[Pkg-puppet-devel] Bug#495939: local host fails to sync with mongrel when CRLs are in use with apache2

Faidon Liambotis paravoid at debian.org
Thu Apr 30 18:14:21 UTC 2009


forwarded 495939 http://projects.reductivelabs.com/issues/899
thanks

Martin, hi,

martin f krafft wrote:
> After switching to mongrel (and recreating the certificate for the
> local puppetd), it won't sync with puppet anymore:
> 
>   err: /File[/var/lib/puppet/lib]: Failed to generate additional
>   resources during transaction: Certificates were not trusted: tlsv1
>   alert decrypt error
This is a known issue, #899 on puppet's bug tracker.

> The only way to make it work again is by commenting
>   SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
> in the apache2 configuration.
This actually works, contrary to your reply.

However, SSL without CRLs is not exactly ideal, so here at work we've
worked around it as follows:

- split your Apache config into two (non-named) VirtualHosts: the
network IP and 127.0.0.1/[::1] with identical configs,
- remove SSLCARevocationFile from the localhost one,
- define "server = localhost" in puppet.conf for the puppetmaster,
- make sure that there are no $servername variables in your manifests
(e.g. we had to switch some file URLs from puppet://$servername/files/
to puppet:///files/)

Regards,
Faidon
