(#16769) Fix header too long error with ExportCertData #1222

Merged
jeffmccune merged 1 commit into puppetlabs:3.0.x from jeffmccune:fix/3.0.x/16769_export_cert_data_too_long
Oct 11, 2012
@jeffmccune
Contributor

Without this patch new Puppet agent nodes who do not yet have a signed
certificate will receive this error message when Apache is configured with
the +ExportCertData option.

    Error: Could not request certificate: Error 400 on SERVER: header too long
    Exiting; failed to retrieve certificate and waitforcert is disabled

This is a problem because Puppet doesn't run at all.

The root cause is that we didn't take into account the edge case where a
Puppet agent is operating as an anonymous SSL client without a signed
certificate. In this situation, the SSL_CLIENT_CERT environment
variable is set, but is the empty string.

Worse, the OpenSSL error message is misleading because the certificate
is not present rather than "too long."

This patch fixes the problem by explicitly checking if the data is empty
or nil.

@jeffmccune jeffmccune merged commit 6d917aa into puppetlabs:3.0.x Oct 11, 2012
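
The edge case described in the pull request, as an added Ruby example that is not the project's code: an empty `SSL_CLIENT_CERT` makes an unguarded parse raise, while a nil-or-empty check treats the client as anonymous. The helper names, the `:malformed` outcome and the self-signed sample certificate are assumptions constructed for illustration.

```ruby
require 'openssl'

# Unguarded parse: hands the raw variable straight to OpenSSL. The exact
# error wording depends on the OpenSSL version (the page saw "header too long").
def parse_unguarded(env)
  OpenSSL::X509::Certificate.new(env['SSL_CLIENT_CERT'])
end

# Guarded parse (hypothetical helper): nil or "" means no certificate was sent.
def client_cert_from_env(env)
  pem = env['SSL_CLIENT_CERT']
  return nil if pem.nil? || pem.empty?
  OpenSSL::X509::Certificate.new(pem)
end

# Classify the request; malformed data is reported separately (an addition
# beyond the page) so it is never mistaken for a valid or an absent cert.
def classify_client(env)
  cert = client_cert_from_env(env)
  cert ? [:certificate, cert.subject.to_s] : [:anonymous, nil]
rescue OpenSSL::X509::CertificateError => e
  [:malformed, e.message]
end

# Constructed self-signed certificate used only as sample input.
def constructed_cert_pem
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=agent.example.test')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  begin
    parse_unguarded('SSL_CLIENT_CERT' => '')
  rescue OpenSSL::X509::CertificateError => e
    puts "unguarded, empty variable: #{e.class}: #{e.message}"
  end
  p classify_client('SSL_CLIENT_CERT' => '')
  p classify_client({})
  p classify_client('SSL_CLIENT_CERT' => constructed_cert_pem)
  p classify_client('SSL_CLIENT_CERT' => 'not a certificate')
end
```
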
@lsgrep
lsgrep commented May 9, 2013

@jeffmccune
Hi Jeff, is there any workaround for this issue?
Updating is not a viable option for me for now.

@jeffmccune
Contributor Author

You could run Apache with the +ExportCertData removed. This will mean you won't be warned as certificates near their expiration date, but everything else should operate normally.

@jeffmccune jeffmccune deleted the fix/3.0.x/16769_export_cert_data_too_long branch May 9, 2013 03:47
@lsgrep
lsgrep commented May 9, 2013

Thanks for the reply.
I am a newbie.
There is no Apache module configured. I am having this problem while trying to set up Puppet in my Red Hat 5 hosts.

@jeffmccune
Contributor Author

On Wed, May 8, 2013 at 8:52 PM, xperian notifications@github.com wrote:

> Thanks for the reply.
> I am a newbie.
> There is no Apache module configured. I am having this problem while
> trying to set up Puppet in my Red Hat 5 hosts.

Ah, I understand. If you need some documentation on setting up Puppet with
Apache, I recommend downloading a copy of Puppet Enterprise. It's free up
to 10 nodes, and a great way to get started quickly. You could refer to it
to see how Apache is configured if you decide it's not a good fit for you.
There are also detailed instructions on how to set up Puppet with Apache on
EL5 systems in the Pro Puppet book. Finally, there are some reference
notes in the ext/ directory of the source on GitHub. Check out the
config.ru file.

Hope this helps,
-Jeff
