I have been trying to set up Puppet 3.0 with Passenger since this morning, and it is
really painful for me.
I am using the directive:
SSLOptions +StdEnvVars +ExportCertData
No problem, but when adding '+ExportCertData', I am unable to autosign or
remotely revoke any certificate. I get the following error:
info: Creating a new SSL key for linux-install.fqdn
err: Could not request certificate: Error 400 on SERVER: header too long
Exiting; failed to retrieve certificate and waitforcert is disabled
When using only:
SSLOptions +StdEnvVars
Everything works perfectly.
So here is the apache configuration file:
--
# you probably want to tune these settings
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off
PassengerHighPerformance on
Listen 8140
<VirtualHost *:8140>
ServerName puppetmaster.fqdn
ServerAlias puppetmaster
ErrorLog /var/log/apache2/puppetmaster_error.log
LogLevel warn
SetEnvIf Remote_Addr "::1" dontlog
CustomLog /var/log/apache2/puppetmaster_access.log combined env=!dontlog
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCertificateFile /data/local/puppet/ssl/certs/puppetmaster.fqdn.pem
SSLCertificateKeyFile /data/local/puppet/ssl/private_keys/puppetmaster.fqdn.pem
SSLCertificateChainFile /data/local/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /data/local/puppet/ssl/ca/ca_crt.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
SSLCARevocationFile /data/local/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
# The `ExportCertData` option is needed for agent certificate expiration warnings
SSLOptions +StdEnvVars +ExportCertData
# This header needs to be set if using a loadbalancer or proxy
# RequestHeader unset X-Forwarded-For
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
RackAutoDetect On
DocumentRoot /var/www/puppetmaster/public/
RackBaseURI /
<Directory /var/www/puppetmaster/>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>
--
So any clue?
Regards,
JM
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.