Hi,

We're trying to follow the instructions at http://reductivelabs.com/trac/puppet/wiki/UsingMongrel
(Just using a single puppetmaster/mongrel instance and plain mod_proxy for now, instead of the balancer one)

We got past the "Server is not a class" error by modifying mongrel.rb

We also kind-of got past the:

/opt/bin/puppetmasterd:293: undefined method `daemonize' for #<Mongrel::HttpServer:0xb78419b4> (NoMethodError)

error which you get afterwards, by starting it in the foreground for now (using --debug or --verbose)

However I'm not sure how to get past this one:

| notice: Denying unauthenticated client guweb05.gul3.gnl(10.250.12.78) access to puppetmaster.getconfig
| /opt/lib/ruby/site_ruby/1.8/puppet/network/xmlrpc/processor.rb:42:in `process'
| /opt/lib/ruby/site_ruby/1.8/puppet/network/server/mongrel.rb:104:in `process'
| /opt/lib/ruby/gems/1.8/gems/mongrel-1.0.1/lib/mongrel.rb:419:in `start'
| /opt/lib/ruby/site_ruby/1.8/puppet/network/server/mongrel.rb:101:in `process'
| /opt/lib/ruby/gems/1.8/gems/mongrel-1.0.1/lib/mongrel.rb:618:in `process_client'
| /opt/lib/ruby/gems/1.8/gems/mongrel-1.0.1/lib/mongrel.rb:617:in `each'
| /opt/lib/ruby/gems/1.8/gems/mongrel-1.0.1/lib/mongrel.rb:617:in `process_client'
| /opt/lib/ruby/gems/1.8/gems/mongrel-1.0.1/lib/mongrel.rb:736:in `run'
| /opt/lib/ruby/gems/1.8/gems/mongrel-1.0.1/lib/mongrel.rb:736:in `initialize'
| /opt/lib/ruby/gems/1.8/gems/mongrel-1.0.1/lib/mongrel.rb:736:in `new'
| /opt/lib/ruby/gems/1.8/gems/mongrel-1.0.1/lib/mongrel.rb:736:in `run'
| /opt/lib/ruby/gems/1.8/gems/mongrel-1.0.1/lib/mongrel.rb:720:in `initialize'
| /opt/lib/ruby/gems/1.8/gems/mongrel-1.0.1/lib/mongrel.rb:720:in `new'
| /opt/lib/ruby/gems/1.8/gems/mongrel-1.0.1/lib/mongrel.rb:720:in `run'
| /opt/bin/puppetmasterd:301
| Wed Jun 06 16:30:29 +0100 2007: ERROR: Host guweb05.gul3.gnl(10.250.12.78) not authorized to call puppetmaster.getconfig

And then subsequently:

| Wed Jun 06 16:05:28 +0100 2007: ERROR: Host guweb05.gul3.gnl(10.250.12.78) not authorized to call fileserver.describe
| notice: Denying unauthenticated client guweb05.gul3.gnl(10.250.12.78) access to fileserver.describe
| /opt/lib/ruby/site_ruby/1.8/puppet/network/xmlrpc/processor.rb:42:in `process'
| /opt/lib/ruby/site_ruby/1.8/puppet/network/server/mongrel.rb:104:in `process'
| /opt/lib/ruby/gems/1.8/gems/mongrel-1.0.1/lib/mongrel.rb:419:in `start'
| /opt/lib/ruby/site_ruby/1.8/puppet/network/server/mongrel.rb:101:in `process'
| /opt/lib/ruby/gems/1.8/gems/mongrel-1.0.1/lib/mongrel.rb:618:in `process_client'
| /opt/lib/ruby/gems/1.8/gems/mongrel-1.0.1/lib/mongrel.rb:617:in `each'
| /opt/lib/ruby/gems/1.8/gems/mongrel-1.0.1/lib/mongrel.rb:617:in `process_client'
| /opt/lib/ruby/gems/1.8/gems/mongrel-1.0.1/lib/mongrel.rb:736:in `run'
| /opt/lib/ruby/gems/1.8/gems/mongrel-1.0.1/lib/mongrel.rb:736:in `initialize'
| /opt/lib/ruby/gems/1.8/gems/mongrel-1.0.1/lib/mongrel.rb:736:in `new'
| /opt/lib/ruby/gems/1.8/gems/mongrel-1.0.1/lib/mongrel.rb:736:in `run'
| /opt/lib/ruby/gems/1.8/gems/mongrel-1.0.1/lib/mongrel.rb:720:in `initialize'
| /opt/lib/ruby/gems/1.8/gems/mongrel-1.0.1/lib/mongrel.rb:720:in `new'
| /opt/lib/ruby/gems/1.8/gems/mongrel-1.0.1/lib/mongrel.rb:720:in `run'
| /opt/bin/puppetmasterd:301
| Wed Jun 06 16:05:28 +0100 2007: ERROR: Host guweb05.gul3.gnl(10.250.12.78) not authorized to call fileserver.describe

We (only) have the following in /etc/puppet/fileserver.conf:

| [public]
| path /var/puppet/fileserver
| allow *

And puppetmaster says when starting:

| info: mount[public]: allowing * access

I also tried changing "*" to the client's IP address, doesn't help.

My guess is that before authorization, puppet somehow wants to authenticate the client using a certificate, but it's not available, since SSL is being handled by Apache.

Help! :-)

--
Marcin Owsiany
Web Systems Integrator - Guardian Unlimited
------------------------------------------------------------------
The Guardian Public Services Awards 2007, in partnership with Hays Public Services, recognise and reward outstanding performance from public, private and voluntary sector teams. To find out more and nominate a deserving team or individual, visit http://society.guardian.co.uk/publicservicesawards
------------------------------------------------------------------
Visit Guardian Unlimited - the UK's most popular newspaper website
http://guardian.co.uk http://observer.co.uk
------------------------------------------------------------------
The Newspaper Marketing Agency
Opening Up Newspapers
http://www.nmauk.co.uk
------------------------------------------------------------------
This e-mail and all attachments are confidential and may also be privileged. If you are not the named recipient, please notify the sender and delete the e-mail and all attachments immediately. Do not disclose the contents to another person. You may not use the information for any purpose, or store, or copy, it in any way. Guardian News & Media Limited is not liable for any computer viruses or other material transmitted with or as part of this e-mail. You should employ virus checking software. Guardian News & Media Limited A member of Guardian Media Group PLC Registered Office Number 1 Scott Place, Manchester M3 3GG Registered in England Number 908396
On Wed, Jun 06, 2007 at 04:57:30PM +0100, Marcin Owsiany wrote:
[snip]
> | Wed Jun 06 16:30:29 +0100 2007: ERROR: Host guweb05.gul3.gnl(10.250.12.78) not authorized to call puppetmaster.getconfig

What's in your /etc/puppet/namespaceauth.conf under [puppetmaster]?

--
Jos Backus
jos at catnook.com
On Jun 6, 2007, at 10:57 AM, Marcin Owsiany wrote:
> Hi,
>
> We're trying to follow the instructions at
> http://reductivelabs.com/trac/puppet/wiki/UsingMongrel
> (Just using a single puppetmaster/mongrel instance and plain
> mod_proxy for now,
> instead of balancer one)
>
> We got past the "Server is not a class" error by modifying mongrel.rb
>
> We also kind-of got past the:
>
> /opt/bin/puppetmasterd:293: undefined method `daemonize' for
> #<Mongrel::HttpServer:0xb78419b4> (NoMethodError)
>
> error which you get afterwards, by starting it in the foreground
> for now (using
> --debug or --verbose)

I've added notes about both of these to the UsingMongrel page, and, of course, they'll be fixed in the next release.

> However I'm not sure how to get past this one:
[...]
> My guess is that before authorization, puppet somehow wants to
> authenticate the
> client using a certificate, but it's not available, since SSL is
> being handled
> by Apache.

It looks like mongrel requires namespaceauth.conf. Here's what mine looks like:

[fileserver]
allow *.madstop.com

[puppetmaster]
allow *.madstop.com

[resource]
allow puppet.madstop.com

[puppetrunner]
allow culain.madstop.com

[puppetbucket]
allow *.madstop.com

[puppetreports]
allow *.madstop.com

I'm not sure if I'll fix this in the next release or not; I suppose I should.

--
People are more violently opposed to fur than leather because it is safer to harass rich women than motorcycle gangs.
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
On Wed, Jun 06, 2007 at 01:26:38PM -0500, Luke Kanies wrote:
> On Jun 6, 2007, at 10:57 AM, Marcin Owsiany wrote:
>
> > Hi,
> >
> > We're trying to follow the instructions at
> > http://reductivelabs.com/trac/puppet/wiki/UsingMongrel
> > (Just using a single puppetmaster/mongrel instance and plain
> > mod_proxy for now,
> > instead of balancer one)
> >
> > We got past the "Server is not a class" error by modifying mongrel.rb
> >
> > We also kind-of got past the:
> >
> > /opt/bin/puppetmasterd:293: undefined method `daemonize' for
> > #<Mongrel::HttpServer:0xb78419b4> (NoMethodError)
> >
> > error which you get afterwards, by starting it in the foreground
> > for now (using
> > --debug or --verbose)
>
> I've added notes about both of these to the UsingMongrel page, and,
> of course, they'll be fixed in the next release.
>
> > However I'm not sure how to get past this one:
> [...]
> > My guess is that before authorization, puppet somehow wants to
> > authenticate the
> > client using a certificate, but it's not available, since SSL is
> > being handled
> > by Apache.
>
> It looks like mongrel requires namespaceauth.conf. Here's what mine
> looks like:
>
> [fileserver]
> allow *.madstop.com
>
> [puppetmaster]
> allow *.madstop.com
>
> [resource]
> allow puppet.madstop.com
>
> [puppetrunner]
> allow culain.madstop.com
>
> [puppetbucket]
> allow *.madstop.com
>
> [puppetreports]
> allow *.madstop.com

Doesn't help :-/

--
Marcin Owsiany
Web Systems Integrator - Guardian Unlimited
On Jun 7, 2007, at 3:31 AM, Marcin Owsiany wrote:
> Doesn't help :-/

Can you verify that all of the certs are set up correctly?

I realize now that you were getting errors about an unauthenticated client, which means that the certs are not correctly matching.

--
Health is merely the slowest possible rate at which one can die.
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
On Thu, Jun 07, 2007 at 10:39:14AM -0500, Luke Kanies wrote:
> On Jun 7, 2007, at 3:31 AM, Marcin Owsiany wrote:
>
> > Doesn't help :-/
>
> Can you verify that all of the certs are set up correctly?

Yes. Moreover, I verified that apache does drop the connection if it cannot verify the client cert.

> I realize now that you were getting errors about an unauthenticated
> client, which means that the certs are not correctly matching.

I sniffed the traffic between apache and mongrel, and there is no certificate information being sent. Neither in the headers, nor in the request body.

I read mod_ssl documentation and the only thing close to what we might need seems to be:

SSLOptions +ExportCertData +StdEnvVars

However this does not have any effect on the apache-mongrel traffic. I suspect that these options only cause the data to be passed to CGI/SSI, but don't make it across mod_proxy connections.

I guess it would help if someone with a working puppet/mongrel setup could sniff their traffic and let us know what exactly is being sent, so we can google for how to enable it in our setup.

The way I'm doing it is:

tcpdump -s 0 -w puppet.dump -i lo port 8100

Where 8100 is the port mongrel is listening on. Then I run puppetd, which makes a request for the config but fails. Then CTRL+C the tcpdump, scp the puppet.dump to my desktop, and open it with:

ethereal puppet.dump

or

wireshark puppet.dump

(it got renamed some time ago)

I select the fourth packet (just after the SYN/SYN+ACK/ACK handshake), right click on "Data" payload, select "Decode as". Then in "Transport" tab I choose "TCP destination 8100 as HTTP". Then it parses the payload and gives a nice clickable tree to inspect.

--
Marcin Owsiany
Web Systems Integrator - Guardian Unlimited
On Fri, Jun 08, 2007 at 11:26:03AM +0100, Marcin Owsiany wrote:
> I guess it would help if someone with a working puppet/mongrel setup
> could sniff their traffic and let us know what exactly is being sent, so
> we can google for how to enable it in our setup.

I had a look at the dump I received from Benjamin, and the most notable difference from my dump is the presence of "X-Client-DN: /CN=hostname" header.

However my cunning plan to google for that failed miserably, returning no clues.

I have no idea how you make apache pass that header to mongrel.

--
Marcin Owsiany
Web Systems Integrator - Guardian Unlimited
On Jun 11, 2007, at 4:04 AM, Marcin Owsiany wrote:
> I had a look at the dump I received from Benjamin, and the most
> notable
> difference from my dump is the presence of "X-Client-DN: /
> CN=hostname" header.
>
> However my cunning plan to google for that failed miserably, returning
> no clues.
>
> I have no idea how you make apache pass that header to mongrel.

I'm as confused as you are about this, and we're trying to figure it out. I expect I found this delving through the source of webrick or something, but it looks like I'll have to re-delve to figure out what's going on.

--
'Tis better to be silent and be thought a fool, than to speak and remove all doubt. --Abraham Lincoln
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
On Jun 11, 2007, at 4:04 AM, Marcin Owsiany wrote:
> I had a look at the dump I received from Benjamin, and the most
> notable
> difference from my dump is the presence of "X-Client-DN: /
> CN=hostname" header.
>
> However my cunning plan to google for that failed miserably, returning
> no clues.
>
> I have no idea how you make apache pass that header to mongrel.

What Apache modules do you have loaded? Here's what I have on my functional system:

luke@culain(0) $ ls -al mods-enabled/
total 85
drwxr-xr-x  2 luke luke  904 Feb 28 19:02 .
drwxr-xr-x 14 luke luke  432 Jun  7 11:15 ..
-rw-r--r--  1 luke luke   66 Feb 28 14:53 actions.load
-rw-r--r--  1 luke luke   62 Feb 28 14:53 alias.load
-rw-r--r--  1 luke luke   72 Feb 28 14:53 auth_basic.load
-rw-r--r--  1 luke luke   74 Feb 28 14:53 auth_digest.load
-rw-r--r--  1 luke luke   72 Feb 28 14:53 authn_file.load
-rw-r--r--  1 luke luke   78 Feb 28 14:53 authz_default.load
-rw-r--r--  1 luke luke   82 Feb 28 14:53 authz_groupfile.load
-rw-r--r--  1 luke luke   72 Feb 28 14:53 authz_host.load
-rw-r--r--  1 luke luke   72 Feb 28 14:53 authz_user.load
-rw-r--r--  1 luke luke   70 Feb 28 14:53 autoindex.load
-rw-r--r--  1 luke luke   58 Feb 28 14:53 cgi.load
-rw-r--r--  1 luke luke  112 Feb 28 14:53 dir.conf
-rw-r--r--  1 luke luke   58 Feb 28 14:53 dir.load
-rw-r--r--  1 luke luke   58 Feb 28 14:53 env.load
lrwxrwxrwx  1 luke luke   40 Feb 28 19:02 headers.load -> /etc/apache2/mods-available/headers.load
-rw-r--r--  1 luke luke   66 Feb 28 14:53 include.load
-rw-r--r--  1 luke luke   60 Feb 28 14:53 mime.load
-rw-r--r--  1 luke luke   74 Feb 28 14:53 negotiation.load
lrwxrwxrwx  1 root root   38 Feb 28 14:51 proxy.conf -> /etc/apache2/mods-available/proxy.conf
lrwxrwxrwx  1 root root   38 Feb 28 14:51 proxy.load -> /etc/apache2/mods-available/proxy.load
lrwxrwxrwx  1 root root   47 Feb 28 14:51 proxy_balancer.load -> /etc/apache2/mods-available/proxy_balancer.load
lrwxrwxrwx  1 root root   46 Feb 28 19:01 proxy_connect.load -> /etc/apache2/mods-available/proxy_connect.load
lrwxrwxrwx  1 luke luke   43 Feb 28 15:19 proxy_http.load -> /etc/apache2/mods-available/proxy_http.load
-rw-r--r--  1 luke luke   66 Feb 28 14:53 rewrite.load
-rw-r--r--  1 luke luke   68 Feb 28 14:53 setenvif.load
-rw-r--r--  1 luke luke   58 Feb 28 14:53 ssl.load
-rw-r--r--  1 luke luke   64 Feb 28 14:53 status.load
[~/tmp/apache2] luke@culain(0) $

--
I object to doing things that computers can do. --Olin Shivers
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
On Jun 11, 2007, at 4:04 AM, Marcin Owsiany wrote:
> I had a look at the dump I received from Benjamin, and the most
> notable
> difference from my dump is the presence of "X-Client-DN: /
> CN=hostname" header.
>
> However my cunning plan to google for that failed miserably, returning
> no clues.
>
> I have no idea how you make apache pass that header to mongrel.

It should come as no surprise to anyone, but I'm apparently retarded. I've been sending you the wrong config -- apparently I modified my main apache.conf file, rather than using the config file I posted. Here's what's in this part of the config:

SSLEngine on
SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
SSLCertificateFile /etc/puppet/ssl/certs/puppet.madstop.com.pem
SSLCertificateKeyFile /etc/puppet/ssl/private_keys/puppet.madstop.com.pem
SSLCertificateChainFile /etc/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /etc/puppet/ssl/ca/ca_crt.pem
SSLCARevocationFile /etc/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient require
SSLVerifyDepth 1
##SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
SSLOptions +StdEnvVars
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e

<Location />
SetHandler balancer-manager
Order allow,deny
Allow from all
</Location>

I'll do more experimentation and see if I really need to use that custom header or if I can just use the main headers.

--
The only really good place to buy lumber is at a store where the lumber has already been cut and attached together in the form of furniture, finished, and put inside boxes. --Dave Barry
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
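Added example, not part of the thread and not Puppet's own code. It models the trust decision the back end has to make once Apache injects the header with "RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e" (the line Luke posted above, which is what produced the "X-Client-DN: /CN=hostname" header Marcin found in Benjamin's dump), and shows a namespaceauth.conf of the form Luke posted earlier being applied to the certificate CN. The hostnames, the DN, the HTTP request, the config text and the TRUSTED_PROXIES list are constructed; the parsing and pattern matching are an illustration of the idea, not a copy of Puppet's implementation. The security point it makes: the header is only evidence of a verified client certificate when the request actually came from the SSL-terminating proxy. "RequestHeader set" overwrites any X-Client-DN a client sends through Apache, but a client that can reach mongrel's port directly (8100 in Marcin's setup) can supply any DN it likes, so mongrel must listen on loopback or be firewalled, and the back end should check the peer address before believing the header. The "no header" case is the one that produced the "Denying unauthenticated client" messages at the top of the thread.

```ruby
# Added example, not Puppet's own code. Back end behind an SSL-terminating
# Apache that forwards the verified client certificate subject as
# "X-Client-DN: /CN=host" (mod_headers: RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e).
# All hostnames, DNs, the request and the namespaceauth.conf text are constructed.

# Assumption: mongrel listens on 127.0.0.1:8100, so the only peer that may
# legitimately present X-Client-DN is the local Apache. Any other peer that
# can reach the port can write whatever header it likes, so we never trust
# the header from anyone else.
TRUSTED_PROXIES = ['127.0.0.1'].freeze

# Constructed namespaceauth.conf in the [section] / allow pattern format.
SAMPLE_NAMESPACEAUTH = <<'CONF'
[fileserver]
allow *.gul3.gnl

[puppetmaster]
allow *.gul3.gnl

[puppetrunner]
allow puppet.gul3.gnl
CONF

# Constructed request as Apache forwards it after SSLVerifyClient require succeeded.
SAMPLE_REQUEST_WITH_DN = "POST /RPC2 HTTP/1.1\r\n" \
  "Host: puppet.gul3.gnl\r\n" \
  "X-Client-DN: /CN=guweb05.gul3.gnl\r\n" \
  "Content-Type: text/xml\r\n\r\n" \
  "<?xml version=\"1.0\"?><methodCall>...</methodCall>"

# Same request with the header missing: the proxy is not exporting the DN.
SAMPLE_REQUEST_NO_DN = SAMPLE_REQUEST_WITH_DN.sub("X-Client-DN: /CN=guweb05.gul3.gnl\r\n", '')

# Parse "[section]" / "allow pattern [pattern ...]" lines into { section => [patterns] }.
def parse_namespaceauth(text)
  conf = {}
  section = nil
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if (m = line.match(/\A\[(.+)\]\z/))
      section = m[1]
      conf[section] ||= []
    elsif section && (m = line.match(/\Aallow\s+(.+)\z/))
      conf[section].concat(m[1].split(/[\s,]+/))
    end
  end
  conf
end

# Split an HTTP/1.x request head into method, path and a lowercase-keyed header hash.
def parse_request_head(raw)
  head, _body = raw.split("\r\n\r\n", 2)
  lines = head.split("\r\n")
  method, path, _version = lines.shift.split(' ', 3)
  headers = {}
  lines.each do |l|
    name, value = l.split(':', 2)
    headers[name.strip.downcase] = value.to_s.strip
  end
  [method, path, headers]
end

# Pull the CN out of an OpenSSL one-line DN such as "/O=Example/CN=host".
def cn_from_dn(dn)
  return nil if dn.nil?
  dn.split('/').each do |rdn|
    key, value = rdn.split('=', 2)
    return value if key == 'CN' && value && !value.empty?
  end
  nil
end

# namespaceauth-style patterns: "*", "*.domain" (strict subdomain only), or an exact host.
def host_allowed?(host, patterns)
  h = host.downcase
  patterns.any? do |pat|
    p = pat.downcase
    if p == '*'
      true
    elsif p.start_with?('*.')
      h.end_with?(p[1..-1])   # "*.gul3.gnl" -> ".gul3.gnl"; "gul3.gnl" and "evilgul3.gnl" do not match
    else
      h == p
    end
  end
end

# Authorization decision for an XML-RPC call such as "puppetmaster.getconfig".
# Returns [:allow, cn] or [:deny, reason].
def authorize(peer_ip, raw_request, method_name, conf)
  unless TRUSTED_PROXIES.include?(peer_ip)
    return [:deny, "peer #{peer_ip} is not the SSL-terminating proxy; X-Client-DN ignored"]
  end
  _m, _path, headers = parse_request_head(raw_request)
  cn = cn_from_dn(headers['x-client-dn'])
  return [:deny, 'unauthenticated client (no X-Client-DN from proxy)'] if cn.nil?
  namespace = method_name.split('.', 2).first
  patterns = conf.fetch(namespace, [])
  return [:deny, "no [#{namespace}] section in namespaceauth.conf"] if patterns.empty?
  return [:deny, "#{cn} not authorized to call #{method_name}"] unless host_allowed?(cn, patterns)
  [:allow, cn]
end

if $PROGRAM_NAME == __FILE__
  conf = parse_namespaceauth(SAMPLE_NAMESPACEAUTH)
  [['127.0.0.1',    SAMPLE_REQUEST_WITH_DN, 'puppetmaster.getconfig'],  # proxy, verified cert
   ['127.0.0.1',    SAMPLE_REQUEST_NO_DN,   'puppetmaster.getconfig'],  # proxy not exporting DN
   ['10.250.12.78', SAMPLE_REQUEST_WITH_DN, 'puppetmaster.getconfig'],  # direct hit on 8100, forged header
   ['127.0.0.1',    SAMPLE_REQUEST_WITH_DN, 'puppetrunner.run']].each do |ip, req, call|
    puts "#{ip} #{call}: #{authorize(ip, req, call, conf).inspect}"
  end
end
```

Two checks on the Apache side go with this. %{SSL_CLIENT_S_DN}e is only populated when mod_ssl exports its variables (SSLOptions +StdEnvVars in the posted config), and RequestHeader comes from mod_headers, which is the headers.load symlink in Luke's module listing; without either, the back end sees exactly the "no X-Client-DN" case above. The <Location /> block in the posted config also hands the balancer-manager handler to every client (Allow from all); restrict it to administrative addresses, or put it on its own path, before running this in production. The SSLCipherSuite line, with SSLv2 and RC4, is worth replacing with a current suite as well, though that is separate from the authorization problem.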