Hi All,

I've run into a bit of a tangle.

I currently have two puppet masters which are "load balanced" with round
robin DNS (one is also the CA). I'm using dns_alt_names to let them each
answer to puppet.my.domain.com

For the past year this has been fine.

About a week ago I tried to add a third & while all my Linux clients are
happy with the new arrangement, my smaller number of FreeBSD9 systems fail

puppet-agent[73345]: Failed to apply catalog: SSL_connect returned=1
errno=0 state=SSLv2/v3 read server hello A: (null)

when hitting the newly deployed server. If I give the specific host name
as the --server argument (rather than the alternative name that get the
round robin dns) puppet agent connects runs properly.

I've tracked this down to the FreeBSD client using SNI where as the Linux
clients do not and the older servers don't support SNI so it is ignored.

All server are using apache mod_ssl and passenger, but I'm not sure how to

I could generate a "puppet.my.domain.com" certificate, distribute it to all
the servers and set up name based virtual hosts that SNI is designed to
facilitate, but then I can't selectively revoke the certs if there's a
security issue with one server, so I'd rather keep my per host certificates
with dns_alt_names.

This is probably more of an apache question now, but does anyone here know
how to get Apache to accept an SNI for a name that is a dns_alt_name of a
cert rather than the CN? Or more puppetly if there's a config option to
not send an SNI from the client? Though that seems the wrong way to fix
the problem.


You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Search Discussions

Discussion Posts

Follow ups

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 1 of 4 | next ›
Discussion Overview
grouppuppet-users @
postedMay 17, '13 at 7:46p
activeJun 5, '13 at 10:02p



site design / logo © 2022 Grokbase