kp-v
2012-Aug-08 17:21 UTC
[Puppet Users] Puppet Master Forbidding Access to Cert Revocation List
Hey folks;
I am having issues retrieving the catalog from my master. It seems to be an
issue with the ACLs for the /certificate_revocation_list/ca, however it
still produces an error when I set the ACLs to allow everything! I am
almost certain it has something to do with my non-default installation.
Puppet gurus please assist me. Any and all advice would be helpful. P.S. I
have not had issues with Passenger up until I changed the installation root
except excessively long (400 sec) SSL sessions for initial runs.
I am running an agent/master configuration with passenger (CentOS 6.2). I
installed puppet from source and my file structure looks like this:
/opt/puppet
- /opt/puppet/etc
- /opt/puppet/etc/puppet
- /opt/puppet/usr
- /opt/puppet/usr/bin
- /opt/puppet/usr/sbin
- /opt/puppet/usr/share
- /opt/puppet/var
- /opt/puppet/var/ssl
My master is able to receive and complete the certificate handshake
process. On an agent, after having received confirmation that the
handshake completed, it attempts to find /certificate_revocation_list/ca
but fails. It produces this error (full trace):
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:56:in `deserialize'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:75:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:188:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:50:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:230:in `ssl_store'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:56:in `cert_setup'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:98:in `http_instance'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:71:in `network'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:75:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:188:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:50:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:240:in `retrieve_new_catalog'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:403:in `thinmark'
/usr/lib/ruby/1.8/benchmark.rb:308:in `realtime'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:402:in `thinmark'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:239:in `retrieve_new_catalog'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:86:in `retrieve_catalog'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:111:in `retrieve_and_apply_catalog'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:150:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent/locker.rb:21:in `lock'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
/usr/lib/ruby/1.8/sync.rb:230:in `synchronize'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:103:in `with_client'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:37:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:172:in `call'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:172:in `controlled_run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:35:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:114:in `onetime'
/usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:88:in `run_command'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:305:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:420:in `hook'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:305:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:411:in `exit_on_fail'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:305:in `run'
/usr/sbin/puppetd:4
err: Could not retrieve catalog from remote server: Error 403 on SERVER:
Forbidden request: hostname.fqdn.int (NNN.NNN.NNN.NNN) access to
/certificate_revocation_list/ca [find] at line 0
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
The syslog on the master produces this error:
Aug 8 10:10:16 eng-puppet-vm2 puppet-master[15352]: Forbidden request:
hostname.fqdn.int (NNN.NNN.NNN.NNN) access to
/certificate_revocation_list/ca [find] at line 0
Here is a look at my configurations:
auth.conf

path /facts
method find,search
auth yes
allow hostname.fqdn.int

path ~ ^/catalog/([^/]+)$
method find
allow $1

path /certificate_revocation_list/ca
method find
allow *

path /report
method save
allow *.fqdn.int
allow NNN.NNN.NNN.NNN/16

path /file
allow *

path /certificate/ca
auth no
method find
allow *

path /certificate/
auth no
method find
allow *

path /certificate_request
auth no
method find, save
allow *

path /
auth any

puppet.conf

[main]
server = hostname.fqdn.int
logdir = /var/log/puppet
puppetdlog = /var/log/puppet/puppet.log
rundir = /var/run/puppet
#ssldir = $vardir/ssl:/etc/puppet/ssl
modulepath = /opt/puppet/etc/puppet/modules:/usr/share/puppet/modules
runinterval=900

[master]
ssldir = /opt/puppet/var/ssl
facts_terminus = yaml
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

[agent]
classfile = $vardir/classes.txt
clientbucketdir = $vardir/client_bucket
clientyamldir = $vardir/client_yaml
ssldir = $vardir/ssl
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/TzboYhGnqGQJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
kp-v
2012-Aug-09 18:24 UTC
[Puppet Users] Re: Puppet Master Forbidding Access to Cert Revocation List
I don't think there is an issue with my configuration. I believe I am running into issues with indirector.rb not finding the correct terminus for my certificate revocation list.
kp-v
2012-Aug-11 01:14 UTC
[Puppet Users] Re: Puppet Master Forbidding Access to Cert Revocation List
I was pretty close with my first guess, but I might have figured it out. I have not resolved the issue, however I am certain of the issue at hand. In 2.6.16, puppet only searches for the auth.conf file at /etc/puppet/auth.conf and this path appears to be hardcoded. Therefore, because puppet cannot find the auth.conf file, it denies access to everything (all four indirector verbs) within the / (puppet) directory. I have yet to try symlinking the file to /etc/puppet/auth.conf to attempt to fix, however this defeats the purpose of installing in /opt. I doubt that this is a bug because I followed a non-standard installation process. I will post again if I figure out how to patch it.
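The diagnosis in the last message (the master never reads the auth.conf, so every request is forbidden even though the rules themselves would allow it) can be reasoned about with a small model of how the auth.conf rules are evaluated. The following is an added example written for this page, not Puppet's own code: a simplified Ruby evaluator for the auth.conf format that parses the rules quoted in the first message and decides a request the way the format is documented (the first rule whose path, method and auth mode match decides; deny entries win over allow entries; no matching rule means forbidden). The agent names, IP addresses and the 10.20.0.0/16 block are constructed stand-ins for the redacted values, the `/nonexistent/...` path is hypothetical, and the default `auth yes` and the exact precedence of allow/deny entries are simplifications of Puppet's real authorization code.

```ruby
# Added example (not Puppet's own code): a simplified model of Puppet 2.x
# auth.conf evaluation, used to contrast "rules present" with "no rules at all".
require 'ipaddr'

# Constructed auth.conf text mirroring the thread's rules; 10.20.0.0/16 stands
# in for the redacted NNN.NNN.NNN.NNN/16 and only the stanzas needed are kept.
SAMPLE_AUTH_CONF = <<~'CONF'
  path /facts
  method find,search
  auth yes
  allow hostname.fqdn.int

  path ~ ^/catalog/([^/]+)$
  method find
  allow $1

  path /certificate_revocation_list/ca
  method find
  allow *

  path /report
  method save
  allow *.fqdn.int
  allow 10.20.0.0/16

  path /
  auth any
CONF

Rule = Struct.new(:prefix, :regex, :verbs, :auth, :allow, :deny)

# Parse the stanza format: each "path" line opens a rule and the following
# method/auth/allow/deny lines belong to it. Unknown keys are ignored.
def parse_auth_conf(text)
  rules = []
  rule = nil
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split(/\s+/, 2)
    next if rule.nil? && key != 'path'          # stray line before any path
    case key
    when 'path'
      rule = Rule.new(nil, nil, nil, 'yes', [], [])   # auth defaults to yes here
      if value.start_with?('~')
        rule.regex = Regexp.new(value.sub(/\A~\s*/, ''))
      else
        rule.prefix = value
      end
      rules << rule
    when 'method' then rule.verbs = value.split(/\s*,\s*/)
    when 'auth'   then rule.auth = value
    when 'allow'  then rule.allow.concat(value.split(/\s*,\s*/))
    when 'deny'   then rule.deny.concat(value.split(/\s*,\s*/))
    end
  end
  rules
end

# A missing file yields no rules, so every request ends in the default deny.
def load_auth_conf(path)
  File.exist?(path) ? parse_auth_conf(File.read(path)) : []
end

# Does one allow/deny entry match the requesting node? Handles "*",
# "*.domain" suffixes, CIDR blocks, regex back-references ($1) and exact names.
def entry_matches?(entry, host, ip, captures)
  entry = entry.gsub(/\$(\d+)/) { captures[Regexp.last_match(1).to_i - 1].to_s } if captures
  return true if entry == '*'
  return IPAddr.new(entry).include?(IPAddr.new(ip)) if entry.include?('/')
  return host.end_with?(entry[1..-1]) if entry.start_with?('*.')
  entry.casecmp?(host) || entry == ip
end

# First rule whose path, method and auth mode match decides; deny entries win
# over allow entries; no matching rule at all means forbidden.
def authorized?(rules, path, method, host, ip, authenticated: true)
  rules.each do |rule|
    captures = nil
    if rule.regex
      m = rule.regex.match(path)
      next unless m
      captures = m.captures
    else
      next unless path.start_with?(rule.prefix)
    end
    next if rule.verbs && !rule.verbs.include?(method)
    next if rule.auth == 'yes' && !authenticated
    next if rule.auth == 'no' && authenticated
    return false if rule.deny.any? { |e| entry_matches?(e, host, ip, captures) }
    return rule.allow.any? { |e| entry_matches?(e, host, ip, captures) }
  end
  false
end

# The request that failed in the thread: an authenticated agent fetching the CRL.
def crl_fetch_allowed?(auth_conf_text)
  authorized?(parse_auth_conf(auth_conf_text),
              '/certificate_revocation_list/ca', 'find',
              'hostname.fqdn.int', '10.20.1.5')
end

if __FILE__ == $PROGRAM_NAME
  puts "rules from the thread: #{crl_fetch_allowed?(SAMPLE_AUTH_CONF)}"   # true
  puts "no rules loaded:       #{crl_fetch_allowed?('')}"                 # false
  puts "hypothetical missing file: #{load_auth_conf('/nonexistent/auth.conf').inspect}"
end
```

Run stand-alone, the model shows the two outcomes side by side: with the thread's rules the CRL `find` is allowed by `allow *`, while an empty rule set (what a master that cannot read its auth.conf effectively has) forbids the same request, which is consistent with a 403 that no ACL edit can cure. When debugging an installation with a non-default root, that makes "which auth.conf is the master actually reading?" the first thing to confirm, before loosening any rule.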