about the CRL, disable the next line SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem SSLVerifyClient optional SSLVerifyDepth 1 SSLOptions +StdEnvVars # The following client headers allow the same configuration to work with Pound. RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-Verify %{SSL_C...

...LCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem # If Apache complains about invalid signatures on the CRL, you can try disabling # CRL checking by commenting the next line, but this is not recommended. SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem SSLVerifyClient optional SSLVerifyDepth 1 SSLOptions +StdEnvVars DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/ RackBaseURI / <Directory /usr/share/puppet/rack/puppetmasterd/> Options None AllowOverride None...

...self.dispatch(options) Socket.do_not_reverse_lookup = true server = WEBrick::HTTPServer.new( :Port => options[:port].to_i, :ServerType => options[:server_type], :BindAddress => options[:ip], :SSLEnable => true, :SSLVerifyClient => OpenSSL::SSL::VERIFY_NONE, :SSLCertificate => options[:cert], :SSLPrivateKey => options[:pkey], :SSLCertName => [ [ "CN", WEBrick::Utils::getservername ] ] ) server.mount(''/'', DispatchServlet, options) trap(&...

Hello All, I don''t seem to be able to get reports to display on the foreman interface. I copied extras/puppet/foreman/files/foreman-report.rb to / usr/lib/ruby/site_ruby/1.8/puppet/reportsforeman.rb, instead of /usr/ lib/ruby/1.8/puppet/reports/foreman.rb. Config: Centos5.4, Apache/ Passenger, Puppet 0.25.4. The reports are coming from the clients, because I can see them in

Dear all, I see this error message in my *masterhttp.log* repeatedly: ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 > read client certificate A: tlsv1 alert unknown ca > I saw a similar mail in the list but there was no definitive answer to that post. Does anyone know what am I missing here? I do understand what *unknown ca* means but I can''t think

...ACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem # If Apache complains about invalid signatures on the CRL, you can try disabling # CRL checking by commenting the next line, but this is not recommended. SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem SSLVerifyClient optional SSLVerifyDepth 1 SSLOptions +StdEnvVars DocumentRoot /etc/puppet/rack/public/ RackBaseURI / <Directory /etc/puppet/rack/> Options None AllowOverride None Order allow,deny allow f...

...uppet/ssl/ca/ca_crt.pem > # If Apache complains about invalid signatures on the CRL, you can > try disabling > # CRL checking by commenting the next line, but this is not > recommended. > SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem > SSLVerifyClient optional > SSLVerifyDepth 1 > SSLOptions +StdEnvVars > > ErrorLog logs/puppet_error_log > TransferLog logs/puppet_access_log > LogLevel warn > # This header needs to be set if using a loadbalancer or proxy > #Req...

Hi, Is there a way to have puppetmaster sign new clients'' certificates when using apache+mongrel for serving, without having a separate puppetmaster instance running webrick on a different port/IP? I guess this does not work out of the box because apache is told to do the verification very early in the connection process, at which point it does not yet know that the client is going to

...r/lib/puppet/ssl/certs/hostname.pem SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/hostname.pem SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem SSLVerifyClient optional SSLVerifyDepth 1 SSLOptions +StdEnvVars +ExportCertData # These request headers are used to pass the client certificate # authentication information on to the puppet master process RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e Re...

...ertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem # If Apache complains about invalid signatures on the CRL, you can try disabling # CRL checking by commenting the next line. SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem SSLVerifyClient optional SSLVerifyDepth 1 SSLOptions +StdEnvVars # The following client headers allow the same configuration to work with Pound. RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e Ra...