Bug #4447

hostcert, hostcsr, hostprivkey, hostpubkey are not settings

Added by Mathias Gug almost 2 years ago. Updated over 1 year ago.

Status: Needs More Information
Start date: 08/03/2010
Priority: Normal
Due date:
Assignee: Nigel Kersten
% Done: 0%
Category: SSL
Target version: -
Affected Puppet version:
Branch:
Keywords:
Votes: 0

Description

While trying to simplify configuring a system to run the puppetmaster process under passenger, I’ve noticed that setting hostcert, hostcsr, hostprivkey, hostpubkey in /etc/puppet/puppet.conf doesn’t work.

I’ve tried to simplify the apache2 site configuration file so that SSLCertificateFile and SSLCertificateKeyFile point to well-known places.

With the following puppet.conf file:

[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
templatedir=$confdir/templates
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post
# Store host ssl files in well-known places so that
# apache2 ssl can be easily configured
hostcert=$ssldir/my_cert.pem
hostcsr=$ssldir/my_csr.pem
hostprivkey=$ssldir/my_priv_key.pem
hostpubkey=$ssldir/my_pub_key.pem

[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick (default) or mongrel is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

The apache2 configuration would be identical for every puppetmaster system:

Listen 8140

# The <VirtualHost> and <Directory> container tags were stripped when the
# tracker rendered this block; they are restored here. The VirtualHost
# address follows from the Listen line above; the Directory path is assumed
# to be the DocumentRoot.
<VirtualHost *:8140>
        SSLEngine on
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

        SSLCertificateFile      /var/lib/puppet/ssl/my_cert.pem
        SSLCertificateKeyFile   /var/lib/puppet/ssl/my_priv_key.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
        SSLCACertificateFile    /var/lib/puppet/ssl/certs/ca.pem
        SSLCARevocationFile     /var/lib/puppet/ssl/crl.pem
        # Set to 2 if this puppetmaster doesn't issue certificates
        # to puppet clients
        SSLVerifyDepth 1
        SSLOptions +StdEnvVars
        # Set to require if this puppetmaster doesn't issue certificates
        # to puppet clients
        SSLVerifyClient optional

        PassengerHighPerformance on
        PassengerStatThrottleRate 120
        PassengerUseGlobalQueue on
        RackAutoDetect Off
        RackBaseURI /
        RailsAutoDetect Off

        DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
        <Directory /usr/share/puppet/rack/puppetmasterd/public>
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>
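Added example, not part of the report or of Puppet itself: a small Python check that expands the $name references in puppet.conf and confirms that Apache's SSLCertificateFile and SSLCertificateKeyFile name the same files as hostcert and hostprivkey, reporting which section each setting sits in. The PAIRS table and the function names are my own; the embedded configs are constructed from the lines in the report.

```python
import re
# Constructed inputs: the report's puppet.conf and apache2 vhost, trimmed to the lines the check needs.
PUPPET_CONF = """
[main]
ssldir=/var/lib/puppet/ssl
hostcert=$ssldir/my_cert.pem
hostprivkey=$ssldir/my_priv_key.pem
[master]
ssl_client_header = SSL_CLIENT_S_DN
"""
APACHE_CONF = """
SSLCertificateFile      /var/lib/puppet/ssl/my_cert.pem
SSLCertificateKeyFile   /var/lib/puppet/ssl/my_priv_key.pem
"""
# Apache directive -> puppet setting that must name the same file (assumed mapping)
PAIRS = {"SSLCertificateFile": "hostcert", "SSLCertificateKeyFile": "hostprivkey"}

def parse_puppet_conf(text):
    """Map each setting to (section, value) with $name references expanded."""
    section, raw = "main", {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and whitespace
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
        elif line:
            key, _, value = line.partition("=")
            raw[key.strip()] = (section, value.strip())
    def expand(value, depth=0):
        if depth > 10:  # a setting that refers back to itself would never terminate
            raise ValueError("recursive $reference in puppet.conf")
        return re.sub(r"\$(\w+)", lambda m: expand(raw[m.group(1)][1], depth + 1)
                      if m.group(1) in raw else m.group(0), value)
    return {k: (sec, expand(v)) for k, (sec, v) in raw.items()}

def parse_apache_ssl(text):
    """Map the certificate and key directives to the path each one names."""
    tokens = (line.split() for line in text.splitlines())
    return {t[0]: t[1] for t in tokens if len(t) >= 2 and t[0] in PAIRS}

def check_ssl_paths(puppet_text, apache_text):
    """Return one message per Apache directive that disagrees with puppet.conf."""
    settings, problems = parse_puppet_conf(puppet_text), []
    for directive, path in parse_apache_ssl(apache_text).items():
        sec, value = settings.get(PAIRS[directive], (None, None))
        if value is None:
            problems.append(f"{directive}: {PAIRS[directive]} is not set in puppet.conf")
        elif value != path:
            problems.append(f"{directive}={path} but [{sec}] {PAIRS[directive]}={value}")
    return problems
```

The check compares configured values only; whether Puppet honours them and actually writes the files there is what the report questions, so confirm the files exist at those paths as well.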

History

Updated by James Turnbull almost 2 years ago

  • Category set to SSL
  • Status changed from Unreviewed to Needs Decision
  • Assignee set to Mathias Gug

What version is this?

Markus – this is a regression from 0.25.x if this is 2.6.x

Updated by Mathias Gug over 1 year ago

I’ve tested with 0.25.4 and 2.6.1.rc2. Both versions are failing.

Updated by James Turnbull over 1 year ago

  • Assignee changed from Mathias Gug to Nigel Kersten

Updated by Nigel Kersten over 1 year ago

  • Status changed from Needs Decision to Needs More Information

Is it that they don’t work in [main] or that they don’t work in the config file at all?
