Jason Amato
2010-Apr-29 17:08 UTC
[Puppet Users] clients stopped retrieving catalog - error 403 forbidden request - possible corruption?
All 150, except two, clients have suddenly stopped retrieving catalogs from the master. Something happened last night, no changes were made. I have been running everything for many months now.

Maybe something with the certificates? I can I sync the certs from the master back to the clients? Something appears to have gotten corrupted.

Thanks in advance!

----

All clients (0.25.1) produce this error:

Apr 29 10:00:34 server1 puppetd[31455]: Starting Puppet client version 0.25.1
Apr 29 10:00:35 server1 puppetd[31455]: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: server02(129.228.244.162) access to /catalog/server1 [find] authenticated at line 0
Apr 29 10:00:35 server1 puppetd[31455]: Using cached catalog
Apr 29 10:00:35 server1 puppetd[31455]: Could not retrieve catalog; skipping run

on the master (0.25.1):

Apr 29 13:03:14 masterserver puppetmasterd[3910]: Forbidden request: server02.cbs.net(10.97.2.16) access to /catalog/server1 [find] authenticated at line 0
Apr 29 13:03:50 masterserver puppetmasterd[3910]: Denying access: Forbidden request: server02.cbs.net(10.29.50.78) access to /catalog/server1 [find] authenticated at line 0
Michael DeHaan
2010-Apr-30 00:38 UTC
Re: [Puppet Users] clients stopped retrieving catalog - error 403 forbidden request - possible corruption?
On Thu, Apr 29, 2010 at 1:08 PM, Jason Amato <amato_jason@yahoo.com> wrote:
> All 150, except two, clients have suddenly stopped retrieving
> catalogs from the master. Something happened last night, no changes
> were made. I have been running everything for many months now.
>
> Maybe something with the certificates? I can I sync the certs from
> the master back to the clients?

Did you mean to say "can I?". I'd want to know if that was the root problem first... it might not be.

Have you tried restarting the puppetmaster and/or clients to see what happens? Anything interesting in the logs?
Jason Amato
2010-May-03 21:04 UTC
[Puppet Users] Re: clients stopped retrieving catalog - error 403 forbidden request - possible corruption?
...and the answer is...

http://groups.google.com/group/puppet-dev/msg/b15e1c93bbc70fdb

This reverts commit c702f76b271515e9c42dcb923d379fbfac4c83cd and turns it into a documentation only fix. As it turns out, ENV should have never been used at all, as the Rack docs say nothing about it *and* Passenger's behaviour in 2.2.3 + 2.2.4 was completely broken and still is half-way broken in 2.2.5 (but is OK with the Rack specs).

--- ext/rack/README | 4 ++-- lib/puppet/network/http/rack/httphandler.rb | 18 ------------------ lib/puppet/network/http/rack/rest.rb | 8 ++++---- lib/puppet/network/http/rack/xmlrpc.rb | 8 ++++---- 4 files changed, 10 insertions(+), 28 deletions(-) diff --git a/ext/rack/README b/ext/rack/README index 3bdcca5..d05d402 100644 --- a/ext/rack/README +++ b/ext/rack/README @@ -43,7 +43,7 @@ Make sure puppetmasterd ran at least once, so the CA & SSL certificates got set up. Requirements: - Passenger version 2.2.2 or newer*** + Passenger version 2.2.2 or 2.2.5 or newer*** Rack version 1.0.0 Apache 2.x SSL Module loaded @@ -68,6 +68,6 @@ config.ru. Therefore, config.ru shall be owned by the puppet user. *** Important note about Passenger versions: 2.2.2 is known to work. 2.2.3-2.2.4 are known to *NOT* work. - 2.2.5 (when it is released) is expected to work properly again. + 2.2.5 works again when used with Puppet 0.25.2+. Passenger installation doc: http://www.modrails.com/install.html diff --git a/lib/puppet/network/http/rack/httphandler.rb b/lib/puppet/ network/http/rack/httphandler.rb index 31aa837..e142068 100644 --- a/lib/puppet/network/http/rack/httphandler.rb +++ b/lib/puppet/network/http/rack/httphandler.rb 
@@ -12,23 +12,5 @@ class Puppet::Network::HTTP::RackHttpHandler raise NotImplementedError, "Your RackHttpHandler subclass is supposed to override service(request)" end - def ssl_client_header(request) - env_or_request_env(Puppet[:ssl_client_header], request) - end - - def ssl_client_verify_header(request) - env_or_request_env(Puppet[:ssl_client_verify_header], request) - end - - # Older Passenger versions passed all Environment vars in app(env), - # but since 2.2.3 they (some?) are really in ENV. - # Mongrel, etc. may also still use request.env. - def env_or_request_env(var, request) - if ENV.include?(var) - ENV[var] - else - request.env[var] - end - end end diff --git a/lib/puppet/network/http/rack/rest.rb b/lib/puppet/network/ http/rack/rest.rb index bdca651..1047512 100644 --- a/lib/puppet/network/http/rack/rest.rb +++ b/lib/puppet/network/http/rack/rest.rb @@ -63,11 +63,11 @@ class Puppet::Network::HTTP::RackREST < Puppet::Network::HTTP::RackHttpHandler result[:ip] = request.ip # if we find SSL info in the headers, use them to get a hostname. - # try this with :ssl_client_header. - # For Apache you need special configuration, see ext/rack/ README. - if dn = ssl_client_header(request) and dn_matchdata dn.match(/^.*?CN\s*=\s*(.*)/) + # try this with :ssl_client_header, which defaults should work for + # Apache with StdEnvVars. + if dn = request.env[Puppet[:ssl_client_header]] and dn_matchdata = dn.match(/^.*?CN\s*=\s*(.*)/) result[:node] = dn_matchdata[1].to_str - result[:authenticated] (ssl_client_verify_header(request) == ''SUCCESS'') + result[:authenticated] (request.env[Puppet[:ssl_client_verify_header]] == ''SUCCESS'') else result[:node] = resolve_node(result) result[:authenticated] = false diff --git a/lib/puppet/network/http/rack/xmlrpc.rb b/lib/puppet/ network/http/rack/xmlrpc.rb index 9d0f486..4fc9e82 100644 --- a/lib/puppet/network/http/rack/xmlrpc.rb +++ b/lib/puppet/network/http/rack/xmlrpc.rb 
@@ -43,11 +43,11 @@ class Puppet::Network::HTTP::RackXMLRPC < Puppet::Network::HTTP::RackHttpHandler ip = request.ip # if we find SSL info in the headers, use them to get a hostname. - # try this with :ssl_client_header. - # For Apache you need special configuration, see ext/rack/ README. - if dn = ssl_client_header(request) and dn_matchdata dn.match(/^.*?CN\s*=\s*(.*)/) + # try this with :ssl_client_header, which defaults should work for + # Apache with StdEnvVars. + if dn = request.env[Puppet[:ssl_client_header]] and dn_matchdata = dn.match(/^.*?CN\s*=\s*(.*)/) node = dn_matchdata[1].to_str - authenticated = (ssl_client_verify_header(request) =''SUCCESS'') + authenticated (request.env[Puppet[:ssl_client_verify_header]] == ''SUCCESS'') else begin node = Resolv.getname(ip) -- 1.5.6.5
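Review bot: In the ext/rack/README Requirements hunk, "Passenger version 2.2.2 or 2.2.5 or newer" is ambiguous (it can be read as "2.2.2 or newer") and leaves out the condition the footnote hunk adds, that 2.2.5 only works with Puppet 0.25.2+. Suggest wording such as "Passenger 2.2.2, or 2.2.5 and newer (with Puppet 0.25.2+)***" so a reader who stops at the Requirements list does not end up on a combination the footnote rules out.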
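Review bot: In the rest.rb hunk, result[:node] is taken from the CN in request.env[Puppet[:ssl_client_header]] before the verify value is consulted, so a request whose verify value is not SUCCESS still gets a certificate-derived node name alongside authenticated = false. Suggest testing request.env[Puppet[:ssl_client_verify_header]] first and falling back to resolve_node(result) unless it equals SUCCESS, or at least commenting that callers must gate on result[:authenticated]. The rewritten comment also drops the pointer to ext/rack/README; since the whole decision rests on the front end populating these two request.env keys, the pointer to the required Apache configuration is worth keeping. Separately, the pattern /^.*?CN\s*=\s*(.*)/ captures everything after the first "CN=" to the end of the string, which deserves a comment on the DN format it expects.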
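Review bot: The xmlrpc.rb hunk repeats the same request.env[Puppet[:ssl_client_header]] and request.env[Puppet[:ssl_client_verify_header]] lookups that the rest.rb hunk adds, because the httphandler.rb hunk deletes ssl_client_header and ssl_client_verify_header outright instead of reducing them. Suggest keeping those two methods in RackHttpHandler as one-line wrappers over request.env and removing only env_or_request_env with its ENV branch, so the two handlers cannot drift apart on how a client is judged authenticated.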