Using Apache to provide the puppetmaster authentication service on Ubuntu 12.04

Prerequisites:

aptitude -y install puppet augeas-tools

aptitude -y install puppetmaster sqlite3 libsqlite3-ruby libactiverecord-ruby git rake

The puppetmaster side is already installed.

1. Install the software

apt-get install apache2 libapache2-mod-passenger rails librack-ruby libmysql-ruby
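2. A certificate has to be generated once first. For example, my hostname is server.
Start puppetmaster first, then run puppet agent -vt to connect to the server. If everything goes well, these two files are created:
/var/lib/puppet/ssl/certs/server.pem
/var/lib/puppet/ssl/private_keys/server.pem
They are needed when configuring Apache authentication.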
3. vim /etc/apache2/conf.d/puppet.conf
with the following content:
Listen 8140
<VirtualHost *:8140>

        SSLEngine on
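        # Note: this cipher string selects SSLv2 and RC4 suites, which are weak; tighten it where agent compatibility permits.
        SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA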
        SSLCertificateFile      /var/lib/puppet/ssl/certs/server.pem
        SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/server.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
        SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
        # CRL checking should be enabled; if you have problems with Apache complaining about the CRL, disable the next line
#       SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
        SSLVerifyClient optional
        SSLVerifyDepth  1
        SSLOptions +StdEnvVars

        # The following client headers allow the same configuration to work with Pound.
        RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

        RackAutoDetect On
        DocumentRoot /etc/puppet/rack/public/
        <Directory /etc/puppet/rack>
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>
In this file, the two lines
SSLCertificateFile
SSLCertificateKeyFile
must be changed to match the name of your own puppetmaster certificate.
4. Debian and Ubuntu have these enabled by default, but if you need to, this is how you enable them:
a2enmod ssl
a2enmod headers
If these two steps are skipped, Apache may fail to find the SSL module.
5. vim /etc/default/puppetmaster
Change START=yes to no
6. Create the rack folder under /etc/puppet
mkdir -p rack/{tmp,public}
and create the config.ru file
with the following content:
# a config.ru, for use with every rack-compatible webserver.
# SSL needs to be handled outside this, though.

# if puppet is not in your RUBYLIB:
# $:.unshift('/opt/puppet/lib')
$0 = "master"

# if you want debugging:
#ARGV << "--debug"

ARGV << "--rack"
require 'puppet/application/master'
# we're usually running inside a Rack::Builder.new {} block,
# therefore we need to call run *here*.
run Puppet::Application[:master].run

The rack folder structure is as follows:
root@server:/etc/puppet/rack# ls
config.ru  public  tmp
chown -R puppet:puppet /etc/puppet/rack
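7. At this point port 8140 may still be held by the running puppetmaster. Kill that process and restart Apache. If Apache reports no errors, run puppet agent -vt to check that it works.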
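
Before restarting Apache in step 7, the vhost from step 3 can be checked for its security-relevant settings. The script below is an added example, not part of the original post or of Puppet: the function names (directive_args, audit_vhost, sample_vhost) and the finding labels are made up for illustration, and the sample input is constructed from the directives shown in step 3.

```shell
#!/bin/sh
# Added example: static audit of the Puppet vhost written in step 3.
# Prints one finding per line and nothing when every check passes.

# Arguments of the active (uncommented) directive $2 in file $1.
directive_args() {
    awk -v d="$2" 'tolower($1) == tolower(d) { $1 = ""; sub(/^ +/, ""); print }' "$1"
}

audit_vhost() {
    conf=$1
    # 1. Cipher tokens that add SSLv2, RC4, export, low-strength or NULL suites.
    #    Tokens starting with "!" or "-" remove suites, so they are skipped.
    directive_args "$conf" SSLCipherSuite | tr ':' '\n' | while read -r tok; do
        case $tok in
            '!'*|-*) ;;
            *SSLv2*|*RC4*|*EXP*|*LOW*|*NULL*) echo "WEAK_CIPHER $tok" ;;
        esac
    done
    # 2. Without an active SSLCARevocationFile, revoked agent certs still verify.
    [ -n "$(directive_args "$conf" SSLCARevocationFile)" ] || echo "NO_CRL"
    # 3. Apache itself must set the headers that carry the verification result.
    for h in X-Client-DN X-Client-Verify; do
        directive_args "$conf" RequestHeader | grep -qi "^set $h " ||
            echo "HEADER_NOT_SET $h"
    done
}

# Constructed sample: the security-relevant directives from step 3.
sample_vhost() {
    cat <<'EOF'
        SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
#       SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
        RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
        RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
EOF
}

# Audit the file named in $1, or the sample when run without arguments.
if [ -n "${1:-}" ]; then
    audit_vhost "$1"
else
    tmp=$(mktemp); sample_vhost > "$tmp"; audit_vhost "$tmp"; rm -f "$tmp"
fi
```

Run it with /etc/apache2/conf.d/puppet.conf as the argument to audit the real file; on the configuration from step 3 it reports the two cipher tokens and the disabled CRL line.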

Reference: http://projects.puppetlabs.com/projects/1/wiki/using_passenger
If anything here is wrong, corrections from readers are welcome.
