On Sat, Jun 2, 2012 at 7:59 AM, Andrew Wasilczuk <a...@zx23.net> wrote:
> Hi Jeff,
>
>> You may be running into a bug in Puppet but I'm not entirely sure yet...
>> What web server are you using to terminate the SSL connection from the
>> agent to the master? Is it simply the built-in one provided by `puppet
>> master` or are you using Apache or something?
>
> SSL is terminated by Apache. My Apache config is similar to what comes with
> puppet in ext/rack/files/apache2.conf, and contains:
>
> RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
> RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
> RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
>
> My puppet.conf contains:
>
> ssl_client_header = SSL_CLIENT_S_DN_
> ssl_client_verify_header = SSL_CLIENT_VERIFY
>
> in the [master] section.
>
>
>> It appears that we're not correctly parsing out the emailAddress field
>> inside the subject and instead we're treating it as part of the common
>> name (CN).
>
> Yup, that's what it looks like.
Andrew,

This is definitely a bug. The regular expression we're using to extract the
common name (CN) from the distinguished name (DN) is

/^.*?CN\s*=\s*(.*)/ [1]

This is a greedy regular expression which explains why it's also grabbing the
email address. I think we need to fix this to only match up to the next /
character or the end of the string.

Before I go fix this right now, are we sure this is a valid encoding for the
fields in the DN? What software are you using to produce these certificates?

I've filed the bug here and added you as a watcher Andrew:
http://projects.puppetlabs.com/issues/14852

[1] https://github.com/puppetlabs/puppet/blob/master/lib/puppet/network/http/rack/rest.rb#L89

-Jeff
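The following is an added Ruby example, not Puppet's own code and not part of the thread, that reproduces the behaviour Jeff describes: the quoted regex captures everything after `CN=` to the end of the DN, so an `emailAddress` field that follows the CN ends up inside the extracted name, while a pattern that stops at the next `/` (or end of string) returns only the CN. It also shows, as an illustration of why this matters, that the CN taken from the `X-Client-DN` header is what the master treats as the client's certificate name, so only a request whose `X-Client-Verify` header is `SUCCESS` should yield one. The sample DNs, the slash-separated layout (the form Apache's `SSL_CLIENT_S_DN` uses in the versions of the era), the plain-Hash header lookup and the function names are all assumptions made for this stand-alone demo.

```ruby
# Added example (not Puppet's code): the greedy CN regex from the thread
# next to a version that stops at the next '/' or the end of the DN.

# Constructed sample DNs in the slash-separated form Apache exports as
# SSL_CLIENT_S_DN (assumed layout; hostnames and addresses are made up).
SAMPLE_DNS = [
  "/C=GB/ST=London/O=Example/CN=agent01.example.net/emailAddress=ops@example.net",
  "/C=GB/O=Example/CN=agent02.example.net",
  "/CN = spaced.example.net /O=Example",
  "/C=GB/O=Example",                      # no CN at all
].freeze

# Regex quoted in the thread: the trailing (.*) runs to the end of the
# string, so everything after the CN value, emailAddress included, is kept.
BUGGY_CN_RE = /^.*?CN\s*=\s*(.*)/

# Fix in the direction Jeff proposes: capture only characters that are not
# '/', which stops at the next DN field or at the end of the string.
FIXED_CN_RE = %r{^.*?CN\s*=\s*([^/]*)}

# Returns the CN as the buggy pattern sees it, or nil when there is no CN.
def cn_buggy(dn)
  m = BUGGY_CN_RE.match(dn)
  m && m[1]
end

# Returns the CN as the fixed pattern sees it (surrounding whitespace
# trimmed, since the pattern allows spaces around '='), or nil if absent.
def cn_fixed(dn)
  m = FIXED_CN_RE.match(dn)
  m && m[1].strip
end

# Only trust the DN header when Apache reports a verified client cert.
# Header names match Andrew's RequestHeader lines; `headers` is a plain
# Hash here rather than a Rack env (assumption for the demo).
def authenticated_certname(headers)
  return nil unless headers["X-Client-Verify"] == "SUCCESS"

  dn = headers["X-Client-DN"]
  dn && cn_fixed(dn)
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_DNS.each do |dn|
    puts "DN:    #{dn}"
    puts "buggy: #{cn_buggy(dn).inspect}"
    puts "fixed: #{cn_fixed(dn).inspect}"
    puts
  end
end
```

Run it with `ruby cn_extract.rb`; the first sample is the case from the thread, where the buggy pattern returns `agent01.example.net/emailAddress=ops@example.net` and the fixed one returns `agent01.example.net`. Both patterns still locate `CN` anywhere in the string, including inside another attribute's value; anchoring on `/CN=` (or parsing the DN into fields before picking one) would be stricter than the minimal fix discussed here, and is worth considering since this value becomes the client's identity.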