Oh yeah, one more thing: when generating the SSL certs, it has to be in the 
puppet.conf in the [main] block, because when the client generates its SSL 
cert it will generate the key at the default keylength as well, which, as 
stated, causes a problem with client authentication because of the F5 
limitation.

On Wednesday, July 25, 2012 8:35:38 AM UTC-4, Matt wrote:
>
>  
>
>>
>> This was done because of #6663 security concerns, I think you can 
>> modify the puppet keylength settings when generating keys. 
>>
>>
>>
> Hi Nan, I was just highlighting the limitation of the F5 LTM in versions 
> prior to 10.2 since the issue is annoyingly hard to troubleshoot and was the 
> source of my frustration. Part of the reason it was frustrating is that it 
> allows you to upload certs that are greater than 2048 without error. This 
> caveat with the SSL certs and the F5 LTM probably should be put up on the 
> F5 load balance page in case someone else runs into the issue. I would not 
> mind creating an example F5 configuration utilizing the puppetlabs-f5 
> module. 
>
> The other Apache changes are required to make it work correctly though, 
> especially changing the REMOTE_ADDR environmental variable. I was not able 
> to find an alternative, and this was the quickest solution to the problem 
> because the puppet master is verifying the CN of the cert against the IP of 
> the client, which on the F5 is the F5 IP.
>
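
As an added example (not part of the original thread, and not Puppet or F5 code): a small Python check that a puppet.conf sets keylength in [main] at or below the 2048 limit the thread reports for F5 LTM versions prior to 10.2. The function names and the sample configs are constructed for illustration, and the parser handles only simple "key = value" lines.

```python
# Added example: lint a puppet.conf for the keylength placement described in the thread.
F5_MAX_KEY_BITS = 2048  # limit reported in the thread for F5 LTM versions prior to 10.2


def parse_sections(text):
    """Return {section: {setting: value}} for puppet.conf-style INI text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def check_keylength(text, limit=F5_MAX_KEY_BITS):
    """Return a list of findings; an empty list means the config passes."""
    sections = parse_sections(text)
    findings = []
    main_value = sections.get("main", {}).get("keylength")
    if main_value is None:
        findings.append("keylength not set in [main]: keys are generated at the default length")
    elif not main_value.isdigit():
        findings.append(f"[main] keylength is not a number: {main_value!r}")
    elif int(main_value) > limit:
        findings.append(f"[main] keylength {main_value} exceeds {limit}")
    # A value set only in another section does not cover every key that gets generated.
    for name, settings in sections.items():
        value = settings.get("keylength")
        if name != "main" and value is not None and value != main_value:
            findings.append(f"[{name}] keylength {value} is not the [main] value")
    return findings


# Constructed sample configs, not taken from the thread.
GOOD = "[main]\n    keylength = 2048\n[agent]\n    server = puppet.example.com\n"
MASTER_ONLY = "[main]\n    logdir = /var/log/puppet\n[master]\n    keylength = 2048\n"

if __name__ == "__main__":
    for label, conf in (("good", GOOD), ("master-only", MASTER_ONLY)):
        print(label, check_keylength(conf) or "OK")
```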
