On Tue, Jul 24, 2012 at 10:19 PM, Matt <mjbl...@gmail.com> wrote:
> The issue I ran into that caused problems was the following:
>
> Puppet 2.7.14 for some reason on my environment sets the keylength by
> default to 4096. F5 LTM, on at least the 10.1 version, cannot support anything
> more than 2048 for both the cert on the F5 and the client cert for
> authentication; the LTM will allow you to add the certificate but not apply
> it to the SSL profile. The client SSL cert that each puppet agent sends, if it's
> greater than 2048, will instantly receive a TCP RST; the request to the
> puppet master will still be sent for catalog compile. More detail here
> http://support.f5.com/kb/en-us/solutions/public/12000/100/sol12147.html on
> the SSL key issue and what is affected and not.

This was done because of #6663 security concerns; I think you can modify the
puppet keylength settings when generating keys.

> Additional changes were required, but this is what my non-SSL vhost (what the F5 is
> proxying requests to) looks like:
>
> # Apache Configuration
> <VirtualHost *:18140>
>   ServerName puppetmaster1.example.com
>   DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
>   RackBaseURI /
>   <Directory /usr/share/puppet/rack/puppetmasterd/public/>
>     Options None
>     AllowOverride None
>     Order allow,deny
>     allow from all
>   </Directory>
>   SetEnvIf X-SSL-Subject "(.*)" SSL_CLIENT_S_DN=$1
>   SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
>   SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1
>   SetEnvIf X-Forwarded-Proto "https" HTTPS=1
>
>   LogLevel error
>   ErrorLog "|/usr/sbin/cronolog /var/log/httpd/puppetmaster_error_log.%Y%m%d -l /var/log/httpd/puppetmaster_error_log"
>   CustomLog "|/usr/sbin/cronolog /var/log/httpd/puppetmaster_access_log.%Y%m%d -l /var/log/httpd/puppetmaster_access_log" combined
> </VirtualHost>
>
> The SSL port (8140) is following the standard guide for Apache Passenger, but
> with these three lines (like the non-SSL vhost):
>
> SetEnvIf X-SSL-Subject "(.*)" SSL_CLIENT_S_DN=$1
> SetEnvIf X-Client-Verify "(.*)" SSL_CLIENT_VERIFY=$1
> SetEnvIf X-Forwarded-For "(.*)" REMOTE_ADDR=$1
>
> Here is what the F5-specific configuration looks like; I substituted the IP
> addresses and some of the names because of my environment.
>
> pool puppet {
>   lb method member least conn
>   monitor all gateway_icmp
>   members 192.168.1.10:18140 {}
> }
>
> virtual puppet {
>   snat automap
>   pool puppet
>   destination 192.168.1.9:8140
>   ip protocol tcp
>   rules R_PUPPETMASTERS
>   profiles {
>     http {}
>     puppet {
>       clientside
>     }
>     tcp {}
>   }
> }
>
> profile clientssl puppet {
>   defaults from clientssl
>   key "puppet.key"
>   cert "puppet.crt"
>   chain "puppetca.crt"
>   ca file "puppetca.crt"
>   client cert ca "puppetca.crt"
>   renegotiate enable
>   peer cert mode require
>   authenticate always
> }
>
> # Slightly modified iRule based off of
> # http://projects.puppetlabs.com/projects/puppet/wiki/Load_Balancing_F5
> rule R_PUPPETMASTERS {
>   when HTTP_REQUEST {
>     HTTP::header insert "X-Forwarded-Proto" "https"
>     set cert_request 0
>     set path2 [URI::path [HTTP::uri] 2 2 ]
>
>     if { $path2 == "/certificate/" || $path2 == "/certificate_request/" } {
>       set cert_request 1
>     }
>   }
>
>   when HTTP_REQUEST_SEND {
>     if { $cert_request == 0 } {
>       clientside {
>         if { [SSL::verify_result] == 0 } {
>           HTTP::header insert "X-Client-Verify" "SUCCESS"
>         }
>         HTTP::header insert "X-Client-DN" /[X509::subject [SSL::cert 0]]
>         HTTP::header insert "X-SSL-Subject" /[X509::subject [SSL::cert 0]]
>       }
>     }
>   }
> }
> # end of F5 configuration
>
> Hopefully this helps people who had similar issues to the ones I had.

This might be a bit meta, but would anyone be interested in testing a deployment
using the puppetlabs-f5 module so puppet can set up load balancing on F5? So far,
your example doesn't seem too complicated, and I put together an example gist
(untested); I think we can get a puppet module to deploy load balancing for
puppet masters: https://gist.github.com/3174705

I know there was a suggestion on producing a deployment doc, but I would be all
for a puppet module instead.

Thanks,
Nan

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
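The header hand-off between the iRule quoted above and the Apache SetEnvIf lines on the :18140 vhost, modelled as a small Python script (an example added here, not code from the thread, from F5 or from Puppet). It assumes that `URI::path [HTTP::uri] 2 2` returns the second path segment wrapped in slashes, and that the clientssl profile (peer cert mode require) has already forced a client cert, so a subject DN is always available on non-certificate requests.

```python
from typing import Dict

# Model of "URI::path [HTTP::uri] 2 2": the second path segment, wrapped in
# slashes (assumed behaviour). Puppet 2.7 URIs look like /{env}/{indirection}/{key}.
def path_segment2(uri: str) -> str:
    parts = uri.split("?", 1)[0].split("/")   # parts[0] is "" for a leading "/"
    return "/" + parts[2] + "/" if len(parts) > 2 else ""

# Paths for which the iRule sets cert_request = 1 and adds no client-cert headers.
CERT_PATHS = {"/certificate/", "/certificate_request/"}

def f5_headers(uri: str, ssl_verify_result: int, subject_dn: str) -> Dict[str, str]:
    """Headers the iRule inserts before the request reaches the pool member.

    ssl_verify_result mirrors [SSL::verify_result] (0 means the client cert chained
    to puppetca.crt); subject_dn mirrors [X509::subject [SSL::cert 0]].
    """
    headers = {"X-Forwarded-Proto": "https"}         # always, in HTTP_REQUEST
    if path_segment2(uri) in CERT_PATHS:
        return headers                               # enrollment traffic: no DN/verify
    if ssl_verify_result == 0:
        headers["X-Client-Verify"] = "SUCCESS"       # only on a verified chain
    headers["X-Client-DN"] = "/" + subject_dn        # iRule prefixes a "/"
    headers["X-SSL-Subject"] = "/" + subject_dn
    return headers

# The SetEnvIf mappings from the :18140 vhost; Passenger/Puppet reads these env vars
# exactly as it would read mod_ssl's own variables.
SETENVIF = {
    "X-SSL-Subject": "SSL_CLIENT_S_DN",
    "X-Client-Verify": "SSL_CLIENT_VERIFY",
    "X-Forwarded-For": "REMOTE_ADDR",
}

def apache_env(headers: Dict[str, str]) -> Dict[str, str]:
    """Environment the backend sees for a given set of inbound headers."""
    env = {SETENVIF[h]: v for h, v in headers.items() if h in SETENVIF}
    if headers.get("X-Forwarded-Proto") == "https":
        env["HTTPS"] = "1"
    return env

def backend_env(uri: str, ssl_verify_result: int, subject_dn: str) -> Dict[str, str]:
    """Full hop: agent -> F5 clientssl/iRule -> Apache :18140 env vars."""
    return apache_env(f5_headers(uri, ssl_verify_result, subject_dn))
```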