Issue #4447 has been updated by James Turnbull.

Category set to SSL
Status changed from Unreviewed to Needs design decision
Assigned to set to Mathias Gug
What version is this? Markus - this is a regression from 0.25.x if this is 2.6.x

----------------------------------------
Bug #4447: hostcert, hostcsr, hostprivkey, hostpubkey are not settings
http://projects.puppetlabs.com/issues/4447

Author: Mathias Gug
Status: Needs design decision
Priority: Normal
Assigned to: Mathias Gug
Category: SSL
Target version:
Affected version:
Keywords:
Branch:

While trying to simplify configuring a system to run the puppetmaster process under passenger, I've noticed that setting hostcert, hostcsr, hostprivkey, hostpubkey in /etc/puppet/puppet.conf doesn't work. I've tried to simplify the apache2 site configuration file so that SSLCertificateFile and SSLCertificateKeyFile point to well-known places.

With the following puppet.conf file:

<pre>
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
templatedir=$confdir/templates
prerun_command=/etc/puppet/etckeeper-commit-pre
postrun_command=/etc/puppet/etckeeper-commit-post

# Store host ssl files in well-known places so that
# apache2 ssl can be easily configured
hostcert=$ssldir/my_cert.pem
hostcsr=$ssldir/my_csr.pem
hostprivkey=$ssldir/my_priv_key.pem
hostpubkey=$ssldir/my_pub_key.pem

[master]
# These are needed when the puppetmaster is run by passenger
# and can safely be removed if webrick (default) or mongrel is used.
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
</pre>

The apache2 configuration would be identical for every puppetmaster system:

<pre>
Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

    SSLCertificateFile /var/lib/puppet/ssl/my_cert.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/my_priv_key.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
    SSLCARevocationFile /var/lib/puppet/ssl/crl.pem

    # Set to 2 if this puppetmaster doesn't issue certificates
    # to puppet clients
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars

    # Set to require if this puppetmaster doesn't issue certificates
    # to puppet clients
    SSLVerifyClient optional

    PassengerHighPerformance on
    PassengerStatThrottleRate 120
    PassengerUseGlobalQueue on
    RackAutoDetect Off
    RackBaseURI /
    RailsAutoDetect Off
    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
    <Directory /usr/share/puppet/rack/puppetmasterd/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
</pre>

--
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
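As an added example (not part of the bug report and not Puppet's own code), the script below resolves the host* settings the way puppet.conf precedence and $var interpolation work ([master] over [main] over the built-in default) and checks that the Apache vhost's SSLCertificateFile and SSLCertificateKeyFile point at the same files, which is the consistency the report is trying to achieve. The embedded puppet.conf and vhost are constructed copies of the ones above; the DEFAULTS table is my recollection of the 2.6-era defaults.rb and the certname `puppet.example.com` is an assumption, so confirm the real values on a host with `puppet master --configprint hostcert`.

```python
"""Resolve puppet.conf host SSL paths and compare them with an Apache vhost.

Added example, not Puppet project code: models puppet.conf section/default
precedence and $var interpolation, then checks whether mod_ssl is handed the
same cert and key that puppet resolves for hostcert and hostprivkey.
"""
import re

# Constructed sample inputs modelled on the configs in the bug report.
PUPPET_CONF = """
[main]
logdir=/var/log/puppet
vardir=/var/lib/puppet
ssldir=/var/lib/puppet/ssl
factpath=$vardir/lib/facter
templatedir=$confdir/templates
# Store host ssl files in well-known places
hostcert=$ssldir/my_cert.pem
hostcsr=$ssldir/my_csr.pem
hostprivkey=$ssldir/my_priv_key.pem
hostpubkey=$ssldir/my_pub_key.pem

[master]
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
"""

APACHE_VHOST = """
<VirtualHost *:8140>
    SSLEngine on
    SSLCertificateFile /var/lib/puppet/ssl/my_cert.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/my_priv_key.pem
    SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
</VirtualHost>
"""

# ASSUMED defaults (Puppet 2.6 defaults.rb, from memory): what puppet falls
# back to when the host* settings are absent or, as reported, ignored.
DEFAULTS = {
    "confdir": "/etc/puppet",
    "vardir": "/var/lib/puppet",
    "ssldir": "$vardir/ssl",
    "certdir": "$ssldir/certs",
    "privatekeydir": "$ssldir/private_keys",
    "publickeydir": "$ssldir/public_keys",
    "hostcert": "$certdir/$certname.pem",
    "hostprivkey": "$privatekeydir/$certname.pem",
    "hostpubkey": "$publickeydir/$certname.pem",
    "hostcsr": "$ssldir/csr_$certname.pem",
}

SECTION_RE = re.compile(r"^\s*\[(\w+)\]\s*$")
SETTING_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*(.*?)\s*$")
VAR_RE = re.compile(r"\$(\w+)")


def parse_puppet_conf(text):
    """Return {section: {setting: raw_value}}; lines before a header go to [main]."""
    sections, current = {"main": {}}, "main"
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue  # blank or full-line comment
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        m = SETTING_RE.match(line)
        if m:
            sections[current][m.group(1)] = m.group(2)
    return sections


def effective(sections, name, section="master", certname="puppet.example.com", _seen=()):
    """Resolve `name`: [section] beats [main] beats the built-in default, and
    every $var inside the value is resolved the same way (cycles are an error)."""
    if name == "certname":
        return certname
    if name in _seen:
        raise ValueError("setting cycle through %r" % name)
    for scope in (section, "main"):
        if name in sections.get(scope, {}):
            raw = sections[scope][name]
            break
    else:
        raw = DEFAULTS[name]  # KeyError: a setting this model does not know
    return VAR_RE.sub(
        lambda m: effective(sections, m.group(1), section, certname, _seen + (name,)), raw)


APACHE_SSL_RE = re.compile(
    r"^\s*(SSLCertificateFile|SSLCertificateKeyFile|SSLCACertificateFile)\s+(\S+)", re.M)
# Which puppet setting each mod_ssl directive must agree with.
PAIRS = {"SSLCertificateFile": "hostcert", "SSLCertificateKeyFile": "hostprivkey"}


def check_consistency(sections, vhost_text, certname):
    """List each mod_ssl directive pointing somewhere other than the file puppet
    resolves for it; an empty list means Apache and puppet agree."""
    paths = dict(APACHE_SSL_RE.findall(vhost_text))
    problems = []
    for directive, setting in PAIRS.items():
        want = effective(sections, setting, certname=certname)
        got = paths.get(directive)
        if got != want:
            problems.append("%s is %r but puppet resolves %s to %r" % (directive, got, setting, want))
    return problems


def without_host_overrides(sections):
    """Simulate the reported bug: puppet ignoring the host* settings entirely."""
    return {s: {k: v for k, v in kv.items() if not k.startswith("host")} for s, kv in sections.items()}


if __name__ == "__main__":
    conf = parse_puppet_conf(PUPPET_CONF)
    for name in ("hostcert", "hostcsr", "hostprivkey", "hostpubkey"):
        print("%-12s %s" % (name, effective(conf, name)))
    print("settings honoured:", check_consistency(conf, APACHE_VHOST, "puppet.example.com"))
    print("settings ignored: ", check_consistency(without_host_overrides(conf), APACHE_VHOST, "puppet.example.com"))
```

Run as-is it prints the four resolved paths, an empty problem list for the vhost above, and then two mismatches for the simulated case where puppet ignores the overrides and falls back to certs/puppet.example.com.pem and private_keys/puppet.example.com.pem; that second run is what an operator would see if the reported bug bites while Apache keeps serving my_cert.pem. Note that because [master] delegates client authentication to Apache via ssl_client_header and ssl_client_verify_header, the SSLCACertificateFile, SSLCARevocationFile and SSLVerifyClient lines of that vhost are the security-critical part; this script only checks that the server cert and key agree.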
