I can't generate the certificate for use with puppet-dashboard. The dashboard runs on the same host as the puppet master, both running under apache/passenger. The servername is "mon1", but "puppet" and "dashboard" are aliases for this server, and that is what the various nodes use.
Versions:
puppet --version
3.2.0-rc1
puppet-dashboard:
1.2.23
The puppet name itself resolves:
$ curl -k https://puppet:8140
can't convert nil into String
This is my configuration, and below is the error:
# config/settings.yml
cn_name: 'dashboard'
ca_crl_path: 'certs/dashboard.ca_crl.pem'
ca_certificate_path: 'certs/dashboard.ca_cert.pem'
certificate_path: 'certs/dashboard.cert.pem'
private_key_path: 'certs/dashboard.private_key.pem'
public_key_path: 'certs/dashboard.public_key.pem'
ca_server: 'puppet'
ca_port: 8140
# auth.conf
path /facts
auth any
method find, search
allow *
path /inventory
auth any
method find, search
allow *
And the error:
[root@mon1 puppet-dashboard]# sudo -u puppet-dashboard rake cert:create_key_pair
DEPRECATION WARNING: Rake tasks in vendor/plugins/delayed_job/tasks are deprecated. Use lib/tasks instead. (called from /usr/share/puppet-dashboard/vendor/rails/railties/lib/tasks/rails.rb:10)
[root@mon1 puppet-dashboard]# sudo -u puppet-dashboard rake cert:request --trace
DEPRECATION WARNING: Rake tasks in vendor/plugins/delayed_job/tasks are deprecated. Use lib/tasks instead. (called from /usr/share/puppet-dashboard/vendor/rails/railties/lib/tasks/rails.rb:10)
** Invoke cert:request (first_time)
** Invoke environment (first_time)
** Execute environment
** Execute cert:request
rake aborted!
400 ""
/usr/lib/ruby/1.8/net/http.rb:2105:in 'error!'
/usr/share/puppet-dashboard/lib/puppet_https.rb:27:in 'put'
/usr/share/puppet-dashboard/lib/tasks/install.rake:50
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:246:in 'call'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:246:in 'execute'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:241:in 'each'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:241:in 'execute'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:184:in 'invoke_with_call_chain'
/usr/lib/ruby/1.8/monitor.rb:242:in 'synchronize'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:177:in 'invoke_with_call_chain'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/task.rb:170:in 'invoke'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:143:in 'invoke_task'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:101:in 'top_level'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:101:in 'each'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:101:in 'top_level'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:110:in 'run_with_threads'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:95:in 'top_level'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:73:in 'run'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:160:in 'standard_exception_handling'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/lib/rake/application.rb:70:in 'run'
/usr/lib/ruby/gems/1.8/gems/rake-10.0.4/bin/rake:33
/usr/bin/rake:19:in 'load'
/usr/bin/rake:19
Tasks: TOP => cert:request
Edit:
It looks like something is wrong with my apache vhost. Queries to the inventory service work when running the puppet master as a daemon or locally, but not when it is hosted by apache. Below is my vhost:
Listen 8140
<VirtualHost *:8140>
SSLEngine On
# Only allow high security cryptography. Alter if needed for compatibility.
SSLProtocol All -SSLv2
SSLCipherSuite HIGH:!ADH:RC4+RSA:-MEDIUM:-LOW:-EXP
SSLCertificateFile /var/lib/puppet/ssl/certs/mon1.domain.com.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/mon1.domain.com.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars +ExportCertData
# These request headers are used to pass the client certificate
# authentication information on to the puppet master process
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
<Directory /usr/share/puppet/rack/puppetmasterd/>
Options None
AllowOverride None
Order Allow,Deny
Allow from All
</Directory>
</VirtualHost>
The Passenger-related tuning settings are in a different vhost, but I don't believe they are relevant. Could this have something to do with the certificate name being "mon1.domain.com" instead of "puppet.domain.com"?
This is a sample from the access_log:
# curl -k -H "Accept: yaml" https://puppet:8140/production/facts/my.node.com
<LOCALIP> - - [09/May/2013:16:52:40 +1000] "GET /production/facts/my.node.com HTTP/1.1" 400 29 "-" "curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.14.0.0 zlib/1.2.3 libidn/1.18 libssh2/1.4.2"
# some node making a request
<REMOTEIP> - - [09/May/2013:16:52:53 +1000] "GET /production/node/some.other.node? HTTP/1.1" 200 3291 "-" "Ruby"
Note that I am trying to use curl from the local machine to query the facts and the nodes, but that is not working. This is the same thing puppet-dashboard is trying to do.
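Added example, not part of the question above and not code from Puppet Dashboard: a small Ruby script that answers the question raised in the edit, whether a master certificate issued for "mon1.domain.com" would be accepted by a client that connects to the aliases "puppet" or "dashboard". It builds throwaway self-signed certificates in-process (constructed for the example; they are not the real master certificate) and runs them through Ruby's stdlib OpenSSL::SSL.verify_certificate_identity, which is the RFC 6125 identity check a verifying TLS client performs. fetch_server_cert is a hypothetical diagnostic helper for pulling the certificate a live server presents; it is not exercised here.

```ruby
require 'openssl'
require 'socket'

# Build a throwaway self-signed certificate with the given CN and optional
# DNS SANs. Constructed for this example only; it is not the puppet master's
# real certificate.
def make_cert(cn, sans = [])
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                 # X509v3, required for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  unless sans.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    alt = sans.map { |s| "DNS:#{s}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', alt))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Return the subset of hostnames the certificate is valid for, using the same
# identity check a verifying TLS client performs (SANs first; the CN is only
# consulted when the certificate carries no DNS SAN at all).
def matching_hostnames(cert, hostnames)
  hostnames.select { |h| OpenSSL::SSL.verify_certificate_identity(cert, h) }
end

# Hypothetical diagnostic helper (not run below): fetch the certificate the
# live server presents without verifying it (the equivalent of curl -k), so
# it can be handed to matching_hostnames.
def fetch_server_cert(host, port = 8140)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  tcp = TCPSocket.new(host, port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = host               # send SNI, in case vhost selection depends on it
  ssl.connect
  cert = ssl.peer_cert
  ssl.close
  cert
end

if $PROGRAM_NAME == __FILE__
  names    = %w[mon1.domain.com puppet dashboard]
  cn_only  = make_cert('mon1.domain.com')
  with_san = make_cert('mon1.domain.com', names)
  puts "CN only:   #{matching_hostnames(cn_only, names).inspect}"
  puts "CN + SANs: #{matching_hostnames(with_san, names).inspect}"
end
```

With only CN=mon1.domain.com the certificate matches nothing but that exact name, so a client that verifies the peer while connecting to "puppet" will refuse it; once a DNS SAN is present the CN is ignored entirely, so every alias the nodes use has to appear in the SAN list. In Puppet that list comes from the master's dns_alt_names setting at the time its certificate is generated (a standard Puppet setting, mentioned here as background rather than something the question shows).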