No SSL cert with CN supplied - request from xxxxxxx

When I run "puppet agent -t" on the Puppet client, the Foreman server's
production log shows "No SSL cert with CN supplied - request from
xxxxxxx". When I turn "restrict_registered_smart_proxies" off, there is
no error in the production log. If I want to turn
"restrict_registered_smart_proxies" on, what do I need to do on the Foreman
server or the smart proxy?

Here is what the official Foreman manual says:

restrict_registered_smart_proxies:
When set to true, services such as Puppet masters (or Salt, Chef) need to have a smart proxy registered with the appropriate feature (e.g. Puppet) to access fact/report importers and ENC output.

Hi,
thank you for answering my question. I have set SSL_CLIENT_S_DN; here is my
nginx config file. Where is it wrong?

server {
listen 443 ssl;
server_name foreman.server.com;
root /usr/local/foreman-1.9.3/public;

passenger_enabled          on;
passenger_env_var   HTTP_X_CLIENT_DN $ssl_client_s_dn;
passenger_env_var   HTTP_X_CLIENT_VERIFY $ssl_client_verify;

access_log /data/log/nginx/foreman_access.log;
error_log /data/log/nginx/foreman_error.log;

proxy_buffer_size 8196k;
proxy_buffering on;
proxy_buffers 64 8196k;
proxy_busy_buffers_size 32678k;

ssl on;
ssl_session_timeout 5m;

ssl_certificate /var/lib/puppet/ssl/certs/foreman.server.com.pem;
ssl_certificate_key /var/lib/puppet/ssl/private_keys/foreman.server.com.pem;
ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;

ssl_verify_client optional;
ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
ssl_prefer_server_ciphers on;
ssl_verify_depth 1;
ssl_session_cache shared:SSL:128m;



location ~ ^/assets/ {
    expires 1y;
    add_header Cache-Control public;
    add_header ETag "";
    break;
}

}

Hi, I have changed my nginx config file, but the problem is still there.

I configured nginx following this:
http://projects.theforeman.org/projects/foreman/wiki/Setting_up_Nginx_+Passenger

server {
listen 443 ssl;
server_name foreman.server.com;
root /usr/local/foreman-1.9.3/public;

passenger_enabled          on;
passenger_env_var   HTTPS on;
#passenger_env_var   HTTP_X_CLIENT_DN $ssl_client_s_dn;

passenger_env_var HTTP_X_CLIENT_VERIFY $ssl_client_verify;

passenger_env_var   SSL_CLIENT_S_DN $ssl_client_s_dn;
passenger_env_var   SSL_CLIENT_VERIFY $ssl_client_verify;

access_log /data/log/nginx/foreman_access.log;
error_log /data/log/nginx/foreman_error.log;

proxy_buffer_size 8196k;
proxy_buffering on;
proxy_buffers 64 8196k;
proxy_busy_buffers_size 32678k;

ssl on;
ssl_session_timeout 5m;

>
> When I run "puppet agent -t" on the Puppet client, the Foreman server's
> production log shows "No SSL cert with CN supplied - request from
> xxxxxxx". When I turn "restrict_registered_smart_proxies" off, there
> is no error in the production log. If I want to turn
> "restrict_registered_smart_proxies" on, what do I need to do on the Foreman
> server or the smart proxy?

The error indicates that there is no CN from a client SSL certificate in
the request supplied in the SSL_CLIENT_S_DN environment variable
(default, defined by the ssl_client_dn_env setting). This is used to
authenticate the incoming request.

You said on IRC that you're not using our standard installer setup, so
you need to ensure that your web server is configured to do SSL client
certificate verification and to set the environment variable for the
Foreman Passenger application. In Apache that's SSLVerifyClient,
SSLOptions etc.

> here is foreman offical manual describe:
>
> restrict_registered_smart_proxies:
> When set to true, services such as Puppet masters (or Salt, Chef) need to have a smart proxy registered with the appropriate feature (e.g. Puppet) to access fact/report importers and ENC output.

When the request comes in over HTTPS then the above SSL check is made.
Alternatively, you can disable "require_ssl_smart_proxies" to perform a
reverse DNS (hostname) check only.

On 15/12/15 03:37, 辛建国 wrote:


Dominic Cleal
dominic@cleal.org
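The reply above describes a two-part decision: over HTTPS, Foreman needs the web server to have verified the client certificate and to have exported its subject DN under the variable named by ssl_client_dn_env (SSL_CLIENT_S_DN by default); otherwise, with require_ssl_smart_proxies off, only a reverse DNS check is made. The following Ruby block is an added illustration of that decision written for this page, not Foreman's own code. The setting names and the log message come from the thread; the default values, the SSL_CLIENT_VERIFY variable name, the control flow and the sample environments are assumptions and constructed data.

```ruby
# Added illustration (not Foreman's own code) of the smart-proxy authorisation
# decision described in the thread. Setting names come from the thread; their
# defaults, the verify-variable name and the control flow are assumptions.
require 'resolv'

DEFAULT_SETTINGS = {
  restrict_registered_smart_proxies: true,    # thread: the setting being turned on
  require_ssl_smart_proxies: true,            # thread: turn off for reverse-DNS-only check
  ssl_client_dn_env: 'SSL_CLIENT_S_DN',       # thread: default of ssl_client_dn_env
  ssl_client_verify_env: 'SSL_CLIENT_VERIFY'  # assumption: verify-result variable name
}.freeze

# Pull the CN out of an X.509 subject DN as web servers render it:
# "/CN=host/O=org" (legacy slash form) or "CN=host,O=org" (RFC 2253 form).
def cn_from_dn(dn)
  return nil if dn.nil? || dn.strip.empty?
  dn.split(%r{[/,]}).each do |attr|
    key, value = attr.strip.split('=', 2)
    next if key.nil? || value.nil?
    return value.strip if key.casecmp('CN').zero? && !value.strip.empty?
  end
  nil
end

# env is the CGI/Rack environment the web server hands to the application,
# registered the hostnames that have a smart proxy registered for the feature.
# reverse_lookup is injectable so the example runs offline.
def authorize_smart_proxy(env, registered, settings = DEFAULT_SETTINGS,
                          reverse_lookup: ->(ip) { Resolv.getname(ip) })
  return [true, 'restriction disabled'] unless settings[:restrict_registered_smart_proxies]

  remote = env['REMOTE_ADDR']

  if env['HTTPS'] == 'on'
    # Both must hold: the web server verified the client cert against the CA
    # *and* exported its subject DN under the name Foreman is configured to read.
    verify = env[settings[:ssl_client_verify_env]]
    return [false, "SSL client certificate not verified (#{verify.inspect}) - request from #{remote}"] unless verify == 'SUCCESS'

    cn = cn_from_dn(env[settings[:ssl_client_dn_env]])
    # The message from the thread: the DN variable was absent or empty.
    return [false, "No SSL cert with CN supplied - request from #{remote}"] if cn.nil?

    return [true, "smart proxy #{cn}"] if registered.include?(cn)
    return [false, "No smart proxy registered for #{cn} - request from #{remote}"]
  end

  # Plain HTTP: refuse unless the administrator opted into the weaker
  # reverse-DNS check by turning require_ssl_smart_proxies off.
  return [false, "SSL required for smart proxy requests - request from #{remote}"] if settings[:require_ssl_smart_proxies]

  host = begin
    reverse_lookup.call(remote)
  rescue Resolv::ResolvError
    nil
  end
  return [false, "No reverse DNS for #{remote}"] if host.nil?
  registered.include?(host) ? [true, "smart proxy #{host} (reverse DNS)"] : [false, "No smart proxy registered for #{host}"]
end

# Constructed sample environments (not captured from a real server).
ENV_OK = { 'HTTPS' => 'on', 'REMOTE_ADDR' => '10.0.0.5',
           'SSL_CLIENT_VERIFY' => 'SUCCESS',
           'SSL_CLIENT_S_DN' => '/CN=puppet.server.com' }.freeze

# The first nginx config in the thread exported the DN as HTTP_X_CLIENT_DN,
# a name the default ssl_client_dn_env does not look at.
ENV_WRONG_NAME = { 'HTTPS' => 'on', 'REMOTE_ADDR' => '10.0.0.5',
                   'SSL_CLIENT_VERIFY' => 'SUCCESS',
                   'HTTP_X_CLIENT_DN' => '/CN=puppet.server.com' }.freeze

if __FILE__ == $PROGRAM_NAME
  registered = ['puppet.server.com']
  p authorize_smart_proxy(ENV_OK, registered)
  p authorize_smart_proxy(ENV_WRONG_NAME, registered)
end
```

Running the block prints an accepted request for ENV_OK and the thread's "No SSL cert with CN supplied" rejection for ENV_WRONG_NAME, which is the symptom of exporting the DN under the wrong variable name even though the certificate itself verified.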

This is not SSL_CLIENT_S_DN, it's HTTP_X_CLIENT_DN.

Compare against
http://projects.theforeman.org/projects/foreman/wiki/Setting_up_Nginx_+Passenger

On 15/12/15 09:49, 辛建国 wrote:
> Hi,
> thank you for answering my question. I have set SSL_CLIENT_S_DN; here is my
> nginx config file. Where is it wrong?
>
> server {
> listen 443 ssl;
> server_name foreman.server.com;
> root /usr/local/foreman-1.9.3/public;
>
> passenger_enabled on;
> passenger_env_var HTTP_X_CLIENT_DN $ssl_client_s_dn;
> passenger_env_var HTTP_X_CLIENT_VERIFY $ssl_client_verify;


Dominic Cleal
dominic@cleal.org
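For reference, here is an nginx server block that exports the client DN under the default name the replies above say Foreman reads (SSL_CLIENT_S_DN), with the posted HTTP_X_CLIENT_DN line shown next to it for comparison. This is an added example written for this page, not the wiki's configuration and not a reproduction of the thread's final fix, which the thread does not show. Paths, hostname and the cipher settings are assumptions; the cipher list replaces the posted "SSLv2:-LOW:-EXPORT:RC4+RSA", which effectively restricts the server to RC4 suites that are prohibited for TLS by RFC 7465.

```nginx
# Added example (not the Foreman wiki's config). Paths, hostname and cipher
# choices are assumptions; only the env-var names come from the thread.
server {
    listen 443 ssl;
    server_name foreman.server.com;
    root /usr/local/foreman-1.9.3/public;

    passenger_enabled on;
    # Tell the application the request arrived over TLS.
    passenger_env_var HTTPS on;

    # Weak: exports the DN under a name Foreman does not read by default.
    # passenger_env_var HTTP_X_CLIENT_DN $ssl_client_s_dn;

    # Corrected: matches the default of Foreman's ssl_client_dn_env setting.
    # $ssl_client_s_dn is empty when no client cert was presented, and
    # $ssl_client_verify is SUCCESS, FAILED or NONE.
    passenger_env_var SSL_CLIENT_S_DN $ssl_client_s_dn;
    passenger_env_var SSL_CLIENT_VERIFY $ssl_client_verify;

    ssl_certificate     /var/lib/puppet/ssl/certs/foreman.server.com.pem;
    ssl_certificate_key /var/lib/puppet/ssl/private_keys/foreman.server.com.pem;
    # Verify client certs against the Puppet CA and honour its CRL.
    ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
    ssl_crl                /var/lib/puppet/ssl/ca/ca_crl.pem;
    # "optional" still lets browser users in without a cert; the presence
    # check for proxy endpoints is done by restrict_registered_smart_proxies.
    ssl_verify_client optional;
    ssl_verify_depth 1;

    # Weak (posted): ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
    # Corrected: drop SSLv2/RC4, require TLS 1.2 with modern suites.
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:128m;
    ssl_session_timeout 5m;

    access_log /data/log/nginx/foreman_access.log;
    error_log  /data/log/nginx/foreman_error.log;
}
```

To check what the application actually receives, send one request with the Puppet master's own certificate (for example `curl --cert <certs/host.pem> --key <private_keys/host.pem> --cacert <certs/ca.pem> https://foreman.server.com/...` against a proxy endpoint) and confirm the production log no longer reports "No SSL cert with CN supplied"; if it still does, the variable name or the verify result is the thing to inspect, not the certificate.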