I''m having this problem : When a client vpsXXX tries to get the catalog it returns this error: vpsXXX:~# puppetd -tv warning: peer certificate won''t be verified in this SSL session info: Caching certificate for ca warning: peer certificate won''t be verified in this SSL session err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: xx.xxx.xx.xxx(7.12.44.225) access to / catalog/vpsXXX.domain.XX [find] at line 0 In puppetmaster I see this error; Sep 11 11:05:07 vps200 puppetmasterd[3705]: Could not resolve 7.12.44.225: no name for 7.12.44.225 Sep 11 11:05:07 vps200 puppetmasterd[3742]: Could not resolve 7.12.44.225: no name for 7.12.44.225 Sep 11 11:05:07 vps200 puppetmasterd[3742]: (access[/]) defaulting to no access for 7.12.44.225 Sep 11 11:05:07 vps200 puppetmasterd[3742]: Denying access: Forbidden request: 7.12.44.225(7.12.44.225) access to /catalog/vpsXXX.domain.XX [find] at line 0 Sep 11 11:05:07 vps200 puppetmasterd[3742]: Forbidden request: 7.12.44.225(7.12.44.225) access to /catalog/vpsXXX.domain.XX [find] at line 0 Where 7.12.44.225 and vpsXXX.domain.XX are the puppet client and VPS200 is puppetmaster. Others puppet clients are working pretty well. Any ideas? regards, Israel. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---
Brice Figureau
2009-Sep-11 15:58 UTC
[Puppet Users] Re: Error 403 on SERVER: Forbidden request:
On Fri, 2009-09-11 at 08:12 -0700, ELTigre wrote:> I''m having this problem : > > When a client vpsXXX tries to get the catalog it returns this error: > > vpsXXX:~# puppetd -tv > warning: peer certificate won''t be verified in this SSL session > info: Caching certificate for ca > warning: peer certificate won''t be verified in this SSL sessionI''m afraid this is the root cause of your issues ^> err: Could not retrieve catalog from remote server: Error 403 on > SERVER: Forbidden request: xx.xxx.xx.xxx(7.12.44.225) access to / > catalog/vpsXXX.domain.XX [find] at line 0Yes, your client is trying to fetch a configuration but it is not authenticated, so the server denies the access. Fixing this client certificate should fix the issue. -- Brice Figureau My Blog: http://www.masterzen.fr/ --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---
On Sep 11, 10:58 am, Brice Figureau <brice-pup...@daysofwonder.com> wrote:> On Fri, 2009-09-11 at 08:12 -0700, ELTigre wrote: > > I''m having this problem : > > > When a client vpsXXX tries to get the catalog it returns this error: > > > vpsXXX:~# puppetd -tv > > warning: peer certificate won''t be verified in this SSL session > > info: Caching certificate for ca > > warning: peer certificate won''t be verified in this SSL session > > I''m afraid this is the root cause of your issues ^ > > > err: Could not retrieve catalog from remote server: Error 403 on > > SERVER: Forbidden request: xx.xxx.xx.xxx(7.12.44.225) access to / > > catalog/vpsXXX.domain.XX [find] at line 0 > > Yes, your client is trying to fetch a configuration but it is not > authenticated, so the server denies the access.Hi Brice, I run puppetmasterd running this command: puppetmasterd --debug --verbose --no-daemonize and when the client connect this is the log from puppetmaster: err: Could not resolve 67.212.94.125: no name for 7.112.94.125 info: Inserting default ''~ ^/catalog/([^/]+)$''(auth) acl because /etc/ puppet/auth.conf doesn''t exist info: Inserting default ''/file''(non-auth) acl because /etc/puppet/ auth.conf doesn''t exist info: Inserting default ''/certificate_revocation_list/ca''(auth) acl because /etc/puppet/auth.conf doesn''t exist info: Inserting default ''/report''(auth) acl because /etc/puppet/ auth.conf doesn''t exist info: Inserting default ''/certificate/ca''(non-auth) acl because /etc/ puppet/auth.conf doesn''t exist info: Inserting default ''/certificate/''(non-auth) acl because /etc/ puppet/auth.conf doesn''t exist info: Inserting default ''/certificate_request''(non-auth) acl because / etc/puppet/auth.conf doesn''t exist err: Could not resolve 7.212.94.125: no name for 7.112.94.125 info: access[/]: defaulting to no access for 7.212.94.125 warning: Denying access: Forbidden request: 7.212.94.125(7.212.94.125) access to /catalog/vpsXXX.domain.XX [find] at line 0 err: Forbidden request: 7.212.94.125(7.212.94.125) access to /catalog/ vpsXXX.domain.XX [find] at line 0 Before puppet upgrade from 0.24.8 to 0.25 I didn''t use auth.conf. I don''t know why is asking me this now. thanks a lot. regards, Israel.> > Fixing this client certificate should fix the issue. > -- > Brice Figureau > My Blog:http://www.masterzen.fr/--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---
David Bishop
2009-Sep-11 17:17 UTC
[Puppet Users] Re: Error 403 on SERVER: Forbidden request:
On Fri, Sep 11, 2009 at 05:58:11PM +0200, Brice Figureau wrote:> > On Fri, 2009-09-11 at 08:12 -0700, ELTigre wrote: > > I''m having this problem : > > > > When a client vpsXXX tries to get the catalog it returns this error: > > > > vpsXXX:~# puppetd -tv > > warning: peer certificate won''t be verified in this SSL session > > info: Caching certificate for ca > > warning: peer certificate won''t be verified in this SSL session > > I''m afraid this is the root cause of your issues ^ > > > err: Could not retrieve catalog from remote server: Error 403 on > > SERVER: Forbidden request: xx.xxx.xx.xxx(7.12.44.225) access to / > > catalog/vpsXXX.domain.XX [find] at line 0 > > Yes, your client is trying to fetch a configuration but it is not > authenticated, so the server denies the access. > > Fixing this client certificate should fix the issue.Well, then these is another bug that is causing this. Because I''ve cleaned out the client cert using puppetca, reinstalled puppet on the client side, verified that the key is getting signed, and I have the same problem. And this only affects some clients - only ones using 0.25. The ones still on 0.24.8 are great, as are some of the ones on 0.25. So how should I "fix" the client certificate? David
Brice Figureau
2009-Sep-11 17:57 UTC
[Puppet Users] Re: Error 403 on SERVER: Forbidden request:
On 11/09/09 19:17, David Bishop wrote:> On Fri, Sep 11, 2009 at 05:58:11PM +0200, Brice Figureau wrote: >> On Fri, 2009-09-11 at 08:12 -0700, ELTigre wrote: >>> I''m having this problem : >>> >>> When a client vpsXXX tries to get the catalog it returns this error: >>> >>> vpsXXX:~# puppetd -tv >>> warning: peer certificate won''t be verified in this SSL session >>> info: Caching certificate for ca >>> warning: peer certificate won''t be verified in this SSL session >> I''m afraid this is the root cause of your issues ^ >> >>> err: Could not retrieve catalog from remote server: Error 403 on >>> SERVER: Forbidden request: xx.xxx.xx.xxx(7.12.44.225) access to / >>> catalog/vpsXXX.domain.XX [find] at line 0 >> Yes, your client is trying to fetch a configuration but it is not >> authenticated, so the server denies the access. >> >> Fixing this client certificate should fix the issue. > > Well, then these is another bug that is causing this. Because I''ve > cleaned out the client cert using puppetca, reinstalled puppet on the > client side, verified that the key is getting signed, and I have the > same problem.I don''t say it''s not a bug, I was just decoding the error message. The error message says that access to the configuration is denied _because_ the connection is not authenticated. The real question is why this connection is not authenticated. The warning outlined above seemed suspect in this respect. Can you post puppetd --test --debug and puppetmasterd --debug --trace logs to see if we could get more information.> And this only affects some clients - only ones using > 0.25. The ones still on 0.24.8 are great, as are some of the ones on > 0.25. So how should I "fix" the client certificate?Do you use webrick, apache+mongrel or something else? Some of the proxy setup use a different port for some aspect of Puppet communication (like --ca_port). I''m wondering if that particular client might not use the wrong port for the catalog access. -- Brice Figureau My Blog: http://www.masterzen.fr/ --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---
Brice Figureau
2009-Sep-11 18:10 UTC
[Puppet Users] Re: Error 403 on SERVER: Forbidden request:
On 11/09/09 18:46, ELTigre wrote:> > On Sep 11, 10:58 am, Brice Figureau <brice-pup...@daysofwonder.com> > wrote: >> On Fri, 2009-09-11 at 08:12 -0700, ELTigre wrote: >>> I''m having this problem : >>> When a client vpsXXX tries to get the catalog it returns this error: >>> vpsXXX:~# puppetd -tv >>> warning: peer certificate won''t be verified in this SSL session >>> info: Caching certificate for ca >>> warning: peer certificate won''t be verified in this SSL session >> I''m afraid this is the root cause of your issues ^ >> >>> err: Could not retrieve catalog from remote server: Error 403 on >>> SERVER: Forbidden request: xx.xxx.xx.xxx(7.12.44.225) access to / >>> catalog/vpsXXX.domain.XX [find] at line 0 >> Yes, your client is trying to fetch a configuration but it is not >> authenticated, so the server denies the access. > Hi Brice, > I run puppetmasterd running this command: > puppetmasterd --debug --verbose --no-daemonize > > and when the client connect this is the log from puppetmaster: > > err: Could not resolve 67.212.94.125: no name for 7.112.94.125 > info: Inserting default ''~ ^/catalog/([^/]+)$''(auth) acl because /etc/ > puppet/auth.conf doesn''t exist > info: Inserting default ''/file''(non-auth) acl because /etc/puppet/ > auth.conf doesn''t exist > info: Inserting default ''/certificate_revocation_list/ca''(auth) acl > because /etc/puppet/auth.conf doesn''t exist > info: Inserting default ''/report''(auth) acl because /etc/puppet/ > auth.conf doesn''t exist > info: Inserting default ''/certificate/ca''(non-auth) acl because /etc/ > puppet/auth.conf doesn''t exist > info: Inserting default ''/certificate/''(non-auth) acl because /etc/ > puppet/auth.conf doesn''t exist > info: Inserting default ''/certificate_request''(non-auth) acl because / > etc/puppet/auth.conf doesn''t exist > err: Could not resolve 7.212.94.125: no name for 7.112.94.125 > info: access[/]: defaulting to no access for 7.212.94.125 > warning: Denying access: Forbidden request: 7.212.94.125(7.212.94.125) > access to /catalog/vpsXXX.domain.XX [find] at line 0 > err: Forbidden request: 7.212.94.125(7.212.94.125) access to /catalog/ > vpsXXX.domain.XX [find] at line 0 > > Before puppet upgrade from 0.24.8 to 0.25 I didn''t use auth.conf. I > don''t know why is asking me this now. >It''s not asking for an auth.conf, it just says that you don''t have one so it uses default sane rules. It is possible that on your environment those rules are not sane. If you want to know more about auth.conf please read the 0.25 release notes. So same question as the one I sent to David Bishop, how do you run your master? (ie with mongrel, webrick, passenger?) It might be possible something on your environment mistakenly let puppet think your client is not authenticated where it should. -- Brice Figureau My Blog: http://www.masterzen.fr/ --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---
Brice Figureau
2009-Sep-12 10:48 UTC
[Puppet Users] Re: Error 403 on SERVER: Forbidden request:
On 11/09/09 20:27, Andrew Shafer wrote:> This looks like the same problem: > http://projects.reductivelabs.com/issues/2619 > > Any thing you might add to the issue would be appreciated.Yes, this is #2619, which is to me essentially the same issue as in #2617: http://projects.reductivelabs.com/issues/2617 And all comes down to the fact the client doesn''t have $ssldir/certs/ca.pem, which in turns comes from the fact that the master doesn''t run on top of a 0.25 generated $ssldir. -- Brice Figureau My Blog: http://www.masterzen.fr/ --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---