Hi JM, this sounds like a real problem that was probably introduced with 
our code to start warning on certificates close to their expiration dates.

(#7962) 

https://github.com/puppetlabs/puppet/commit/12d81c7ef97167f1831143ff0037ae9a3970960d

I created a ticket for this 
issue: https://projects.puppetlabs.com/issues/16769

Can you please update the ticket with more information about your 
environment?

- what version of passenger?
- what version of apache?

Thanks!

On Tuesday, October 2, 2012 7:07:32 AM UTC-7, A_SAAS wrote:
>
> Hi everyone,
>
> I have been trying to set up Puppet 3.0 with Passenger since this morning; 
> it is really painful for me.
>
> I am using the directive:
>         SSLOptions              +StdEnvVars +ExportCertData
>
>
> No problem, but when putting '+ExportCertData', I am unable to autosign or 
> remotely revoke any certificate; I have the following error:
> info: Creating a new SSL key for linux-install.fqdn
> err: Could not request certificate: Error 400 on SERVER: header too long
> Exiting; failed to retrieve certificate and waitforcert is disabled
>
> When using only:
>         SSLOptions              +StdEnvVars
>
> Everything works perfectly.
>
>
> So here is the apache configuration file:
> --
> # you probably want to tune these settings
> PassengerMaxPoolSize 12
> PassengerPoolIdleTime 1500
> # PassengerMaxRequests 1000
> PassengerStatThrottleRate 120
> RackAutoDetect Off
> RailsAutoDetect Off
> PassengerHighPerformance on
>
> Listen 8140
>
> <VirtualHost *:8140>
>         ServerName puppetmaster.fqdn
>         ServerAlias puppetmaster
>
>         ErrorLog /var/log/apache2/puppetmaster_error.log
>         LogLevel warn
>         SetEnvIf Remote_Addr "::1" dontlog
>         CustomLog /var/log/apache2/puppetmaster_access.log combined env=!dontlog
>
>         SSLEngine on
>         SSLProtocol -ALL +SSLv3 +TLSv1
>         SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
>
>         SSLCertificateFile      /data/local/puppet/ssl/certs/puppetmaster.fqdn.pem
>         SSLCertificateKeyFile   /data/local/puppet/ssl/private_keys/puppetmaster.fqdn.pem
>         SSLCertificateChainFile /data/local/puppet/ssl/ca/ca_crt.pem
>         SSLCACertificateFile    /data/local/puppet/ssl/ca/ca_crt.pem
>         # If Apache complains about invalid signatures on the CRL, you can try disabling
>         # CRL checking by commenting the next line, but this is not recommended.
>         SSLCARevocationFile     /data/local/puppet/ssl/ca/ca_crl.pem
>         SSLVerifyClient         optional
>         SSLVerifyDepth          1
>         # The `ExportCertData` option is needed for agent certificate expiration warnings
>         SSLOptions              +StdEnvVars +ExportCertData
>
>         # This header needs to be set if using a loadbalancer or proxy
>         # RequestHeader unset X-Forwarded-For
>
>         RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
>         RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
>         RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
>
>         RackAutoDetect  On
>
>         DocumentRoot /var/www/puppetmaster/public/
>         RackBaseURI /
>         <Directory /var/www/puppetmaster/>
>                 Options None
>                 AllowOverride None
>                 Order allow,deny
>                 allow from all
>         </Directory>
> </VirtualHost>
> --
>
>
> So any clue?
>
>
> Regards,
> JM
>
>

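An added example, not code from Puppet or from either poster: a Rack-style handler reading the PEM that `+ExportCertData` exports in `SSL_CLIENT_CERT` to produce an expiration warning, while tolerating the case where no client certificate was presented (`SSLVerifyClient optional`, as for an agent requesting its first certificate). The function names, the 60-day window and the sample certificates are assumptions made for illustration.

```ruby
require 'openssl'

WARN_WINDOW = 60 * 24 * 60 * 60 # assumed warning window: 60 days, in seconds

# Classify the PEM that mod_ssl exports in SSL_CLIENT_CERT.
# Returns [status, detail]; never raises on missing or malformed input.
def client_cert_status(env, now = Time.now)
  pem = env['SSL_CLIENT_CERT']
  # With SSLVerifyClient optional, a client may present no certificate,
  # so the variable can be absent or empty and must not be parsed.
  return [:no_cert, nil] if pem.nil? || pem.strip.empty?

  begin
    cert = OpenSSL::X509::Certificate.new(pem)
  rescue OpenSSL::X509::CertificateError => e
    return [:unparseable, e.message]
  end

  remaining = cert.not_after - now
  return [:expired, cert.not_after] if remaining <= 0
  return [:expiring_soon, cert.not_after] if remaining < WARN_WINDOW
  [:ok, cert.not_after]
end

# Constructed sample: a throwaway self-signed certificate valid for `days`.
def sample_pem(days)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=agent.example.test')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + days * 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request environments: no cert, empty value, near expiry.
  [{}, { 'SSL_CLIENT_CERT' => '' }, { 'SSL_CLIENT_CERT' => sample_pem(10) }].each do |env|
    status, detail = client_cert_status(env)
    puts "#{status} #{detail}"
  end
end
```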