Hi,
This is most likely user error rather than a bug, but I'm hoping someone can answer this either way.
I'm trying to put a puppet master behind nginx and I'm having trouble working out how to express the config I want with this module. The issue is with the SSL certificate and key paths.
The manifest below produces an nginx config whose ssl_certificate and ssl_certificate_key point at /etc/nginx/unicorn_puppetmaster.crt and .key, rather than at the two explicit files I passed in the vhost's ssl_cert and ssl_key parameters.
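# Puppet master vhost on 8140, terminating TLS in nginx and proxying to unicorn.
#
# NOTE(review): the generated server block referenced
# /etc/nginx/unicorn_puppetmaster.{crt,key} instead of the ssl_cert/ssl_key
# paths below, which suggests the module copies those files to
# /etc/nginx/<name>.* rather than pointing nginx at them in place. If that is
# what your module version does, confirm the copied private key is owned by
# root with mode 0600 (it is a second copy of the CA-signed host key) and that
# the copy is refreshed when the puppet certificate is renewed.
nginx::resource::vhost { 'unicorn_puppetmaster':
  ensure      => present,
  server_name => ['puppet'],
  listen_port => 8140,
  ssl         => true,
  ssl_cert    => "/var/lib/puppet/ssl/certs/${::fqdn}.pem",
  ssl_key     => "/var/lib/puppet/ssl/private_keys/${::fqdn}.pem",
  ssl_port    => 8140,
  # Mozilla-style ordered list; it still admits the 3DES suites, which are only
  # needed for very old agents. Separately, the generated config enabled SSLv3
  # (module default) — disable it via the module's protocol parameter if your
  # version exposes one, as none of the puppet agents need it.
  ssl_ciphers => 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS',
  # Client-certificate auth against the puppet CA. 'optional' lets requests
  # without a cert through (needed for an agent's initial CSR), so the backend
  # must enforce X-Client-Verify itself rather than assume every request is
  # authenticated. The CRL path must be readable by the nginx worker user.
  vhost_cfg_append => {
    'ssl_crl'                => '/var/lib/puppet/ssl/ca/ca_crl.pem',
    'ssl_client_certificate' => '/var/lib/puppet/ssl/certs/ca.pem',
    'ssl_verify_client'      => 'optional',
    'ssl_verify_depth'       => 1,
  },
  www_root             => '/etc/puppet/rack/public',
  use_default_location => false,
  access_log           => '/var/log/nginx/puppetmaster_access.log',
  error_log            => '/var/log/nginx/puppetmaster_error.log',
  # NOTE(review): these render at server level, but the '/' location below has
  # its own proxy_set_header directives, and nginx inherits proxy_set_header
  # only when the current level defines none — so in the generated config the
  # X-Client-* headers never reach the backend and client-cert auth silently
  # fails. Put the full list on the nginx::resource::location as well.
  proxy_set_header => [
    'Host $host',
    # Was '&remote_addr' — a typo that sent the literal text "&remote_addr" as
    # the client IP to the backend.
    'X-Real-IP $remote_addr',
    'X-Forwarded-For $proxy_add_x_forwarded_for',
    'X-Client-Verify $ssl_client_verify',
    'X-Client-DN $ssl_client_s_dn',
    'X-SSL-Issuer $ssl_client_i_dn',
  ],
  # NOTE(review): this value did not appear in the generated server block; the
  # location got the module default (90). If the longer timeout matters for
  # slow catalog compiles, it needs to be set where the location is rendered.
  proxy_read_timeout => '120',
}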
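# Catch-all location proxying every request to the unicorn upstream.
# The generated location block carried only the module's default three
# proxy_set_header lines (Host, X-Real-IP, X-Forwarded-For). Because nginx
# does not inherit server-level proxy_set_header into a location that defines
# its own, the client-certificate headers have to be declared here for the
# backend to ever see them.
nginx::resource::location { '/':
  ensure   => present,
  location => '/',
  vhost    => 'unicorn_puppetmaster',
  proxy    => 'http://unicorn_puppetmaster',
  ssl      => true,
  ssl_only => true,
  proxy_set_header => [
    'Host $host',
    'X-Real-IP $remote_addr',
    'X-Forwarded-For $proxy_add_x_forwarded_for',
    # Result of ssl_verify_client; the backend must treat anything other than
    # SUCCESS as unauthenticated.
    'X-Client-Verify $ssl_client_verify',
    'X-Client-DN $ssl_client_s_dn',
    'X-SSL-Issuer $ssl_client_i_dn',
  ],
}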
# Upstream group for the vhost/location above. The single member is a local
# unix socket, so the X-Client-* headers set by nginx cannot be altered in
# transit between nginx and unicorn; only the agent-facing TLS side matters.
nginx::resource::upstream { 'unicorn_puppetmaster':
  members               => [
    'unix:/var/run/puppet/unicorn_puppetmaster.sock',
  ],
  upstream_fail_timeout => '0',
}
This manifest yields the following nginx config file:
# Generated by the manifest above. Annotated with what a reviewer would flag;
# the directives themselves are reproduced as generated.
server {
listen *:8140 ssl;
server_name puppet;
ssl on;
# Not the ssl_cert/ssl_key paths given to the vhost: the module appears to
# place (copy) the cert and key under /etc/nginx/<name>.* — confirm the key
# copy's ownership/permissions and that it tracks renewals.
ssl_certificate /etc/nginx/unicorn_puppetmaster.crt;
ssl_certificate_key /etc/nginx/unicorn_puppetmaster.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
# SSLv3 is enabled here (module default); no puppet agent needs it.
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
ssl_prefer_server_ciphers on;
index index.html index.htm index.php;
access_log /var/log/nginx/puppetmaster_access.log;
error_log /var/log/nginx/puppetmaster_error.log;
root /etc/puppet/rack/public;
# These server-level headers are NOT inherited by "location /" below, because
# that block defines its own proxy_set_header directives (nginx inherits
# proxy_set_header only when the current level has none). The X-Client-*
# values therefore never reach the backend in this configuration.
proxy_set_header Host $host;
# "&remote_addr" is a typo in the manifest; the backend receives the literal
# string rather than the client address.
proxy_set_header X-Real-IP &remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Client-Verify $ssl_client_verify;
proxy_set_header X-Client-DN $ssl_client_s_dn;
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
location / {
proxy_pass http://unicorn_puppetmaster;
# 90, not the 120 requested on the vhost: the vhost-level value was not
# rendered anywhere in this file.
proxy_read_timeout 90;
proxy_connect_timeout 90;
proxy_redirect off;
# Module defaults only — the client-certificate headers are missing here.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# Client-cert verification against the puppet CA. 'optional' admits requests
# with no certificate (needed for an agent's initial CSR), so the backend has
# to check X-Client-Verify — which, per the note above, it is not receiving.
ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
ssl_verify_client optional;
ssl_verify_depth 1;
}
Can anyone please explain what I need to do to get the ssl_cert and ssl_key paths I passed in referenced directly by the generated nginx vhost config?
Thanks
J