Puppet users - Sep 2009 - Error 403 on SERVER: Forbidden request:

I''m having this problem :

When a client vpsXXX  tries to get the catalog it returns this error:

vpsXXX:~# puppetd -tv
warning: peer certificate won''t be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won''t be verified in this SSL session
err: Could not retrieve catalog from remote server: Error 403 on
SERVER: Forbidden request: xx.xxx.xx.xxx(7.12.44.225) access to /
catalog/vpsXXX.domain.XX [find] at line 0

In puppetmaster I see this error;

Sep 11 11:05:07 vps200 puppetmasterd[3705]: Could not resolve
7.12.44.225: no name for 7.12.44.225
Sep 11 11:05:07 vps200 puppetmasterd[3742]: Could not resolve
7.12.44.225: no name for 7.12.44.225
Sep 11 11:05:07 vps200 puppetmasterd[3742]: (access[/]) defaulting to
no access for 7.12.44.225
Sep 11 11:05:07 vps200 puppetmasterd[3742]: Denying access: Forbidden
request: 7.12.44.225(7.12.44.225) access to /catalog/vpsXXX.domain.XX
[find] at line 0
Sep 11 11:05:07 vps200 puppetmasterd[3742]: Forbidden request:
7.12.44.225(7.12.44.225) access to /catalog/vpsXXX.domain.XX [find] at
line 0

Where 7.12.44.225 and vpsXXX.domain.XX are the puppet client and
VPS200 is puppetmaster.

Others puppet clients are working pretty well.

Any ideas?

regards,
Israel.


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

On Fri, 2009-09-11 at 08:12 -0700, ELTigre wrote:
> I''m having this problem :
> 
> When a client vpsXXX  tries to get the catalog it returns this error:
> 
> vpsXXX:~# puppetd -tv
> warning: peer certificate won''t be verified in this SSL session
> info: Caching certificate for ca
> warning: peer certificate won''t be verified in this SSL session
I''m afraid this is the root cause of your issues ^
> err: Could not retrieve catalog from remote server: Error 403 on
> SERVER: Forbidden request: xx.xxx.xx.xxx(7.12.44.225) access to /
> catalog/vpsXXX.domain.XX [find] at line 0
Yes, your client is trying to fetch a configuration but it is not
authenticated, so the server denies the access.

Fixing this client certificate should fix the issue.
-- 
Brice Figureau
My Blog: http://www.masterzen.fr/


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

On Sep 11, 10:58 am, Brice Figureau <brice-pup...@daysofwonder.com>
wrote:
> On Fri, 2009-09-11 at 08:12 -0700, ELTigre wrote:
> > I''m having this problem :
>
> > When a client vpsXXX  tries to get the catalog it returns this error:
>
> > vpsXXX:~# puppetd -tv
> > warning: peer certificate won''t be verified in this SSL
session
> > info: Caching certificate for ca
> > warning: peer certificate won''t be verified in this SSL
session
>
> I''m afraid this is the root cause of your issues ^
>
> > err: Could not retrieve catalog from remote server: Error 403 on
> > SERVER: Forbidden request: xx.xxx.xx.xxx(7.12.44.225) access to /
> > catalog/vpsXXX.domain.XX [find] at line 0
>
> Yes, your client is trying to fetch a configuration but it is not
> authenticated, so the server denies the access.
Hi Brice,
I run puppetmasterd running this command:
puppetmasterd --debug --verbose --no-daemonize

and when the client connect this is the log from puppetmaster:

err: Could not resolve 67.212.94.125: no name for 7.112.94.125
info: Inserting default ''~ ^/catalog/([^/]+)$''(auth) acl
because /etc/
puppet/auth.conf doesn''t exist
info: Inserting default ''/file''(non-auth) acl because
/etc/puppet/
auth.conf doesn''t exist
info: Inserting default
''/certificate_revocation_list/ca''(auth) acl
because /etc/puppet/auth.conf doesn''t exist
info: Inserting default ''/report''(auth) acl because
/etc/puppet/
auth.conf doesn''t exist
info: Inserting default ''/certificate/ca''(non-auth) acl
because /etc/
puppet/auth.conf doesn''t exist
info: Inserting default ''/certificate/''(non-auth) acl because
/etc/
puppet/auth.conf doesn''t exist
info: Inserting default ''/certificate_request''(non-auth) acl
because /
etc/puppet/auth.conf doesn''t exist
err: Could not resolve 7.212.94.125: no name for 7.112.94.125
info: access[/]: defaulting to no access for 7.212.94.125
warning: Denying access: Forbidden request: 7.212.94.125(7.212.94.125)
access to /catalog/vpsXXX.domain.XX [find] at line 0
err: Forbidden request: 7.212.94.125(7.212.94.125) access to /catalog/
vpsXXX.domain.XX [find] at line 0

Before puppet upgrade from 0.24.8 to 0.25 I didn''t use auth.conf. I
don''t know why is asking me this now.

thanks a lot.
regards,
Israel.
>
> Fixing this client certificate should fix the issue.
> --
> Brice Figureau
> My Blog:http://www.masterzen.fr/
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

On Fri, Sep 11, 2009 at 05:58:11PM +0200, Brice Figureau
wrote:
> 
> On Fri, 2009-09-11 at 08:12 -0700, ELTigre wrote:
> > I''m having this problem :
> > 
> > When a client vpsXXX  tries to get the catalog it returns this error:
> > 
> > vpsXXX:~# puppetd -tv
> > warning: peer certificate won''t be verified in this SSL
session
> > info: Caching certificate for ca
> > warning: peer certificate won''t be verified in this SSL
session
> 
> I''m afraid this is the root cause of your issues ^
> 
> > err: Could not retrieve catalog from remote server: Error 403 on
> > SERVER: Forbidden request: xx.xxx.xx.xxx(7.12.44.225) access to /
> > catalog/vpsXXX.domain.XX [find] at line 0
> 
> Yes, your client is trying to fetch a configuration but it is not
> authenticated, so the server denies the access.
> 
> Fixing this client certificate should fix the issue.
Well, then these is another bug that is causing this.  Because I''ve
cleaned out the client cert using puppetca, reinstalled puppet on the
client side, verified that the key is getting signed, and I have the
same problem.  And this only affects some clients - only ones using
0.25.  The ones still on 0.24.8 are great, as are some of the ones on
0.25.  So how should I "fix" the client certificate?

David

On 11/09/09 19:17, David Bishop wrote:
> On Fri, Sep 11, 2009 at 05:58:11PM +0200, Brice Figureau wrote:
>> On Fri, 2009-09-11 at 08:12 -0700, ELTigre wrote:
>>> I''m having this problem :
>>>
>>> When a client vpsXXX  tries to get the catalog it returns this
error:
>>>
>>> vpsXXX:~# puppetd -tv
>>> warning: peer certificate won''t be verified in this SSL
session
>>> info: Caching certificate for ca
>>> warning: peer certificate won''t be verified in this SSL
session
>> I''m afraid this is the root cause of your issues ^
>>
>>> err: Could not retrieve catalog from remote server: Error 403 on
>>> SERVER: Forbidden request: xx.xxx.xx.xxx(7.12.44.225) access to /
>>> catalog/vpsXXX.domain.XX [find] at line 0
>> Yes, your client is trying to fetch a configuration but it is not
>> authenticated, so the server denies the access.
>>
>> Fixing this client certificate should fix the issue.
> 
> Well, then these is another bug that is causing this.  Because
I''ve
> cleaned out the client cert using puppetca, reinstalled puppet on the
> client side, verified that the key is getting signed, and I have the
> same problem.  
I don''t say it''s not a bug, I was just decoding the error
message. The
error message says that access to the configuration is denied _because_ 
the connection is not authenticated. The real question is why this 
connection is not authenticated.
The warning outlined above seemed suspect in this respect.

Can you post puppetd --test --debug and puppetmasterd --debug --trace 
logs to see if we could get more information.
> And this only affects some clients - only ones using
> 0.25.  The ones still on 0.24.8 are great, as are some of the ones on
> 0.25.  So how should I "fix" the client certificate?
Do you use webrick, apache+mongrel or something else?
Some of the proxy setup use a different port for some aspect of Puppet 
communication (like --ca_port). I''m wondering if that particular client
might not use the wrong port for the catalog access.
-- 
Brice Figureau
My Blog: http://www.masterzen.fr/


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

On 11/09/09 18:46, ELTigre wrote:
> 
> On Sep 11, 10:58 am, Brice Figureau <brice-pup...@daysofwonder.com>
> wrote:
>> On Fri, 2009-09-11 at 08:12 -0700, ELTigre wrote:
>>> I''m having this problem :
>>> When a client vpsXXX  tries to get the catalog it returns this
error:
>>> vpsXXX:~# puppetd -tv
>>> warning: peer certificate won''t be verified in this SSL
session
>>> info: Caching certificate for ca
>>> warning: peer certificate won''t be verified in this SSL
session
>> I''m afraid this is the root cause of your issues ^
>>
>>> err: Could not retrieve catalog from remote server: Error 403 on
>>> SERVER: Forbidden request: xx.xxx.xx.xxx(7.12.44.225) access to /
>>> catalog/vpsXXX.domain.XX [find] at line 0
>> Yes, your client is trying to fetch a configuration but it is not
>> authenticated, so the server denies the access.
> Hi Brice,
> I run puppetmasterd running this command:
> puppetmasterd --debug --verbose --no-daemonize
> 
> and when the client connect this is the log from puppetmaster:
> 
> err: Could not resolve 67.212.94.125: no name for 7.112.94.125
> info: Inserting default ''~ ^/catalog/([^/]+)$''(auth) acl
because /etc/
> puppet/auth.conf doesn''t exist
> info: Inserting default ''/file''(non-auth) acl because
/etc/puppet/
> auth.conf doesn''t exist
> info: Inserting default
''/certificate_revocation_list/ca''(auth) acl
> because /etc/puppet/auth.conf doesn''t exist
> info: Inserting default ''/report''(auth) acl because
/etc/puppet/
> auth.conf doesn''t exist
> info: Inserting default ''/certificate/ca''(non-auth) acl
because /etc/
> puppet/auth.conf doesn''t exist
> info: Inserting default ''/certificate/''(non-auth) acl
because /etc/
> puppet/auth.conf doesn''t exist
> info: Inserting default ''/certificate_request''(non-auth)
acl because /
> etc/puppet/auth.conf doesn''t exist
> err: Could not resolve 7.212.94.125: no name for 7.112.94.125
> info: access[/]: defaulting to no access for 7.212.94.125
> warning: Denying access: Forbidden request: 7.212.94.125(7.212.94.125)
> access to /catalog/vpsXXX.domain.XX [find] at line 0
> err: Forbidden request: 7.212.94.125(7.212.94.125) access to /catalog/
> vpsXXX.domain.XX [find] at line 0
> 
> Before puppet upgrade from 0.24.8 to 0.25 I didn''t use auth.conf.
I
> don''t know why is asking me this now.
> 
It''s not asking for an auth.conf, it just says that you don''t
have one
so it uses default sane rules. It is possible that on your environment 
those rules are not sane. If you want to know more about auth.conf 
please read the 0.25 release notes.

So same question as the one I sent to David Bishop, how do you run your 
master? (ie with mongrel, webrick, passenger?)
It might be possible something on your environment mistakenly let puppet 
think your client is not authenticated where it should.
-- 
Brice Figureau
My Blog: http://www.masterzen.fr/


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

On 11/09/09 20:27, Andrew Shafer wrote:
> This looks like the same problem:
> http://projects.reductivelabs.com/issues/2619
> 
> Any thing you might add to the issue would be appreciated.
Yes, this is #2619, which is to me essentially the same issue as in #2617:
http://projects.reductivelabs.com/issues/2617

And all comes down to the fact the client doesn''t have 
$ssldir/certs/ca.pem, which in turns comes from the fact that the master 
   doesn''t run on top of a 0.25 generated $ssldir.
-- 
Brice Figureau
My Blog: http://www.masterzen.fr/


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---