[Pkg-puppet-devel] Bug#495939: Bug#495939: local host fails to sync with mongrel when CRLs are in use with apache2

Nigel Kersten nigel at explanatorygap.net
Thu Apr 30 22:38:11 UTC 2009
On Thu, Apr 30, 2009 at 11:14 AM, Faidon Liambotis <paravoid at debian.org> wrote:
> forwarded 495939 http://projects.reductivelabs.com/issues/899
> thanks
>
> Martin, hi,
>
> martin f krafft wrote:
>> After switching to mongrel (and recreating the certificate for the
>> local puppetd), it won't sync with puppet anymore:
>>
>>   err: /File[/var/lib/puppet/lib]: Failed to generate additional
>>   resources during transaction: Certificates were not trusted: tlsv1
>>   alert decrypt error
> This is a known issue, #899 on puppet's bug tracker.
>
>> The only way to make it work again is by commenting
>>   SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
>> in the apache2 configuration.
> This actually works, contrary to your reply.
>
> However, SSL without CRLs is not exactly ideal, so here at work we've
> worked around it as such:
>
> - split your Apache config into two (non-named) VirtualHosts: the
> network IP and 127.0.0.1/[::1] with identical configs,
> - remove SSLCARevocationFile from the localhost one,
> - define "server = localhost" in puppet.conf for the puppetmaster,
> - make sure that there are no $servername variables in your manifests
> (e.g. we had to switch some file URLs from puppet://$servername/files/
> to puppet:///files/)

Note too that having a CRL works fine with Apache/Passenger here in my testing.