I am following steps in 'Pro Puppet' book to set up load balancing for puppetmaster. I am using passenger 3.0.11.9, ruby 1.8.7, puppet 2.7.12. While things were fine when it was a single-node configuration, after following the steps from 'Pro Puppet' book, I got the following error when running puppet agent -t:

    err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: Error 403 on SERVER: Forbidden request: client_hostname(client_ip_address) access to /certificate_revocation_list/ca [find] at line 99
    err: /File[/var/lib/puppet/lib]: Could not evaluate: Error 403 on SERVER: Forbidden request: client_hostname(client_ip_address) access to /file_metadata/plugins [find] at line 99 Could not retrieve file metadata for puppet://puppetmaster_fqdn/plugins: Error 403 on SERVER: Forbidden request: client_hostname(client_ip_address) access to /file_metadata/plugins [find] at line 99
    ...
    err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: Error 403 on SERVER: Forbidden request: client_hostname(client_ip_address) access to /certificate_revocation_list/ca [find] at line 99
    err: /File[/var/lib/puppet/lib]: Could not evaluate: Error 403 on SERVER: Forbidden request: client_hostname(client_ip_address) access to /file_metadata/plugins [find] at line 99 Could not retrieve file metadata for puppet://lx-chcms01.citadelgroup.com/plugins: Error 403 on SERVER: Forbidden request: client_hostname(client_ip_address) access to /file_metadata/plugins [find] at line 99

Are there any other steps I could have missed?

Thanks,
Hai

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Tue, Mar 13, 2012 at 10:30 PM, hai wu <haiwu.us@gmail.com> wrote:
> I am following steps in 'Pro Puppet' book to set up load balancing for
> puppetmaster. I am using passenger 3.0.11.9, ruby 1.8.7, puppet 2.7.12.
> While things were fine when it was a single-node configuration, after following
> the steps from 'Pro Puppet' book, I got the following error when running
> puppet agent -t:
>
> err: /File[/var/lib/puppet/lib]: Failed to generate additional resources
> using 'eval_generate: Error 403 on SERVER: Forbidden request:
> client_hostname(client_ip_address) access to /certificate_revocation_list/ca
> [find] at line 99
> err: /File[/var/lib/puppet/lib]: Could not evaluate: Error 403 on SERVER:
> Forbidden request: client_hostname(client_ip_address) access to
> /file_metadata/plugins [find] at line 99 Could not retrieve file metadata
> for puppet://puppetmaster_fqdn/plugins: Error 403 on SERVER: Forbidden
> request: client_hostname(client_ip_address) access to
> /file_metadata/plugins [find] at line 99

Hello,

This error is almost always a certificate trust issue. I suggest verifying the CA certificate used by your load balancer to verify client certificates is the same certificate used to sign the client certificates. I also recommend making sure the load balancer is properly setting the HTTP request headers that the back end Puppet masters are expecting.

These headers are configurable using these two configuration settings on each master:

    # The header containing the status
    # message of the client verification. Only used with Mongrel.
    # This header must be set by the proxy
    # to 'SUCCESS' if the client successfully authenticated, and anything else otherwise.
    # See http://projects.puppetlabs.com/projects/puppet/wiki/Using_Mongrel for more information.
    # The default value is 'HTTP_X_CLIENT_VERIFY'.
    ssl_client_verify_header = HTTP_X_CLIENT_VERIFY

    # The header containing an authenticated
    # client's SSL DN. Only used with Mongrel. This header must be set by the proxy
    # to the authenticated client's SSL DN (e.g., `/CN=puppet.puppetlabs.com`).
    # See http://projects.puppetlabs.com/projects/puppet/wiki/Using_Mongrel for more information.
    # The default value is 'HTTP_X_CLIENT_DN'.
    ssl_client_header = HTTP_X_CLIENT_DN

Hope this helps,

-Jeff
Thanks a lot Jeff!!!

In puppet.conf, after changing from:

    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY

to:

    ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
    ssl_client_header = HTTP_X_CLIENT_DN

things are working fine. I am not sure why this is the case, as this URL, http://projects.puppetlabs.com/projects/puppet/wiki/Using_Passenger, mentions that if using passenger, we need to set the headers as:

    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY

Maybe in this case, using mod_proxy, it needs to be different?

Thanks,
Hai

On Wed, Mar 14, 2012 at 2:02 PM, Jeff McCune <jeff@puppetlabs.com> wrote:
> This error is almost always a certificate trust issue. I suggest
> verifying the CA certificate used by your load balancer to verify
> client certificates is the same certificate used to sign the client
> certificates. I also recommend making sure the load balancer is
> properly setting the HTTP request headers that the back end Puppet
> masters are expecting.
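Editor's note on the two header-name sets in this thread, with an added Ruby illustration that is not part of the thread and not Puppet's own code. The difference Hai asks about comes from how the back end receives the client-certificate result. In the single-node layout, mod_ssl does the handshake on the same host and exports its variables into the application environment under their own names, so the master reads SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN, which is what the Using_Passenger wiki assumes. In the load-balanced layout, the front end terminates TLS and copies the result into ordinary request headers (an Apache front end typically uses mod_headers with RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e and RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e; the exact header names are an assumption here). A request header named X-Client-DN arrives in a CGI/Rack environment as HTTP_X_CLIENT_DN (upper-cased, dashes to underscores, HTTP_ prefix), which is why the back ends must be told to look at HTTP_X_CLIENT_VERIFY and HTTP_X_CLIENT_DN. When the master is configured for one set and the request carries the other, the request counts as unauthenticated and the master refuses protected paths such as /file_metadata/plugins with the 403 seen above. The code below models that contract and the one security check the layout needs: the back end cannot distinguish a header written by the proxy from one sent by anyone who can reach it directly, so the headers must only be accepted from the proxy's address. All DNs, addresses and function names are constructed for the example.

```ruby
# Added illustration, not Puppet's own code: how a back-end puppet master
# decides whether a request is client-authenticated once TLS is terminated
# in front of it, driven by the two puppet.conf settings from the thread.

# The two header-name sets that appear in the thread.
HEADERS_BEHIND_PROXY = {
  ssl_client_verify_header: 'HTTP_X_CLIENT_VERIFY',
  ssl_client_header:        'HTTP_X_CLIENT_DN',
}.freeze

HEADERS_LOCAL_MOD_SSL = {
  ssl_client_verify_header: 'SSL_CLIENT_VERIFY',
  ssl_client_header:        'SSL_CLIENT_S_DN',
}.freeze

# A request header the proxy sets ("X-Client-DN") reaches a CGI/Rack
# application as HTTP_X_CLIENT_DN: upper-cased, dashes to underscores,
# HTTP_ prefix. mod_ssl's own variables (SSL_CLIENT_S_DN) are exported
# under their own names with no prefix.
def header_to_env_key(header_name)
  'HTTP_' + header_name.upcase.tr('-', '_')
end

# Env a back end sees when a TLS-terminating proxy copies the handshake
# result and client DN into request headers. Constructed, not captured;
# the header names X-Client-Verify / X-Client-DN are this example's
# assumption about what the front end sets.
def env_from_proxy(verify_result, client_dn, remote_addr = '10.0.0.5')
  {
    header_to_env_key('X-Client-Verify') => verify_result,
    header_to_env_key('X-Client-DN')     => client_dn,
    'REMOTE_ADDR' => remote_addr,
  }
end

# Env in the single-node layout, where mod_ssl on the same host did the
# handshake and exported its variables directly. Constructed.
def env_from_local_mod_ssl(verify_result, client_dn, remote_addr = '192.0.2.10')
  {
    'SSL_CLIENT_VERIFY' => verify_result,
    'SSL_CLIENT_S_DN'   => client_dn,
    'REMOTE_ADDR'       => remote_addr,
  }
end

# The contract Jeff describes: the verify header must be exactly "SUCCESS",
# and the node name is the CN of the DN header. Accepts the OpenSSL one-line
# form (/CN=host) and the comma-separated RFC 2253 form (CN=host,...).
# Returns { authenticated: true/false, node: String or nil }.
def classify_request(env, settings)
  verified = env[settings[:ssl_client_verify_header]] == 'SUCCESS'
  node = nil
  if verified && (dn = env[settings[:ssl_client_header]])
    m = dn.match(/CN\s*=\s*([^\/,]+)/)
    node = m[1].strip if m
  end
  { authenticated: verified && !node.nil?, node: node }
end

# Why the agent saw a 403: a request that does not carry the configured
# headers counts as unauthenticated and is refused on paths that require
# authentication. The message shape mirrors the agent output in the thread;
# the real master consults auth.conf for the per-path decision.
def authorize(env, settings, path, method = 'find')
  result = classify_request(env, settings)
  return :allowed if result[:authenticated]
  "Error 403 on SERVER: Forbidden request: #{result[:node] || 'unknown'}" \
    "(#{env['REMOTE_ADDR']}) access to #{path} [#{method}]"
end

# Caveat for the load-balanced layout: the back end cannot tell a header
# written by the proxy from one sent by any client that reaches it directly,
# so whoever bypasses the proxy can assert an arbitrary CN. Accept the
# headers only from the proxy's address(es) and firewall everything else.
def classify_request_from_proxy(env, settings, proxy_addrs)
  return { authenticated: false, node: nil } unless proxy_addrs.include?(env['REMOTE_ADDR'])
  classify_request(env, settings)
end

if __FILE__ == $0
  dn = '/CN=agent01.example.com'                      # constructed client DN
  proxied = env_from_proxy('SUCCESS', dn)
  p classify_request(proxied, HEADERS_BEHIND_PROXY)   # authenticated, node agent01.example.com
  p classify_request(proxied, HEADERS_LOCAL_MOD_SSL)  # not authenticated: the mismatch in the thread
  puts authorize(proxied, HEADERS_LOCAL_MOD_SSL, '/file_metadata/plugins')
  # A direct connection forging the headers, rejected by the source check:
  p classify_request_from_proxy(env_from_proxy('SUCCESS', dn, '198.51.100.7'),
                                HEADERS_BEHIND_PROXY, ['10.0.0.5'])
end
```

Running the script with the proxy-style env against HEADERS_LOCAL_MOD_SSL reproduces the failure mode of the thread (unauthenticated, hence a 403 on /file_metadata/plugins), and against HEADERS_BEHIND_PROXY it authenticates agent01.example.com. The last call shows why the source check matters: the same forged headers from a non-proxy address are not honoured.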