Hello Puppet gurus,

I'm trying to set up a Puppet environment on CentOS 6. I got it working using WEBrick, but when I finally got Puppet running through Apache using Passenger, my Puppet node gets this "403 Forbidden" response (full output is attached as node.txt):

    [root@puppetnode-01 ~]# puppetd --waitforcert 30 --server puppetmaster.mydomain.com --debug --verbose --test
    ...
    warning: peer certificate won't be verified in this SSL session
    err: Could not request certificate: Error 403 on SERVER: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>403 Forbidden</title>
    </head><body>
    <h1>Forbidden</h1>
    <p>You don't have permission to access /production/certificate/ca
    on this server.</p>
    <hr>
    <address>Apache/2.2.15 (CentOS) Server at puppetmaster.mydomain.com Port 8140</address>
    </body></html>

At the same time, the httpd logs show this:

    [root@dx-puppetmaster-01 ~]# tail -f /var/log/httpd/*
    ...
    ==> /var/log/httpd/error_log <==
    [Wed May 30 12:46:21 2012] [error] [client 10.230.100.155] (13)Permission denied: access to /production/certificate/ca denied

    ==> /var/log/httpd/access_log <==
    10.230.100.155 - - [30/May/2012:12:46:21 -0400] "GET /production/certificate/ca? HTTP/1.1" 403 325 "-" "-"

The steps I used to install Puppet mostly followed the attached install.sh script (with slight modifications). I've also tried to follow this install guide <http://www.tomhayman.co.uk/linux/install-puppet-passenger-centos-6-part/> to no avail.

Although I have not modified my /etc/httpd/conf/httpd.conf file, I've attached it for reference. I've also attached /etc/httpd/conf.d/passenger.conf and /usr/share/puppet/rack/puppetmasterd/config.ru. config.ru's perms are 600 puppet:root.

Both of these machines are virtualized using Citrix XenServer. Here's some more info on these boxes:

    [root@puppetmaster-01 ~]# cat /etc/redhat-release
    CentOS release 6.2 (Final)

    [root@puppetmaster-01 ~]# uname -a
    Linux puppetmaster-01.datalex.com 2.6.32-220.7.1.el6.x86_64 #1 SMP Wed Mar 7 00:52:02 GMT 2012 x86_64 x86_64 x86_64 GNU/Linux

Any help will be greatly appreciated! :)

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/od2vXGXfQqsJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On 30.05.2012 19:17, Michael Altfield wrote:
> ==> /var/log/httpd/error_log <==
> [Wed May 30 12:46:21 2012] [error] [client 10.230.100.155]
> (13)Permission denied: access to /production/certificate/ca denied

As far as I can tell, your Passenger runs under a different user than the one the CA was created as, and thus fails. This can happen if you test as root with puppetmasterd and then change to the puppet user for production.

IIRC Passenger takes the user to run under from the owner of the config.ru file. It has to match the permissions on the CA store.

Have fun, David
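One way to verify David's diagnosis before changing any permissions, as an added example that is not code from the thread: the function below takes the config.ru and the CA directory from the thread as arguments (those paths are assumptions, adjust them for your layout) and lists every entry in the CA store that the owner of config.ru, i.e. the user Passenger will run the master as, could not read.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): Passenger runs the Puppet master as
# the owner of config.ru, so every file under the CA store must be readable by
# that user. Readability is decided from stat(1) owner/group/mode bits
# (GNU coreutils), so the check can be run by anyone, not only as that user.
# Simplification: supplementary groups and ACLs are ignored.

# Print "user group" of a path.
owner_of() { stat -c '%U %G' "$1"; }

# can_read USER GROUP PATH: succeed if USER (primary group GROUP) may read
# PATH; directories must also be searchable (x bit) to reach their contents.
can_read() {
    user=$1; group=$2; path=$3
    set -- $(stat -c '%U %G %a' "$path")
    fowner=$1; fgroup=$2; mode=$3
    mode=$(printf '%03d' "$mode")      # "0" -> "000"
    mode=${mode#${mode%???}}           # drop a leading setuid/setgid/sticky digit
    if [ "$user" = "$fowner" ]; then
        bits=${mode%??}                 # owner digit
    elif [ "$group" = "$fgroup" ]; then
        bits=${mode#?}; bits=${bits%?}  # group digit
    else
        bits=${mode#??}                 # other digit
    fi
    [ $((bits & 4)) -ne 0 ] || return 1
    [ ! -d "$path" ] || [ $((bits & 1)) -ne 0 ]
}

# check_ca_store CONFIG_RU CA_DIR: print every entry under CA_DIR that the
# owner of CONFIG_RU cannot read. Returns 0 if all are readable, 1 otherwise.
check_ca_store() {
    set -- $(owner_of "$1") "$2"
    puser=$1; pgroup=$2; ca_dir=$3
    rc=0
    for p in $(find "$ca_dir"); do      # assumes paths without whitespace
        if ! can_read "$puser" "$pgroup" "$p"; then
            echo "not readable by $puser: $p"
            rc=1
        fi
    done
    return $rc
}

# Usage on a master laid out as in the thread (assumed paths):
# check_ca_store /usr/share/puppet/rack/puppetmasterd/config.ru /var/lib/puppet/ssl/ca
```

A CA store created while running puppetmasterd as root shows up here as a list of root-owned 0600/0700 entries, which is exactly the mismatch David describes.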
Hi David,

Indeed, I've been generating my certs by running puppetmasterd as root before running apache, as per all the install guides I've read. Which user should I use? The puppet user created by yum has a shell of /sbin/nologin :\

One thing I don't understand is this error message:

> You don't have permission to access /production/certificate/ca on this server.

Where is this "/production/certificate/ca" path coming from? I don't remember setting it up anywhere or writing it into any of the config files..

To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/T6jkGrXAhpMJ.
Update: I did a chmod -R 775 /usr/share/puppet, and now I'm getting an "Error 500 on SERVER" response (full output is attached as node2.txt):

    [root@puppetnode-01 ~]# puppetd --server puppetmaster.mydomain.com --debug --verbose --no-daemonize
    ...
    err: Could not retrieve catalog; skipping run
    debug: Value of 'preferred_serialization_format' (pson) is invalid for report, using default (b64_zlib_yaml)
    debug: report supports formats: b64_zlib_yaml raw yaml; using b64_zlib_yaml
    err: Could not send report: Error 500 on SERVER: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
    <html>
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
    <meta name="generator" content="Phusion Passenger">
    <title>Ruby (Rack) application could not be started</title>
    ...

And here's the log output by apache (full output is attached as master2.txt):

    [root@puppetmaster-01 ~]# tail -f /var/log/httpd/*
    ...
    ==> /var/log/httpd/error_log <==
    [ pid=3661 thr=70137909916080 file=utils.rb:176 time=2012-05-31 17:26:26.053 ]: *** Exception Errno::EACCES in PhusionPassenger::Rack::ApplicationSpawner (Permission denied - /usr/lib/ruby/gems/1.8/specifications/fastthread-1.0.7.gemspec) (process 3661, thread #<Thread:0x7f9482696360>):
    ...
    ==> /var/log/httpd/access_log <==
    10.1.1.2 - - [31/May/2012:17:26:26 -0400] "GET /production/file_metadatas/plugins?checksum_type=md5&ignore=---+%0A++-+.svn%0A++-+CVS%0A++-+.git&links=manage&recurse=true& HTTP/1.1" 500 14180 "-" "-"

    ==> /var/log/httpd/error_log <==
    [ pid=3661 thr=70137909916080 file=utils.rb:176 time=2012-05-31 17:26:26.323 ]: *** Exception Errno::EACCES in PhusionPassenger::Rack::ApplicationSpawner (Permission denied - /usr/lib/ruby/gems/1.8/specifications/fastthread-1.0.7.gemspec) (process 3661, thread #<Thread:0x7f9482696360>):
    ...
    ==> /var/log/httpd/access_log <==
    10.1.1.2 - - [31/May/2012:17:26:26 -0400] "GET /production/file_metadata/plugins? HTTP/1.1" 500 14180 "-" "-"
    ...
    ==> /var/log/httpd/error_log <==
    [ pid=3661 thr=70137909916080 file=utils.rb:176 time=2012-05-31 17:26:28.065 ]: *** Exception Errno::EACCES in PhusionPassenger::Rack::ApplicationSpawner (Permission denied - /usr/lib/ruby/gems/1.8/specifications/fastthread-1.0.7.gemspec) (process 3661, thread #<Thread:0x7f9482696360>):
    ...
    ==> /var/log/httpd/access_log <==
    10.1.1.2 - - [31/May/2012:17:26:28 -0400] "POST /production/catalog/puppetnode-01.mydomain.com HTTP/1.1" 500 14180 "-" "-"

    ==> /var/log/httpd/error_log <==
    [ pid=3661 thr=70137909916080 file=utils.rb:176 time=2012-05-31 17:26:28.380 ]: *** Exception Errno::EACCES in PhusionPassenger::Rack::ApplicationSpawner (Permission denied - /usr/lib/ruby/gems/1.8/specifications/fastthread-1.0.7.gemspec) (process 3661, thread #<Thread:0x7f9482696360>):
    ...
    ==> /var/log/httpd/access_log <==
    10.1.1.2 - - [31/May/2012:17:26:28 -0400] "PUT /production/report/puppetnode-01.mydomain.com HTTP/1.1" 500 14180 "-" "-"

I'm not sure if this is a step forward or backward. Any help would be much appreciated!

To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/fWXquhntL0sJ.
I'm having the same problem, but I never saw a solution in this thread. I've been over the permissions for config.ru and /var/lib/puppet about a 1000 times and can't see any permissions problems.

    -rw-------. 1 puppet puppet 431 Jun 18 00:07 /etc/puppet/rack/config.ru

(I've also tried 700, 770, 777, and 660. I tried changing ownership to apache.apache, puppet.apache, and apache.puppet.)

    $~ ll /var/lib/puppet/
    drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 bucket
    drwxrwx---. 2 puppet puppet 4096 Jun 18 00:09 facts
    drwxrwx---. 2 puppet puppet 4096 Jun 18 00:09 lib
    drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 reports
    drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 rrd
    drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 server_data
    drwxrwx---. 8 puppet puppet 4096 Jun 18 00:09 ssl
    drwxrwx---. 2 puppet puppet 4096 Jun 18 00:09 state
    drwxrwx---. 4 puppet puppet 4096 Jun 18 01:12 yaml

Setenforce is 0.

I even went so far as to use "PassengerUser puppet" and "PassengerGroup puppet" in my vhost, but that didn't help (and has been removed).

Could someone please help me?

Thanks,
Justin

To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/3A-FoU9nGokJ.
jbrown,

Sorry for not posting my solution. I've been working on this install for weeks, and I *did* overcome this error, but I've had to overcome so many errors, I can't recall the exact fix. iirc, the solution might have been installing rubygem-rack through yum as opposed to gems.

In any case, here's the commands I have come up with to successfully install Puppet Master & puppet-dashboard on CentOS 6.2. (Note: this is incomplete: I'm still working on getting the Inventory Service up and running, and this install procedure still needs some hardening). FWIW:

# run this on just the Puppet Master, which should be running CentOS 6

# Generate Entropy for random-seed from Gold Image for Cert Generation
wget -O /var/lib/random-seed http://www.random.org/cgi-bin/randbyte?nbytes=200

# Configure DNS
echo "10.10.10.2 dashboard puppet" >> /etc/hosts
# skip this if DNS is setup properly
echo "10.10.10.3 puppetnode-01 puppetnode-01.mydomain.com" >> /etc/hosts
echo "10.10.10.4 puppetnode-02 puppetnode-02.mydomain.com" >> /etc/hosts
# …

# Add Repository - yum.puppetlabs.com
cat > /etc/yum.repos.d/puppetlabs.repo <<DELIM
[puppetlabs]
name=puppetlabs
enabled=1
baseurl=http://yum.puppetlabs.com/el/6/products/x86_64/
gpgcheck=0
DELIM

# Add Repository - EPEL
rpm -ivh https://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm

# Apply Changes to yum
yum -y update

# Install Dependencies - yum
yum -y install gcc-c++ make httpd httpd-devel mod_ssl puppet ruby-devel rubygem-rack curl-devel openssl-devel zlib-devel

# Install Dependencies - passenger
# this next command tends to fail 10% of the time with "ERROR:
# http://rubygems.org/ does not appear to be a repository". If this happens,
# just try again in a few minutes. The website is probably experiencing
# overload.
gem install passenger
passenger-install-apache2-module -a

# Configure Puppet
# create backup
cp /etc/puppet/puppet.conf /etc/puppet/puppet.conf.`date "+%Y%m%d%H%M%S"`.orig
# clobber old puppet.conf
# (delimiter quoted so that $vardir and $confdir reach puppet.conf literally
# instead of being expanded by the shell)
cat > /etc/puppet/puppet.conf << 'DELIM'
[main]
logdir = /var/log/puppet
vardir = /var/lib/puppet
confdir = /etc/puppet
ssldir = /var/lib/puppet/ssl
rundir = /var/run/puppet
factpath = $vardir/lib/facter
templatedir = $confdir/templates

[master]
certname = 12345
dns_alt_names = puppet,dashboard,1234,12345
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
reports = store, http
reporturl = http://12345:8080/reports/upload

[agent]
server = dashboard
report = true

[cert]
autosign = false
DELIM
# replace all instances of 12345 in puppet.conf with the FQDN
sed -e s,12345,`hostname`,g -i /etc/puppet/puppet.conf

# Puppet Master config.ru - Create
mkdir -p /usr/share/puppet/rack/puppetmasterd
mkdir /usr/share/puppet/rack/puppetmasterd/public
mkdir /usr/share/puppet/rack/puppetmasterd/tmp
cat > /usr/share/puppet/rack/puppetmasterd/config.ru <<DELIM
ARGV << "--rack"
require 'puppet/application/master'
run Puppet::Application[:master].run
#eof
DELIM

# Puppet Master config.ru - Permissions
chown puppet /usr/share/puppet/rack/puppetmasterd/config.ru

# Configure puppet-master.conf - Apache vhost
cat > /etc/httpd/conf.d/puppet-master.conf << DELIM
## Puppetmaster Apache Vhost Configuration
# Update the paths of the next 2 lines to match your installed version of passenger
LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-3.0.13/ext/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-3.0.13
PassengerRuby /usr/bin/ruby

## Passenger Limits
PassengerHighPerformance On
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off

Listen 8140
<VirtualHost *:8140>
  ServerName puppetmaster-01.mydomain.com
  SSLEngine on
  SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
  SSLCertificateFile /var/lib/puppet/ssl/certs/12345.pem
  SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/12345.pem
  SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
  SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
  ## CRL checking should be enabled; if you have problems with
  ## Apache complaining about the CRL, disable the next line
  SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
  SSLVerifyClient optional
  SSLVerifyDepth 1
  SSLOptions +StdEnvVars

  ## The following client headers allow the same configuration
  ## to work with Pound.
  RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

  RackAutoDetect On
  DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
  <Directory "/usr/share/puppet/rack/puppetmasterd">
    Options None
    AllowOverride None
    Order allow,deny
    allow from all
  </Directory>
</VirtualHost>
DELIM
# replace all instances of 12345 in puppet-master.conf with the hostname
sed -e s,12345,`hostname`,g -i /etc/httpd/conf.d/puppet-master.conf

# Generate Puppet Master Certificates
# run this command to generate the puppet master certificates. Once you see the line:
# "notice: Signed certificate request for puppetmaster-01.mydomain.com"
# you should press ctrl+c to shutdown the WEBrick-powered puppet master process
# and proceed with the installation below
puppet master --verbose --no-daemonize --debug

# Start Puppet Master in Apache
service httpd start

# Install puppet-dashboard Dependencies
yum -y install ruby-mysql rubygem-rake mysql mysql-server

# Install puppet-dashboard
yum -y install puppet-dashboard

# Start mysql server
service mysqld start

# Set mysql server's root password
mysqladmin -u root password 'password'

# Create production/development DB
mysql -u root -p << DELIM
CREATE DATABASE dashboard CHARACTER SET utf8;
CREATE USER 'dashboard'@'localhost' IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON dashboard.* to 'dashboard'@'localhost';
DELIM

# Configure puppet-dashboard - database.yml
cd /usr/share/puppet-dashboard
# create backup
cp /usr/share/puppet-dashboard/config/database.yml /usr/share/puppet-dashboard/config/database.yml.`date "+%Y%m%d%H%M%S"`.orig
# clobber old database.yml
cat > /usr/share/puppet-dashboard/config/database.yml << DELIM
production:
  adapter: mysql
  database: dashboard
  username: dashboard
  password: password
  encoding: utf8

development:
  adapter: mysql
  database: dashboard
  username: dashboard
  password: password
  encoding: utf8

test:
  adapter: mysql
  database: dashboard_test
  username: dashboard_test
  password: password
  encoding: utf8
DELIM
# create DB tables
rake db:migrate

# Create settings.yml
# create from example
cp config/settings.yml.example config/settings.yml
# modify
sed "s^cn_name:.*^cn_name: 'dashboard'^" -i config/settings.yml
#sed "s^ca_crl_path:.*^#ca_crl_path: ''^" -i config/settings.yml
#sed "s^ca_certificate_path:.*^#ca_certificate_path: ''^" -i config/settings.yml
#sed "s^certificate_path:.*^certificate_path: 'certs/puppet-dashboard.crt'^" -i config/settings.yml
#sed "s^private_key_path:.*^private_key_path: 'certs/puppet-dashboard.prv'^" -i config/settings.yml
#sed "s^public_key_path:.*^#public_key_path: ''^" -i config/settings.yml
sed "s^ca_server:.*^ca_server: '`hostname`'^" -i config/settings.yml

# Generate puppet-dashboard Keypair
# TODO: min permissions
chmod -R 777 /usr/lib/ruby/gems/1.8/gems/rake-*
chmod 755 /usr/lib/ruby/gems/1.8/specifications/*.gemspec
mkdir certs
chown puppet-dashboard certs
sudo -u puppet-dashboard rake cert:create_key_pair

# Request puppet-dashboard Cert Signature from the Puppet Master
# set some necessary permissions first
chmod -R 755 /usr/share/puppet
chown -R puppet:puppet-dashboard /usr/lib/ruby/gems/1.8/gems/passenger-*
rake cert:request

# Sign the puppet-dashboard certs
puppet cert sign dashboard

# Retrieve remaining certificate files
sudo -u puppet-dashboard rake cert:retrieve

# Update external_node script (see Configuring puppet-dashboard)
# create backup
cp bin/external_node bin/external_node.`date "+%Y%m%d%H%M%S"`.orig
# modify
sed 's%^DASHBOARD_URL.*:.*%DASHBOARD_URL = "https://localhost:443"%' -i bin/external_node
sed 's%^CERT_PATH.*%CERT_PATH = "/var/lib/puppet/ssl/certs/12345.pem"%' -i bin/external_node
sed 's%^PKEY_PATH.*%PKEY_PATH = "/var/lib/puppet/ssl/private_keys/12345.pem"%' -i bin/external_node
sed 's%^CA_PATH.*%CA_PATH = "/var/lib/puppet/ssl/certs/ca.pem"%' -i bin/external_node
# replace all instances of 12345 with the hostname
sed -e s,12345,`hostname`,g -i bin/external_node

# Disable ssl.conf vhost so that puppet-dashboard is the only *:443 vhost
# remove the <VirtualHost … </VirtualHost> stanza entirely
cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.`date "+%Y%m%d%H%M%S"`.orig
vim /etc/httpd/conf.d/ssl.conf

# Configure puppet-dashboard.conf - Apache vhost
cat > /etc/httpd/conf.d/puppet-dashboard.conf << DELIM
## puppet-dashboard Apache Vhost Configuration
<VirtualHost *:443>
  SSLEngine On
  SSLProtocol -ALL +SSLv3 +TLSv1
  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
  SSLCertificateFile /usr/share/puppet-dashboard/certs/dashboard.cert.pem
  SSLCertificateKeyFile /usr/share/puppet-dashboard/certs/dashboard.private_key.pem
  SSLCACertificateFile /usr/share/puppet-dashboard/certs/dashboard.ca_cert.pem
  # If Apache complains about invalid signatures on the CRL, you can try disabling
  # CRL checking by commenting the next line, but this is not recommended
  SSLCARevocationFile /usr/share/puppet-dashboard/certs/dashboard.ca_crl.pem
  SSLVerifyClient optional
  SSLVerifyDepth 1
  SSLOptions +StdEnvVars

  RackAutoDetect On
  RackBaseURI /
  # If debugging, comment this next line to use the "development" env
  SetEnv RAILS_ENV production
  ServerName puppetmaster-01.mydomain.com
  DocumentRoot /usr/share/puppet-dashboard/public/
  <Directory /usr/share/puppet-dashboard/public/>
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
  </Directory>

  # For report submission from masters.
  <Location /reports/upload>
    <Limit POST>
      # Configuration restricts HTTP actions to POST only
      Order allow,deny
      Allow from 127.0.0.1
      Allow from all
      Satisfy any
    </Limit>
  </Location>

  # For node definitions from masters.
  <Location /nodes>
    <Limit GET>
      # Configuration restricts HTTP actions to GET only
      Order allow,deny
      Allow from 127.0.0.1
      Allow from all
      Satisfy any
    </Limit>
  </Location>

  # For web access by humans.
  <Location / >
    Order allow,deny
    Satisfy any
    AuthName "Puppet Dashboard"
    AuthType Basic
    AuthUserFile /usr/share/puppet-dashboard/.htpasswd
    Require valid-user
  </Location>

  ServerSignature On

  # Logs
  ErrorLog /var/log/httpd/puppet-dashboard_error.log
  LogLevel warn
  CustomLog /var/log/httpd/puppet-dashboard_access.log combined
  CustomLog /var/log/httpd/puppet-dashboard_ssl-request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

# This redundant vhost is a hack that allows the puppet master to submit reports
# over http (see this thread for more info:
# https://groups.google.com/forum/?fromgroups#!topic/puppet-users/7EmUtw87-pw/discussion )
# DO NOT USE THIS CONFIGURATION IF YOUR PUPPET MASTER IS NOT ON THE SAME SERVER
# AS PUPPET-DASHBOARD! If these 2 services are on different machines, you will
# be sending all your report data unencrypted across the network.
# Also, DON'T FORGET TO CONFIGURE YOUR LOCAL FIREWALL to block all access to
# port 8080, except from 127.0.0.1
Listen 8080
<VirtualHost *:8080>
  RackAutoDetect On
  RackBaseURI /
  # If debugging, comment this next line to use the "development" env
  SetEnv RAILS_ENV production
  ServerName puppetmaster-01.mydomain.com
  DocumentRoot /usr/share/puppet-dashboard/public/
  <Directory /usr/share/puppet-dashboard/public/>
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
  </Directory>
  ServerSignature On
  # Logs
  ErrorLog /var/log/httpd/puppet-dashboard-8080.log
  LogLevel warn
  CustomLog /var/log/httpd/puppet-dashboard-8080.log combined
  CustomLog /var/log/httpd/puppet-dashboard-8080-request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
DELIM

# Create .htpasswd file for Basic Apache Auth to puppet-dashboard
htpasswd -c /usr/share/puppet-dashboard/.htpasswd hosting

# puppet-dashboard config.ru
# TODO: determine if this is necessary
cp /usr/share/puppet-dashboard/vendor/rails/railties/dispatches/config.ru /usr/share/puppet-dashboard/
chown puppet-dashboard:puppet-dashboard /usr/share/puppet-dashboard/config.ru

# Optimize - mysql
# (increase mysql's max_allowed_packet to 32 megabytes) see official puppet-dashboard install guide
# (inserts the setting at the end of the preceding section, keeping the [mysqld_safe] header intact)
sed 's/\[mysqld_safe\]/max_allowed_packet = 32M\n\n[mysqld_safe]/' --in-place=.`date "+%Y%m%d%H%M%S"`.orig /etc/my.cnf
# apply configuration changes
service mysqld restart

# Configure iptables
# TODO
iptables -F

# Disable Puppet-related Daemons
/etc/init.d/puppet stop
/etc/init.d/puppet-dashboard stop
/etc/init.d/httpd stop

# Prevent WEBrick-powered services from starting on boot
chkconfig puppet off
chkconfig puppet-dashboard off

# Make necessary services start on boot
chkconfig puppet-dashboard-workers on
chkconfig httpd on

# Restart Apache to start puppet-dashboard
service httpd restart

# Start the puppet-dashboard-workers process
service puppet-dashboard-workers start

# Finally, Start the Puppet Master's own Puppet Node process
service puppet start
On Monday, June 18, 2012 12:11:38 PM UTC-4, jbrown
wrote:>
> I''m having the same problem, but I never saw a solution in this
thread.
> I''ve been over the permissions for config.ru and /var/lib/puppet
about a
> 1000 times and can''t see any permissions problems.
>
> -rw-------. 1 puppet puppet 431 Jun 18 00:07 /etc/puppet/rack/config.ru
> (I''ve also tried 700, 770, 777, and 660. I tried changing
ownership to
> apache.apache, puppet.apache, and apache.puppet.)
>
> $~ ll /var/lib/puppet/
> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 bucket
> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:09 facts
> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:09 lib
> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 reports
> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 rrd
> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 server_data
> drwxrwx---. 8 puppet puppet 4096 Jun 18 00:09 ssl
> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:09 state
> drwxrwx---. 4 puppet puppet 4096 Jun 18 01:12 yaml
>
> Setenforce is 0.
>
> I even went so far as to use "PassengerUser puppet" and
"PaasengerGroup
> puppet" in my vhost, but that didn''t help (and has been
removed).
>
> Could someone please help me?
>
> Thanks,
> Justin
>
> On Wednesday, May 30, 2012 12:17:59 PM UTC-5, Michael Altfield wrote:
>>
>> Hello Puppet gurus,
>>
>> I''m trying to setup a Puppet environment on CentOS 6. I got it
working
>> using WEBrick, but when I finally got Puppet running through Apache
using
>> Passenger, my Puppet node gets this "403 Forbidden" response
(full output
>> is attached as node.txt):
>>
>> [root@puppetnode-01 ~]# puppetd --waitforcert 30 --server
>>>> puppetmaster.mydomain.com --debug --verbose --test
>>>
>>> ...
>>>
>>> warning: peer certificate won''t be verified in this SSL
session
>>>
>>> err: Could not request certificate: Error 403 on SERVER:
<!DOCTYPE HTML
>>>> PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>>
>>> <html><head>
>>>
>>> <title>403 Forbidden</title>
>>>
>>> </head><body>
>>>
>>> <h1>Forbidden</h1>
>>>
>>> <p>You don''t have permission to access
/production/certificate/ca
>>>
>>> on this server.</p>
>>>
>>> <hr>
>>>
>>> <address>Apache/2.2.15 (CentOS) Server at
puppetmaster.mydomain.comPort 8140</address>
>>>
>>> </body></html>
>>>
>>>
>> At the same time, the httpd logs show this:
>>
>> [root@dx-puppetmaster-01 ~]# tail -f /var/log/httpd/*
>>>
>>> ...
>>>
>>> ==> /var/log/httpd/error_log <=>>>
>>> [Wed May 30 12:46:21 2012] [error] [client 10.230.100.155]
>>>> (13)Permission denied: access to /production/certificate/ca
denied
>>>
>>>
>>>> ==> /var/log/httpd/access_log <=>>>
>>> 10.230.100.155 - - [30/May/2012:12:46:21 -0400] "GET
>>>> /production/certificate/ca? HTTP/1.1" 403 325
"-" "-"
>>>
>>>
>> The steps I used to install Puppet mostly followed the attached
>> install.sh script (with slight modifications). I''ve also tried
to follow this
>> install
guide<http://www.tomhayman.co.uk/linux/install-puppet-passenger-centos-6-part/>
to
>> no avail.
>>
>> Although I have not modified my /etc/httpd/conf/httpd.conf file,
I''ve
>> attached it for reference. I''ve also attached
>> /etc/httpd/conf.d/passenger.conf and
/usr/share/puppet/rack/puppetmasterd/
>> config.ru. config.ru''s perms are 600 puppet:root.
>>
>> Both of these machines are virtualized using Citrix XenServer.
Here''s
>> some more info on these boxes:
>>
>> [root@puppetmaster-01 ~]# cat /etc/redhat-release
>> CentOS release 6.2 (Final)
>>
>> [root@puppetmaster-01 ~]# uname -a
>> Linux puppetmaster-01.datalex.com 2.6.32-220.7.1.el6.x86_64 #1 SMP Wed
>> Mar 7 00:52:02 GMT 2012 x86_64 x86_64 x86_64 GNU/Linux
>>
>> Any help will be greatly appreciated! :)
>>
>
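Added example, not code from the thread: the `(13)Permission denied: access to /production/certificate/ca denied` line quoted above is Apache's directory walk failing to stat a component of the filesystem path it mapped the request to, so one check worth running before changing any Passenger settings is whether the httpd worker can traverse every directory from `/` down to the rack `config.ru` and read the file. The script below does that walk using only the "other" permission bits, i.e. it assumes the httpd user is neither the owner nor in the group of these puppet-owned paths, which makes it conservative (a group-readable file would be reported as failing). It assumes GNU `stat` (Linux); the path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread). Walk a path component by component
# and report the first one that a process running as "other" (neither the
# owner nor a group member) could not search or read. Assumes GNU stat.

# other_bits FILE : print the "other" octal digit of FILE's mode
other_bits() {
    mode=$(stat -L -c '%a' "$1") || return 1
    printf '%s\n' "${mode#${mode%?}}"
}

# check_world_access PATH [BASE]
# Checks PATH from BASE (default /) downwards: every directory on the way
# needs o+x (search), the final entry needs o+r. Prints the first failing
# component and returns 1; returns 0 when every component passes.
check_world_access() {
    target=$1
    base=${2:-/}
    case $target in /*) ;; *) target=$(pwd)/$target ;; esac
    case $target in "$base"*) ;; *) echo "$target is not under $base"; return 2 ;; esac
    cur=${base%/}
    rel=${target#"$base"}
    # split the remaining path on "/" without letting the shell glob it
    old_ifs=$IFS
    IFS=/
    set -f
    set -- $rel
    set +f
    IFS=$old_ifs
    for part in "$@"; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        bits=$(other_bits "$cur") || { echo "FAIL: cannot stat $cur"; return 1; }
        if [ -d "$cur" ]; then
            if [ $((bits & 1)) -eq 0 ]; then
                echo "FAIL: others cannot search $cur ($(stat -L -c '%A %U:%G' "$cur"))"
                return 1
            fi
        elif [ $((bits & 4)) -eq 0 ]; then
            echo "FAIL: others cannot read $cur ($(stat -L -c '%A %U:%G' "$cur"))"
            return 1
        fi
    done
    echo "OK: every component of $target is searchable and readable by others"
    return 0
}

# Stand-alone usage on the rack path discussed in the thread (placeholder):
# check_world_access /usr/share/puppet/rack/puppetmasterd/config.ru
```

When the check passes but the 403 persists, the remaining candidates are the things the thread also touches: whether `DocumentRoot` itself exists and is traversable, and SELinux labels (`getenforce`, `ls -Z` on the same path), which permission bits alone do not show.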
Michael,

Thanks for the quick response. I'll take a closer look at the instructions and see if they work in my environment. I appreciate the thoughtful reply.

Cheers,
Justin

On Monday, June 18, 2012 12:31:28 PM UTC-5, Michael Altfield wrote:
>
> jbrown,
>
> Sorry for not posting my solution. I've been working on this install for
> weeks, and I *did* overcome this error, but I've had to overcome so many
> errors, I can't recall the exact fix. iirc, the solution might have been
> installing rubygem-rack through yum as opposed to gems.
>
> In any case, here's the commands I have come up with to successfully
> install Puppet Master & puppet-dashboard on CentOS 6.2. (Note: this is
> incomplete: I'm still working on getting the Inventory Service up and
> running, and this install procedure still needs some hardening). FWIW:
>
> # run this on just the Puppet Master, which should be running CentOS 6
>
> # Generate Entropy for random-seed from Gold Image for Cert Generation
> wget -O /var/lib/random-seed http://www.random.org/cgi-bin/randbyte?nbytes=200
>
> # Configure DNS
> echo "10.10.10.2 dashboard puppet" >> /etc/hosts
>
> # skip this if DNS is setup properly
> echo "10.10.10.3 puppetnode-01 puppetnode-01.mydomain.com" >> /etc/hosts
> echo "10.10.10.4 puppetnode-02 puppetnode-02.mydomain.com" >> /etc/hosts
> # …
>
> # Add Repository - yum.puppetlabs.com
> cat > /etc/yum.repos.d/puppetlabs.repo <<DELIM
> [puppetlabs]
> name=puppetlabs
> enabled=1
> baseurl=http://yum.puppetlabs.com/el/6/products/x86_64/
> gpgcheck=0
> DELIM
>
> # Add Repository - EPEL
> rpm -ivh https://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm
>
> # Apply Changes to yum
> yum -y update
>
> # Install Dependencies - yum
> yum -y install gcc-c++ make httpd httpd-devel mod_ssl puppet ruby-devel rubygem-rack curl-devel openssl-devel zlib-devel
>
> # Install Dependencies - passenger
> # this next command tends to fail 10% of the time with "ERROR: http://rubygems.org/ does not appear to be a repository".
> # If this happens, just try again in a few minutes. The website is probably experiencing overload.
> gem install passenger
> passenger-install-apache2-module -a
>
> # Configure Puppet
> # create backup
> cp /etc/puppet/puppet.conf /etc/puppet/puppet.conf.`date "+%Y%m%d%H%M%S"`.orig
>
> # clobber old puppet.conf
> # (delimiter quoted so the shell leaves $vardir and $confdir in the file
> # instead of expanding them to empty strings)
> cat > /etc/puppet/puppet.conf << 'DELIM'
> [main]
> logdir = /var/log/puppet
> vardir = /var/lib/puppet
> confdir = /etc/puppet
> ssldir = /var/lib/puppet/ssl
> rundir = /var/run/puppet
> factpath = $vardir/lib/facter
> templatedir = $confdir/templates
>
> [master]
> certname = 12345
> dns_alt_names = puppet,dashboard,1234,12345
> ssl_client_header = SSL_CLIENT_S_DN
> ssl_client_verify_header = SSL_CLIENT_VERIFY
>
> reports = store, http
> reporturl = http://12345:8080/reports/upload
>
> [agent]
> server = dashboard
> report = true
>
> [cert]
> autosign = false
> DELIM
>
> # replace all instances of 12345 in puppet.conf with the FQDN
> sed -e s,12345,`hostname`,g -i /etc/puppet/puppet.conf
>
> # Puppet Master config.ru - Create
> mkdir -p /usr/share/puppet/rack/puppetmasterd
> mkdir /usr/share/puppet/rack/puppetmasterd/public
> mkdir /usr/share/puppet/rack/puppetmasterd/tmp
>
> cat > /usr/share/puppet/rack/puppetmasterd/config.ru <<DELIM
> ARGV << "--rack"
> require 'puppet/application/master'
> run Puppet::Application[:master].run
> #eof
> DELIM
>
> # Puppet Master config.ru - Permissions
> chown puppet /usr/share/puppet/rack/puppetmasterd/config.ru
>
> # Configure puppet-master.conf - Apache vhost
> cat > /etc/httpd/conf.d/puppet-master.conf << DELIM
> ## Puppetmaster Apache Vhost Configuration
>
> # Update the paths of the next 2 lines to match your installed version of passenger
> LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-3.0.13/ext/apache2/mod_passenger.so
> PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-3.0.13
> PassengerRuby /usr/bin/ruby
>
> ## Passenger Limits
> PassengerHighPerformance On
> PassengerMaxPoolSize 12
> PassengerPoolIdleTime 1500
> PassengerMaxRequests 1000
> PassengerStatThrottleRate 120
> RackAutoDetect Off
> RailsAutoDetect Off
>
> Listen 8140
>
> <VirtualHost *:8140>
>     ServerName puppetmaster-01.mydomain.com
>
>     SSLEngine on
>     SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
>
>     SSLCertificateFile /var/lib/puppet/ssl/certs/12345.pem
>     SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/12345.pem
>     SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
>     SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
>
>     ## CRL checking should be enabled; if you have problems with
>     ## Apache complaining about the CRL, disable the next line
>     SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
>     SSLVerifyClient optional
>     SSLVerifyDepth 1
>     SSLOptions +StdEnvVars
>
>     ## The following client headers allow the same configuration
>     ## to work with Pound.
>     RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
>     RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
>     RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
>
>     RackAutoDetect On
>
>     DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
>
>     <Directory "/usr/share/puppet/rack/puppetmasterd">
>         Options None
>         AllowOverride None
>         Order allow,deny
>         allow from all
>     </Directory>
> </VirtualHost>
> DELIM
>
> # replace all instances of 12345 in puppet-master.conf with the hostname
> sed -e s,12345,`hostname`,g -i /etc/httpd/conf.d/puppet-master.conf
>
> # Generate Puppet Master Certificates
> # run this command to generate the puppet master certificates. Once you see the line:
> # "notice: Signed certificate request for puppetmaster-01.mydomain.com"
> # you should press ctrl+c to shutdown the WEBrick-powered puppet master process
> # and proceed with the installation below
> puppet master --verbose --no-daemonize --debug
>
> # Start Puppet Master in Apache
> service httpd start
>
> # Install puppet-dashboard Dependencies
> yum -y install ruby-mysql rubygem-rake mysql mysql-server
>
> # Install puppet-dashboard
> yum -y install puppet-dashboard
>
> # Start mysql server
> service mysqld start
>
> # Set mysql server's root password
> mysqladmin -u root password 'password'
>
> # Create production/development DB
> mysql -u root -p << DELIM
> CREATE DATABASE dashboard CHARACTER SET utf8;
> CREATE USER 'dashboard'@'localhost' IDENTIFIED BY 'password';
> GRANT ALL PRIVILEGES ON dashboard.* to 'dashboard'@'localhost';
> DELIM
>
> # Configure puppet-dashboard - database.yml
> cd /usr/share/puppet-dashboard
>
> # create backup
> cp /usr/share/puppet-dashboard/config/database.yml /usr/share/puppet-dashboard/config/database.yml.`date "+%Y%m%d%H%M%S"`.orig
>
> # clobber old database.yml
> cat > /usr/share/puppet-dashboard/config/database.yml << DELIM
> production:
>   adapter: mysql
>   database: dashboard
>   username: dashboard
>   password: password
>   encoding: utf8
>
> development:
>   adapter: mysql
>   database: dashboard
>   username: dashboard
>   password: password
>   encoding: utf8
>
> test:
>   adapter: mysql
>   database: dashboard_test
>   username: dashboard_test
>   password: password
>   encoding: utf8
> DELIM
>
> # create DB tables
> rake db:migrate
>
> # Create settings.yml
> # create from example
> cp config/settings.yml.example config/settings.yml
>
> # modify
> sed "s^cn_name:.*^cn_name: 'dashboard'^" -i config/settings.yml
> #sed "s^ca_crl_path:.*^#ca_crl_path: ''^" -i config/settings.yml
> #sed "s^ca_certificate_path:.*^#ca_certificate_path: ''^" -i config/settings.yml
> #sed "s^certificate_path:.*^certificate_path: 'certs/puppet-dashboard.crt'^" -i config/settings.yml
> #sed "s^private_key_path:.*^private_key_path: 'certs/puppet-dashboard.prv'^" -i config/settings.yml
> #sed "s^public_key_path:.*^#public_key_path: ''^" -i config/settings.yml
> sed "s^ca_server:.*^ca_server: '`hostname`'^" -i config/settings.yml
>
> # Generate puppet-dashboard Keypair
> # TODO: min permissions
> chmod -R 777 /usr/lib/ruby/gems/1.8/gems/rake-*
> chmod 755 /usr/lib/ruby/gems/1.8/specifications/*.gemspec
> mkdir certs
> chown puppet-dashboard certs
>
> sudo -u puppet-dashboard rake cert:create_key_pair
>
> # Request puppet-dashboard Cert Signature from the Puppet Master
> # set some necessary permissions first
> chmod -R 755 /usr/share/puppet
> chown -R puppet:puppet-dashboard /usr/lib/ruby/gems/1.8/gems/passenger-*
>
> rake cert:request
>
> # Sign the puppet-dashboard certs
> puppet cert sign dashboard
>
> # Retrieve remaining certificate files
> sudo -u puppet-dashboard rake cert:retrieve
>
> # Update external_node script (see Configuring puppet-dashboard)
> # create backup
> cp bin/external_node bin/external_node.`date "+%Y%m%d%H%M%S"`.orig
>
> # modify
> sed 's%^DASHBOARD_URL.*:.*%DASHBOARD_URL = "https://localhost:443"%' -i bin/external_node
> sed 's%^CERT_PATH.*%CERT_PATH = "/var/lib/puppet/ssl/certs/12345.pem"%' -i bin/external_node
> sed 's%^PKEY_PATH.*%PKEY_PATH = "/var/lib/puppet/ssl/private_keys/12345.pem"%' -i bin/external_node
> sed 's%^CA_PATH.*%CA_PATH = "/var/lib/puppet/ssl/certs/ca.pem"%' -i bin/external_node
>
> # replace all instances of 12345 with the hostname
> sed -e s,12345,`hostname`,g -i bin/external_node
>
> # Disable ssl.conf vhost so that puppet-dashboard is the only *:443 vhost
> # remove the <VirtualHost … </VirtualHost> stanza entirely
> cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.`date "+%Y%m%d%H%M%S"`.orig
> vim /etc/httpd/conf.d/ssl.conf
>
> # Configure puppet-dashboard.conf - Apache vhost
> cat > /etc/httpd/conf.d/puppet-dashboard.conf << DELIM
> ## puppet-dashboard Apache Vhost Configuration
>
> <VirtualHost *:443>
>
>     SSLEngine On
>     SSLProtocol -ALL +SSLv3 +TLSv1
>     SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
>
>     SSLCertificateFile /usr/share/puppet-dashboard/certs/dashboard.cert.pem
>     SSLCertificateKeyFile /usr/share/puppet-dashboard/certs/dashboard.private_key.pem
>     SSLCACertificateFile /usr/share/puppet-dashboard/certs/dashboard.ca_cert.pem
>
>     # If Apache complains about invalid signatures on the CRL, you can try disabling
>     # CRL checking by commenting the next line, but this is not recommended
>     SSLCARevocationFile /usr/share/puppet-dashboard/certs/dashboard.ca_crl.pem
>
>     SSLVerifyClient optional
>     SSLVerifyDepth 1
>     SSLOptions +StdEnvVars
>
>     RackAutoDetect On
>     RackBaseURI /
>
>     # If debugging, comment this next line to use the "development" env
>     SetEnv RAILS_ENV production
>
>     ServerName puppetmaster-01.mydomain.com
>     DocumentRoot /usr/share/puppet-dashboard/public/
>     <Directory /usr/share/puppet-dashboard/public/>
>         Options None
>         AllowOverride None
>         Order allow,deny
>         Allow from all
>     </Directory>
>
>     # For report submission from masters.
>     <Location /reports/upload>
>         <Limit POST>
>             # Configuration restricts HTTP actions to POST only
>             Order allow,deny
>             Allow from 127.0.0.1
>             Allow from all
>             Satisfy any
>         </Limit>
>     </Location>
>
>     # For node definitions from masters.
>     <Location /nodes>
>         <Limit GET>
>             # Configuration restricts HTTP actions to GET only
>             Order allow,deny
>             Allow from 127.0.0.1
>             Allow from all
>             Satisfy any
>         </Limit>
>     </Location>
>
>     # For web access by humans.
>     <Location />
>         Order allow,deny
>         Satisfy any
>         AuthName "Puppet Dashboard"
>         AuthType Basic
>         AuthUserFile /usr/share/puppet-dashboard/.htpasswd
>         Require valid-user
>     </Location>
>
>     ServerSignature On
>
>     # Logs
>     ErrorLog /var/log/httpd/puppet-dashboard_error.log
>     LogLevel warn
>     CustomLog /var/log/httpd/puppet-dashboard_access.log combined
>     CustomLog /var/log/httpd/puppet-dashboard_ssl-request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> </VirtualHost>
>
> # This redundant vhost is a hack that allows the puppet master to submit reports
> # over http (see this thread for more info:
> # https://groups.google.com/forum/?fromgroups#!topic/puppet-users/7EmUtw87-pw/discussion)
> # DO NOT USE THIS CONFIGURATION IF YOUR PUPPET MASTER IS NOT ON THE SAME SERVER
> # AS PUPPET-DASHBOARD! If these 2 services are on different machines, you will
> # be sending all your report data unencrypted across the network.
> # Also, DON'T FORGET TO CONFIGURE YOUR LOCAL FIREWALL to block all access to
> # port 8080, except from 127.0.0.1
>
> Listen 8080
> <VirtualHost *:8080>
>
>     RackAutoDetect On
>     RackBaseURI /
>
>     # If debugging, comment this next line to use the "development" env
>     SetEnv RAILS_ENV production
>
>     ServerName puppetmaster-01.mydomain.com
>     DocumentRoot /usr/share/puppet-dashboard/public/
>     <Directory /usr/share/puppet-dashboard/public/>
>         Options None
>         AllowOverride None
>         Order allow,deny
>         Allow from all
>     </Directory>
>
>     ServerSignature On
>
>     # Logs
>     ErrorLog /var/log/httpd/puppet-dashboard-8080.log
>     LogLevel warn
>     CustomLog /var/log/httpd/puppet-dashboard-8080.log combined
>     CustomLog /var/log/httpd/puppet-dashboard-8080-request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> </VirtualHost>
> DELIM
>
> # Create .htpasswd file for Basic Apache Auth to puppet-dashboard
> htpasswd -c /usr/share/puppet-dashboard/.htpasswd hosting
>
> # puppet-dashboard config.ru
> # TODO: determine if this is necessary
> cp /usr/share/puppet-dashboard/vendor/rails/railties/dispatches/config.ru /usr/share/puppet-dashboard/
> chown puppet-dashboard:puppet-dashboard /usr/share/puppet-dashboard/config.ru
>
> # Optimize - mysql
> # (increase mysql's max_allowed_packet to 32 megabytes) see official puppet-dashboard install guide
> # (inserts the setting just before the existing [mysqld_safe] header, which is kept as-is)
> sed 's/\[mysqld_safe\]/max_allowed_packet = 32M\n\n\[mysqld_safe\]/' --in-place=.`date "+%Y%m%d%H%M%S"`.orig /etc/my.cnf
>
> # apply configuration changes
> service mysqld restart
>
> # Configure iptables
> # TODO
> iptables -F
>
> # Disable Puppet-related Daemons
> /etc/init.d/puppet stop
> /etc/init.d/puppet-dashboard stop
> /etc/init.d/httpd stop
>
> # Prevent WEBrick-powered services from starting on boot
> chkconfig puppet off
> chkconfig puppet-dashboard off
>
> # Make necessary services start on boot
> chkconfig puppet-dashboard-workers on
> chkconfig httpd on
>
> # Restart Apache to start puppet-dashboard
> service httpd restart
>
> # Start the puppet-dashboard-workers process
> service puppet-dashboard-workers start
>
> # Finally, Start the Puppet Master's own Puppet Node process
> service puppet start
>
> On Monday, June 18, 2012 12:11:38 PM UTC-4, jbrown wrote:
>>
>> I'm having the same problem, but I never saw a solution in this thread.
>> I've been over the permissions for config.ru and /var/lib/puppet about a
>> 1000 times and can't see any permissions problems.
>>
>> -rw-------. 1 puppet puppet 431 Jun 18 00:07 /etc/puppet/rack/config.ru
>> (I've also tried 700, 770, 777, and 660. I tried changing ownership to
>> apache.apache, puppet.apache, and apache.puppet.)
>>
>> $~ ll /var/lib/puppet/
>> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 bucket
>> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:09 facts
>> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:09 lib
>> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 reports
>> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 rrd
>> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 server_data
>> drwxrwx---. 8 puppet puppet 4096 Jun 18 00:09 ssl
>> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:09 state
>> drwxrwx---. 4 puppet puppet 4096 Jun 18 01:12 yaml
>>
>> Setenforce is 0.
>>
>> I even went so far as to use "PassengerUser puppet" and "PassengerGroup
>> puppet" in my vhost, but that didn't help (and has been removed).
>>
>> Could someone please help me?
>>
>> Thanks,
>> Justin
>>
>> On Wednesday, May 30, 2012 12:17:59 PM UTC-5, Michael Altfield wrote:
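Because puppet.conf refers to other settings with `$vardir` and `$confdir` (in `factpath` and `templatedir`), the way a shell heredoc's delimiter is quoted decides what ends up in the file: with an unquoted delimiter the shell expands those names (to nothing, since they are unset in a typical root shell) before `cat` ever sees the text. The following added example, not code from the thread, writes the same three lines with an unquoted and a quoted delimiter and reads back the `factpath` setting from a constructed temporary file.

```shell
#!/bin/sh
# Added example (not from the thread): heredoc delimiter quoting and its
# effect on puppet.conf-style $vardir references.

# write_unquoted FILE : heredoc with an unquoted delimiter; $vardir is expanded
write_unquoted() {
    cat > "$1" << DELIM
[main]
vardir = /var/lib/puppet
factpath = $vardir/lib/facter
DELIM
}

# write_quoted FILE : heredoc with a quoted delimiter; text is copied verbatim
write_quoted() {
    cat > "$1" << 'DELIM'
[main]
vardir = /var/lib/puppet
factpath = $vardir/lib/facter
DELIM
}

# factpath_setting FILE : print the factpath line as it landed on disk
factpath_setting() {
    grep '^factpath' "$1"
}

# Stand-alone demo on a constructed temporary file:
# f=$(mktemp)
# write_unquoted "$f"; factpath_setting "$f"   # the $vardir prefix is gone
# write_quoted "$f";   factpath_setting "$f"   # factpath = $vardir/lib/facter
```

The same applies to any heredoc that carries `$`-prefixed text, such as Apache log formats or sed scripts; where the file genuinely needs some values expanded and others kept, escape the ones to keep as `\$vardir` instead of quoting the delimiter.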