I finally got it. Lots of searching, poking and twiddling with apache services :) Thank you so much!
Here are my config files. Remote proxy is SLES11, puppetmaster is RHEL5 with EPEL and Puppet repos.

Note that SSLProxyMachineCertificateFile /var/lib/puppet/ssl/certs/remote_proxy_host.combined is the private key and cert for the remote proxy put in a single file (/var/lib/puppet/ssl/certs/puppetmaster_host.pem and /var/lib/puppet/ssl/private_keys/puppetmaster_host.pem).

Apache conf.d/puppetmaster.conf:

    PassengerMaxPoolSize 4
    PassengerMaxRequests 1000
    PassengerPoolIdleTime 600

    Listen 8141
    <VirtualHost *:8141>
        SSLEngine on
        SSLProtocol All -SSLv2
        SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
        SSLCertificateFile /var/lib/puppet/ssl/certs/puppetmaster_host.pem
        SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppetmaster_host.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient optional
        SSLVerifyDepth 1
        SSLOptions +StdEnvVars +ExportCertData

        PassengerStatThrottleRate 120
        DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
        <Directory /usr/share/puppet/rack/puppetmasterd/>
            Options None
            AllowOverride None
            Order Allow,Deny
            Allow from All
        </Directory>
    </VirtualHost>

    Listen 8140
    <VirtualHost *:8140>
        SSLEngine On
        SSLProtocol All -SSLv2
        SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
        SSLCertificateFile /var/lib/puppet/ssl/certs/puppetmaster_host.pem
        SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppetmaster_host.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient optional
        SSLVerifyDepth 1
        SSLOptions +StdEnvVars +ExportCertData

        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-PUPPET-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-PUPPET-Client-Verify %{SSL_CLIENT_VERIFY}e

        PassengerStatThrottleRate 120
        DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
        <Directory /usr/share/puppet/rack/puppetmasterd/>
            Options None
            AllowOverride None
            Order Allow,Deny
            Allow from All
        </Directory>
    </VirtualHost>

/etc/puppet.conf:

    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = $vardir/ssl
    server = puppetmaster_host
    pluginsync = true

    [agent]
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
    report = true
    environment = production

    [master]
    reports = store,http,foreman,log
    reporturl = http://puppetmaster_host:3000/reports/upload
    storeconfigs = true
    #async_storeconfigs = true
    dbadapter = mysql
    dbuser = puppet
    dbpassword = f1rmwar3
    dbserver = localhost
    dbsocket = /var/lib/mysql/mysql.sock
    dbconnections = 10
    node_terminus = exec
    facts_terminus = yaml
    external_nodes = /usr/share/puppet/ext/susemanager_enc.rb
    ssl_client_header = HTTP_X_PUPPET_CLIENT_DN
    ssl_client_verify_header = HTTP_X_PUPPET_CLIENT_VERIFY

Remote Proxy:

    LoadModule headers_module /usr/lib64/apache2/mod_headers.so

    Listen 8140
    <VirtualHost *:8140>
        ServerName remote_proxy_host:8140

        SSLEngine on
        SSLProtocol All -SSLv2
        SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
        SSLCertificateFile /var/lib/puppet/ssl/certs/remote_proxy_host.pem
        SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/remote_proxy_host.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
        SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient optional
        SSLVerifyDepth 1
        SSLOptions +StdEnvVars

        LogLevel warn

        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-PUPPET-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-PUPPET-Client-Verify %{SSL_CLIENT_VERIFY}e

        RewriteEngine On
        TraceEnable Off
        RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
        RewriteRule .* - [F]

        SSLProxyEngine on
        SSLProxyVerify require
        SSLProxyCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLProxyCheckPeerCN on
        SSLProxyMachineCertificateFile /var/lib/puppet/ssl/certs/remote_proxy_host.combined

        ProxyPass / https://puppetmaster_host:8141/
        ProxyPassReverse / https://puppetmaster_host:8141/
        ProxyPreserveHost On

        <Location />
            Order deny,allow
            allow from All
            deny from all
        </Location>
    </VirtualHost>
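
With ssl_client_header and ssl_client_verify_header set as in the puppet.conf above, the master takes the client identity from the X-PUPPET-Client-DN and X-PUPPET-Client-Verify request headers, so it matters which vhost overwrites them from its own TLS session and which passes them through from the proxy. The following is an added example, not part of the original post: a Python audit run over a constructed reduction of the two master vhosts; the function name audit and the finding strings are assumptions of this example.

```python
import re

# Headers the master trusts (ssl_client_header / ssl_client_verify_header in puppet.conf).
TRUSTED = ("x-puppet-client-dn", "x-puppet-client-verify")

# Constructed sample: the two master vhosts, reduced to the directives the check reads.
SAMPLE = """
Listen 8141
<VirtualHost *:8141>
    SSLVerifyClient optional
</VirtualHost>
Listen 8140
<VirtualHost *:8140>
    SSLVerifyClient optional
    RequestHeader set X-PUPPET-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-PUPPET-Client-Verify %{SSL_CLIENT_VERIFY}e
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def audit(conf):
    """Return {vhost address: finding} for every <VirtualHost> block in conf."""
    findings = {}
    for name, body in VHOST.findall(conf):
        overwritten, verify = set(), "none"  # Apache default is SSLVerifyClient none
        for line in body.splitlines():
            words = line.split()
            if not words or words[0].startswith("#"):
                continue
            key = words[0].lower()
            if key == "sslverifyclient" and len(words) > 1:
                verify = words[1].lower()
            elif key == "requestheader" and len(words) > 2:
                # set/unset replace or drop whatever value arrived with the request
                if words[1].lower() in ("set", "unset"):
                    overwritten.add(words[2].lower())
        passed_through = [h for h in TRUSTED if h not in overwritten]
        if not passed_through:
            findings[name] = "ok: identity headers come from this TLS session"
        elif verify == "require":
            findings[name] = "review: headers accepted from any peer whose cert verifies"
        else:
            findings[name] = "restrict: headers passed through, client cert not required"
    return findings

if __name__ == "__main__":
    for vhost, finding in audit(SAMPLE).items():
        print(vhost, "->", finding)
```

A vhost reported as restrict is one that should be reachable only from the proxy, for example through a host firewall rule or an Allow from limited to the proxy's address.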