After deploying puppetmaster behind Apache, I ran into a small problem: clients that had already been verified could be managed by puppetmaster, but clients that had not yet been verified kept requesting verification. Annoying. I Googled it and found that the results needed a proxy to get past the firewall anyway. Heh. In the end I calmed down and read the official documentation, http://projects.reductivelabs.com/projects/puppet/wiki/Using_Mongrel, and the key part is this section:

Client certificate verification


With the apache option:

SSLVerifyClient optional|require

you control how Apache will check the client certificate. You can either set the different certificate request path to not require verification, or disable it (unless you have another CA server or another way of distributing the certificates). So: by enabling require, you basically say – the client is already supposed to have a certificate that I could verify. If the certificate is not signed in puppetmaster you will get the error:

err: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert handshake failure

"optional" will simulate the behaviour of a default standalone puppetmaster (without apache).


In other words, in Apache the client verification mode (SSLVerifyClient) should be set to optional; that makes Apache verify clients the same way a default standalone puppetmaster does: a not-yet-signed client can still complete the TLS handshake to submit its certificate request, while a client presenting a certificate still has it checked against the Puppet CA.
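The vhost fragment below is an added example of what that looks like in practice; it is not taken from the post or from the Puppet wiki page. The certificate paths under /var/lib/puppet/ssl and the host name puppetmaster.example.com are assumptions for illustration. The point of the example is the two settings of SSLVerifyClient: the commented-out `require` line rejects any client whose certificate the CA has not signed at the handshake (the handshake failure quoted above), whereas `optional` lets the handshake complete and hands the verification result to Puppet in the X-Client-Verify header, so Puppet itself decides whether the request is allowed.

```apache
# Added example, not the original post's configuration.
# Assumed paths: Puppet's default ssldir /var/lib/puppet/ssl.
<VirtualHost *:8140>
    ServerName puppetmaster.example.com   # assumed host name

    SSLEngine on
    SSLCertificateFile      /var/lib/puppet/ssl/certs/puppetmaster.example.com.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/puppetmaster.example.com.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
    # Keep the CRL wired in so revoked agents are rejected even with "optional".
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem

    # "require" makes Apache abort the TLS handshake for any client that
    # cannot present a CA-signed certificate, so a brand-new agent can never
    # reach the certificate-request URL and gets the
    # "sslv3 alert handshake failure" error quoted above.
    # SSLVerifyClient require

    # "optional" lets the handshake complete either way; Apache records
    # whether the client certificate verified (SUCCESS / NONE / FAILED) and
    # Puppet enforces it from the headers set below.
    SSLVerifyClient optional
    SSLVerifyDepth  1

    # Export the SSL_CLIENT_* variables so they can be forwarded as headers.
    SSLOptions +StdEnvVars

    # Headers the puppetmaster reads to learn the client's identity and
    # whether Apache verified it.
    RequestHeader set X-SSL-Subject   %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN     %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    # Proxying to the backend (Mongrel or Passenger) is set up as in the
    # wiki page linked above and is omitted here.
</VirtualHost>
```

With `optional`, "not verified" does not mean "trusted": an agent whose certificate has not been signed only gets far enough to ask the CA for a signature, and X-Client-Verify arrives as NONE rather than SUCCESS, so the master still refuses to serve it a catalog until the certificate is signed.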