On Thu, Apr 30, 2009 at 11:14 AM, Faidon Liambotis <parav...@debian.org> wrote:
> forwarded 495939 http://projects.reductivelabs.com/issues/899
> thanks
>
> Martin, hi,
>
> martin f krafft wrote:
>> After switching to mongrel (and recreating the certificate for the
>> local puppetd), it won't sync with puppet anymore:
>>
>> err: /File[/var/lib/puppet/lib]: Failed to generate additional
>> resources during transaction: Certificates were not trusted: tlsv1
>> alert decrypt error
> This is a known issue, #899 on puppet's bug tracker.
>
>> The only way to make it work again is by commenting
>> SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
>> in the apache2 configuration.
> This actually works, contrary to your reply.
>
> However, SSL without CRLs is not exactly ideal, so here at work we've
> worked around it as such:
>
> - split your Apache config into two (non-named) VirtualHosts: the
>   network IP and 127.0.0.1/[::1] with identical configs,
> - remove SSLCARevocationFile from the localhost one,
> - define "server = localhost" in puppet.conf for the puppetmaster,
> - make sure that there are no $servername variables in your manifests
>   (e.g. we had to switch some file URLs from puppet://$servername/files/
>   to puppet:///files/)

Note too that having a CRL works fine with Apache/Passenger here in my testing.
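
An added example, not part of the thread or of Puppet: a small audit of the split-VirtualHost workaround quoted above. It checks that `SSLCARevocationFile` is missing only from a loopback-only VirtualHost and that the VirtualHosts are otherwise identical. The sample config, its address `192.0.2.10`, port `8140` and the `SSLVerifyClient` lines are constructed placeholders; only the CRL path is taken from the thread.

```python
import re

# Constructed sample config (not from the thread); address, port and the
# SSLEngine/SSLVerifyClient lines are placeholders. Only the CRL path is quoted.
SAMPLE = """\
<VirtualHost 192.0.2.10:8140>
    SSLEngine on
    SSLVerifyClient optional
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
</VirtualHost>
<VirtualHost 127.0.0.1:8140 [::1]:8140>
    SSLEngine on
    SSLVerifyClient optional
</VirtualHost>
"""

LOOPBACK = ("127.", "[::1]", "localhost")

def parse_vhosts(text):
    """Return [(addresses, [directive lines])] for each <VirtualHost> block."""
    vhosts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+(.+?)>$", line, re.I)
        if m:
            current = (m.group(1).split(), [])
        elif re.match(r"</VirtualHost>$", line, re.I):
            vhosts.append(current)
            current = None
        elif current is not None:
            current[1].append(" ".join(line.split()))
    return vhosts

def audit(text):
    """Findings: CRL missing on a non-loopback vhost, or vhosts differing beyond the CRL line."""
    findings, bodies = [], []
    for addrs, directives in parse_vhosts(text):
        has_crl = any(d.lower().startswith("sslcarevocationfile ") for d in directives)
        loopback_only = all(a.lower().startswith(LOOPBACK) for a in addrs)
        if not has_crl and not loopback_only:
            findings.append(f"no CRL on network-facing vhost {' '.join(addrs)}")
        bodies.append(sorted(d for d in directives if not d.lower().startswith("sslcarevocationfile ")))
    if any(b != bodies[0] for b in bodies[1:]):
        findings.append("vhosts differ in more than SSLCARevocationFile")
    return findings
```

An empty list from `audit()` means revocation checking is relaxed only for connections arriving over loopback.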