(#16769) Fix header too long error with ExportCertData #1222
Without this patch new Puppet agent nodes who do not yet have a signed
certificate will receive this error message when Apache is configured
with the +ExportCertData option.
Error: Could not request certificate: Error 400 on SERVER: header too long
Exiting; failed to retrieve certificate and waitforcert is disabled
This is a problem because Puppet doesn't run at all.
The root cause is that we didn't take into account the edge case where a
Puppet agent is operating as an anonymous SSL client without a signed
certificate. In this situation, the SSL_CLIENT_CERT environment
variable is set, but is the empty string.
Worse, the OpenSSL error message is misleading because the certificate
is not present rather than "too long."
This patch fixes the problem by explicitly checking if the data is empty
or nil.
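The edge case described above, as an added Ruby example that is not the code from this pull request: the helper names and the `agent.example.test` subject are hypothetical, and the certificate is a constructed throwaway generated inline.

```ruby
require 'openssl'

# Hypothetical helper: return the client certificate Apache exported in
# SSL_CLIENT_CERT, or nil when the agent connected without one.
def client_cert_from_env(env)
  pem = env['SSL_CLIENT_CERT']
  # An anonymous SSL client leaves the variable set but empty, so an
  # unset (nil) and an empty value both mean "no certificate presented".
  return nil if pem.nil? || pem.empty?
  OpenSSL::X509::Certificate.new(pem)
end

# What an unguarded parse of the raw value does: returns the exception
# OpenSSL raises, or nil if the value parsed.
def unguarded_parse_error(pem)
  OpenSSL::X509::Certificate.new(pem)
  nil
rescue OpenSSL::X509::CertificateError => e
  e
end

# Constructed sample input: a throwaway self-signed certificate in PEM form,
# standing in for what +ExportCertData exports for an agent that has one.
def constructed_client_cert_pem
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=agent.example.test')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  err = unguarded_parse_error('')
  puts "unguarded parse of empty value: #{err.class}: #{err.message}"
  puts "guarded, empty value: #{client_cert_from_env('SSL_CLIENT_CERT' => '').inspect}"
  cert = client_cert_from_env('SSL_CLIENT_CERT' => constructed_client_cert_pem)
  puts "guarded, certificate present: #{cert.subject}"
end
```

The text of the exception raised for an empty value differs between OpenSSL versions, so the guard tests the value itself rather than matching on the message.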
@jeffmccune
You could run Apache with the
Thanks for the reply.
On Wed, May 8, 2013 at 8:52 PM, xperian notifications@github.com wrote:
Hope this helps,