Jesus Roncero
2014-Feb-10 14:53 UTC
[Puppet Users] Problem configuring inventory search in puppet-dashboard
Hi all,

I have a problem trying to configure puppet-dashboard when using the inventory search, and I'm running out of ideas.

I have configured puppet-dashboard to run under apache passenger, following the instructions on http://docs.puppetlabs.com/dashboard/manual/1.2/configuring.html

I have created the certificates as per the instructions and configured auth.conf such that it has:

-----------------
path /facts
auth yes
method find, search
allow dashboard
-----------------

However, if I try to search the inventory, I get an access denied error. If I change the auth.conf file to allow everything, then everything works.

I believe it's because puppet-passenger is not sending the right certificate when it's connecting to the master, and then it gets denied. This is what I get running puppet master in debug mode:

...
info: access[/certificate_request]: allowing * access
info: access[/facts]: adding authentication yes
info: access[/facts]: allowing 'method' find
info: access[/facts]: allowing 'method' search
info: access[/facts]: allowing internalname.int access
info: access[/facts]: allowing puppet-dashboard access
info: access[/facts]: allowing dashboard access
info: access[/facts]: allowing 10.0.1.114 access
info: access[/]: adding authentication any
info: Inserting default '/status' (auth true) ACL because none were found in '/etc/puppet/auth.conf'
info: access[/]: defaulting to no access for internalname.int
warning: Denying access: Forbidden request: internalname.int(10.0.1.129) access to /facts/search [search] at /etc/puppet/auth.conf:107
err: Forbidden request: internalname.int(10.0.1.129) access to /facts/search [search] at /etc/puppet/auth.conf:107
...
internalname.int is the name the IP resolves to in /etc/hosts.

So, it seems to me that all the puppetmaster sees is the request coming from internal name and not from a certname called 'dashboard', which is what it's configured with in /etc/puppet-dashboard/settings.yaml (the files in /usr/share/puppet-dashboard/certs exist and are readable by www-data).

What makes me think that there's no cert being sent is that if I run:

openssl s_server -accept 8140

to see what certificate gets presented, none appear coming from puppet-dashboard, whereas a normal puppet run does actually send a certificate that openssl can see:

ACCEPT
ERROR
140723219195560:error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate:s3_srvr.c:3274:
shutting down SSL
CONNECTION CLOSED
ACCEPT

Any ideas what might be wrong here?

Thanks.

--
Jesús Roncero
Principal IT Ops Engineer
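Added example, not part of the original post: a Python check over the debug lines quoted in the message that rebuilds each ACL and classifies every denial. It assumes that an `auth yes` ACL only matches requests that presented a valid client certificate and that the most specific path prefix applies; the function names and verdict strings are hypothetical.

```python
import re

# Debug-log lines quoted in the post, one per line (the duplicate "err:" line is omitted).
SAMPLE_LOG = """\
info: access[/certificate_request]: allowing * access
info: access[/facts]: adding authentication yes
info: access[/facts]: allowing 'method' find
info: access[/facts]: allowing 'method' search
info: access[/facts]: allowing internalname.int access
info: access[/facts]: allowing puppet-dashboard access
info: access[/facts]: allowing dashboard access
info: access[/facts]: allowing 10.0.1.114 access
info: access[/]: adding authentication any
info: access[/]: defaulting to no access for internalname.int
warning: Denying access: Forbidden request: internalname.int(10.0.1.129) access to /facts/search [search] at /etc/puppet/auth.conf:107
"""

ACL = re.compile(r"access\[(?P<path>[^\]]+)\]: (?P<rest>.+)")
DENY = re.compile(r"Forbidden request: (?P<name>[^(\s]+)\((?P<ip>[^)]+)\) "
                  r"access to (?P<uri>\S+) \[(?P<method>\w+)\]")

def parse_acls(log):
    """Rebuild each ACL (auth mode, methods, allowed names) from the master's info lines."""
    acls = {}
    for line in log.splitlines():
        m = ACL.search(line)
        if not m:
            continue
        acl = acls.setdefault(m["path"], {"auth": None, "methods": set(), "allow": set()})
        rest = m["rest"]
        if rest.startswith("adding authentication "):
            acl["auth"] = rest.split()[-1]
        elif rest.startswith("allowing 'method' "):
            acl["methods"].add(rest.split()[-1])
        elif rest.startswith("allowing ") and rest.endswith(" access"):
            acl["allow"].add(rest.split()[1])
    return acls

def explain_denials(log):
    """For each denial, say whether the ACL lists the requester by name or IP."""
    acls, findings = parse_acls(log), []
    for m in DENY.finditer(log):
        # Assumption: the most specific ACL path that prefixes the URI applies.
        path = max((p for p in acls if p != "/" and m["uri"].startswith(p)), key=len, default=None)
        acl = acls.get(path)
        listed = bool(acl) and m["method"] in acl["methods"] and bool({m["name"], m["ip"]} & acl["allow"])
        # Assumption: "auth yes" only matches requests that presented a valid client certificate.
        verdict = "listed-but-unauthenticated" if listed and acl["auth"] == "yes" else "not-listed"
        findings.append((m["name"], m["uri"], path, verdict))
    return findings
```

For the quoted log, `explain_denials(SAMPLE_LOG)` reports `listed-but-unauthenticated` for `/facts/search`: the name and method are in the `/facts` ACL, so under the stated assumptions the remaining unmet condition is client-certificate authentication.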