Puppet users - Sep 2009 - authentication issue with passenger

Hello,

When I run puppetmasterd (0.25.1.rc1) with webrick, it works fine and  
my test client and connect and do everything it needs to do.

When I run pappetmasterd with passenger (2.2.2) I see the following  
error in the log:

Thu Sep 24 10:09:43 puppet-dev puppetmasterd[732] <Notice>: Denying  
unauthenticated client marcusmini-a.lanl.gov(<ip removed>) access to  
fileserver.list

there are a number of related errors all seemingly stemming from this  
authentication error.

Any ideas? Any more info that could help?

---
Thanks,

Allan Marcus
505-667-5666




--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Did you happen to turn on Apache''s Cert verification?

If so, you''ll need to set up a puppet CA on a different port.

Trevor

On Thu, Sep 24, 2009 at 12:13, Allan Marcus <allan@lanl.gov>
wrote:
>
> Hello,
>
> When I run puppetmasterd (0.25.1.rc1) with webrick, it works fine and
> my test client and connect and do everything it needs to do.
>
> When I run pappetmasterd with passenger (2.2.2) I see the following
> error in the log:
>
> Thu Sep 24 10:09:43 puppet-dev puppetmasterd[732] <Notice>: Denying
> unauthenticated client marcusmini-a.lanl.gov(<ip removed>) access to
> fileserver.list
>
> there are a number of related errors all seemingly stemming from this
> authentication error.
>
> Any ideas? Any more info that could help?
>
> ---
> Thanks,
>
> Allan Marcus
> 505-667-5666
>
>
>
>
> >
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Umm, I don''t think that is the issue. I''m pretty sure this is
something puppet server related. the next line reads:

Thu Sep 24 12:11:31 puppet-dev puppetmasterd[1196] <Notice>: Denying  
unauthenticated client marcusmini-a.lanl.gov(128.165.129.167) access  
to fileserver.list
Thu Sep 24 12:11:31 puppet-dev puppetmasterd[1196] <Error>: Puppet  
Server (Rack): Internal Server Error: Unhandled Exception: "Host  
marcusmini-a.lanl.gov(128.165.129.167) not authorized to call  
fileserver.list"
Thu Sep 24 12:11:31 puppet-dev puppetmasterd[1196] <Notice>: Denying  
unauthenticated client marcusmini-a.lanl.gov(128.165.129.167) access  
to fileserver.describe
Thu Sep 24 12:11:31 puppet-dev puppetmasterd[1196] <Error>: Puppet  
Server (Rack): Internal Server Error: Unhandled Exception: "Host  
marcusmini-a.lanl.gov(128.165.129.167) not authorized to call  
fileserver.describe"
Thu Sep 24 12:11:33 puppet-dev puppetmasterd[1196] <Notice>: Denying  
unauthenticated client marcusmini-a.lanl.gov(128.165.129.167) access  
to puppetmaster.getconfig
Thu Sep 24 12:11:33 puppet-dev puppetmasterd[1196] <Error>: Puppet  
Server (Rack): Internal Server Error: Unhandled Exception: "Host  
marcusmini-a.lanl.gov(128.165.129.167) not authorized to call  
puppetmaster.getconfig"

Where do I set up that machines can access these files?
Why is this different using passenger than webrick?



---
Thanks,

Allan Marcus
505-667-5666



On Sep 24, 2009, at 11:14 AM, Trevor Vaughan wrote:
>
> Did you happen to turn on Apache''s Cert verification?
>
> If so, you''ll need to set up a puppet CA on a different port.
>
> Trevor
>
> On Thu, Sep 24, 2009 at 12:13, Allan Marcus <allan@lanl.gov> wrote:
>>
>> Hello,
>>
>> When I run puppetmasterd (0.25.1.rc1) with webrick, it works fine and
>> my test client and connect and do everything it needs to do.
>>
>> When I run pappetmasterd with passenger (2.2.2) I see the following
>> error in the log:
>>
>> Thu Sep 24 10:09:43 puppet-dev puppetmasterd[732] <Notice>:
Denying
>> unauthenticated client marcusmini-a.lanl.gov(<ip removed>) access
to
>> fileserver.list
>>
>> there are a number of related errors all seemingly stemming from this
>> authentication error.
>>
>> Any ideas? Any more info that could help?
>>
>> ---
>> Thanks,
>>
>> Allan Marcus
>> 505-667-5666
>>
>>
>>
>>
>>>
>>
>
> >

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Ug.

does anyone have any idea why my clients can connect just fine when  
using webrick but cannot when using passenger? this only happens with  
puppetmasterd 0.25.x. When the client tries to connect I see:

puppetmasterd[3485] <Notice>: Starting Puppet server version 0.25.1
puppetmasterd[3485] <Warning>: Denying access: Forbidden request:  
marcusmini-a.lanl.gov(128.165.129.167) access to /file_metadata/facts \ 
[search\] at line 0
puppetmasterd[3485] <Error>: Forbidden request: marcusmini- 
a.lanl.gov(128.165.129.167) access to /file_metadata/facts \[search\]  
at line 0
puppetmasterd[3485] <Warning>: Denying access: Forbidden request:  
marcusmini-a.lanl.gov(128.165.129.167) access to /file_metadata/facts \ 
[find\] at line 0
puppetmasterd[3485] <Error>: Forbidden request: marcusmini- 
a.lanl.gov(128.165.129.167) access to /file_metadata/facts \[find\] at  
line 0
puppetmasterd[3485] <Warning>: Denying access: Forbidden request:  
marcusmini-a.lanl.gov(128.165.129.167) access to /catalog/marcusmini- 
a.lanl.gov \[find\] at line 0
puppetmasterd[3485] <Error>: Forbidden request: marcusmini- 
a.lanl.gov(128.165.129.167) access to /catalog/marcusmini-a.lanl.gov \ 
[find\] at line 0
puppetmasterd[3485] <Warning>: Denying access: Forbidden request:  
marcusmini-a.lanl.gov(128.165.129.167) access to /file_metadata/ 
dlanlbaseline/getDefsDate.sh \[find\] at line 0
puppetmasterd[3485] <Error>: Forbidden request: marcusmini- 
a.lanl.gov(128.165.129.167) access to /file_metadata/dlanlbaseline/ 
getDefsDate.sh \[find\] at line 0

If I use the sample auth.conf file and set
auth no
allow *
everything works, but I''m pretty sure that is not a good idea. Since  
it all works when using webrick and doesn''t work when using passenger,
could the issue be that passenger is not passing the clients certs to  
puppetmasterd, and therefore puppetmasterd is thinking the client in  
unauthenticated?


---
Thanks,

Allan Marcus
505-667-5666



On Sep 24, 2009, at 10:13 AM, Allan Marcus wrote:
>
> Hello,
>
> When I run puppetmasterd (0.25.1.rc1) with webrick, it works fine and
> my test client and connect and do everything it needs to do.
>
> When I run pappetmasterd with passenger (2.2.2) I see the following
> error in the log:
>
> Thu Sep 24 10:09:43 puppet-dev puppetmasterd[732] <Notice>: Denying
> unauthenticated client marcusmini-a.lanl.gov(<ip removed>) access to
> fileserver.list
>
> there are a number of related errors all seemingly stemming from this
> authentication error.
>
> Any ideas? Any more info that could help?
>
> ---
> Thanks,
>
> Allan Marcus
> 505-667-5666
>
>
>
>
> >

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Allan Marcus wrote:
> Ug.
>
> does anyone have any idea why my clients can connect just fine when  
> using webrick but cannot when using passenger? this only happens with  
> puppetmasterd 0.25.x. When the client tries to connect I see:
>
> puppetmasterd[3485] <Notice>: Starting Puppet server version 0.25.1
> puppetmasterd[3485] <Warning>: Denying access: Forbidden request:  
> marcusmini-a.lanl.gov(128.165.129.167) access to /file_metadata/facts \ 
> [search\] at line 0
> puppetmasterd[3485] <Error>: Forbidden request: marcusmini- 
> a.lanl.gov(128.165.129.167) access to /file_metadata/facts \[search\]  
> at line 0
> puppetmasterd[3485] <Warning>: Denying access: Forbidden request:  
> marcusmini-a.lanl.gov(128.165.129.167) access to /file_metadata/facts \ 
> [find\] at line 0
> puppetmasterd[3485] <Error>: Forbidden request: marcusmini- 
> a.lanl.gov(128.165.129.167) access to /file_metadata/facts \[find\] at  
> line 0
> puppetmasterd[3485] <Warning>: Denying access: Forbidden request:  
> marcusmini-a.lanl.gov(128.165.129.167) access to /catalog/marcusmini- 
> a.lanl.gov \[find\] at line 0
> puppetmasterd[3485] <Error>: Forbidden request: marcusmini- 
> a.lanl.gov(128.165.129.167) access to /catalog/marcusmini-a.lanl.gov \ 
> [find\] at line 0
> puppetmasterd[3485] <Warning>: Denying access: Forbidden request:  
> marcusmini-a.lanl.gov(128.165.129.167) access to /file_metadata/ 
> dlanlbaseline/getDefsDate.sh \[find\] at line 0
> puppetmasterd[3485] <Error>: Forbidden request: marcusmini- 
> a.lanl.gov(128.165.129.167) access to /file_metadata/dlanlbaseline/ 
> getDefsDate.sh \[find\] at line 0
>
> If I use the sample auth.conf file and set
> auth no
> allow *
> everything works, but I''m pretty sure that is not a good idea.
Since
> it all works when using webrick and doesn''t work when using
passenger,
> could the issue be that passenger is not passing the clients certs to  
> puppetmasterd, and therefore puppetmasterd is thinking the client in  
> unauthenticated?
>
>
> ---
> Thanks,
>
> Allan Marcus
> 505-667-5666
>
>
>
> On Sep 24, 2009, at 10:13 AM, Allan Marcus wrote:
>
>   
>> Hello,
>>
>> When I run puppetmasterd (0.25.1.rc1) with webrick, it works fine and
>> my test client and connect and do everything it needs to do.
>>
>> When I run pappetmasterd with passenger (2.2.2) I see the following
>> error in the log:
>>
>> Thu Sep 24 10:09:43 puppet-dev puppetmasterd[732] <Notice>:
Denying
>> unauthenticated client marcusmini-a.lanl.gov(<ip removed>) access
to
>> fileserver.list
>>
>> there are a number of related errors all seemingly stemming from this
>> authentication error.
>>
>> Any ideas? Any more info that could help?
>>
>> ---
>> Thanks,
>>
>> Allan Marcus
>> 505-667-5666
>>
>>
>>
>>
>>     
>
>
> >
>   
You might be running puppet master under a different user or the puppet 
master certificate changed because puppet thinks it has a different 
name. Other than that I have no ideea. :-?


Silviu

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

In both cases puppetmasterd is run as the puppet user, at least  
according to ps.

---
Thanks,

Allan Marcus
505-667-5666



On Sep 25, 2009, at 4:38 AM, Silviu Paragina wrote:
>
> Allan Marcus wrote:
>> Ug.
>>
>> does anyone have any idea why my clients can connect just fine when
>> using webrick but cannot when using passenger? this only happens with
>> puppetmasterd 0.25.x. When the client tries to connect I see:
>>
>> puppetmasterd[3485] <Notice>: Starting Puppet server version
0.25.1
>> puppetmasterd[3485] <Warning>: Denying access: Forbidden request:
>> marcusmini-a.lanl.gov(128.165.129.167) access to /file_metadata/ 
>> facts \
>> [search\] at line 0
>> puppetmasterd[3485] <Error>: Forbidden request: marcusmini-
>> a.lanl.gov(128.165.129.167) access to /file_metadata/facts \[search\]
>> at line 0
>> puppetmasterd[3485] <Warning>: Denying access: Forbidden request:
>> marcusmini-a.lanl.gov(128.165.129.167) access to /file_metadata/ 
>> facts \
>> [find\] at line 0
>> puppetmasterd[3485] <Error>: Forbidden request: marcusmini-
>> a.lanl.gov(128.165.129.167) access to /file_metadata/facts \[find\]  
>> at
>> line 0
>> puppetmasterd[3485] <Warning>: Denying access: Forbidden request:
>> marcusmini-a.lanl.gov(128.165.129.167) access to /catalog/marcusmini-
>> a.lanl.gov \[find\] at line 0
>> puppetmasterd[3485] <Error>: Forbidden request: marcusmini-
>> a.lanl.gov(128.165.129.167) access to /catalog/marcusmini- 
>> a.lanl.gov \
>> [find\] at line 0
>> puppetmasterd[3485] <Warning>: Denying access: Forbidden request:
>> marcusmini-a.lanl.gov(128.165.129.167) access to /file_metadata/
>> dlanlbaseline/getDefsDate.sh \[find\] at line 0
>> puppetmasterd[3485] <Error>: Forbidden request: marcusmini-
>> a.lanl.gov(128.165.129.167) access to /file_metadata/dlanlbaseline/
>> getDefsDate.sh \[find\] at line 0
>>
>> If I use the sample auth.conf file and set
>> auth no
>> allow *
>> everything works, but I''m pretty sure that is not a good idea.
Since
>> it all works when using webrick and doesn''t work when using  
>> passenger,
>> could the issue be that passenger is not passing the clients certs to
>> puppetmasterd, and therefore puppetmasterd is thinking the client in
>> unauthenticated?
>>
>>
>> ---
>> Thanks,
>>
>> Allan Marcus
>> 505-667-5666
>>
>>
>>
>> On Sep 24, 2009, at 10:13 AM, Allan Marcus wrote:
>>
>>
>>> Hello,
>>>
>>> When I run puppetmasterd (0.25.1.rc1) with webrick, it works fine  
>>> and
>>> my test client and connect and do everything it needs to do.
>>>
>>> When I run pappetmasterd with passenger (2.2.2) I see the following
>>> error in the log:
>>>
>>> Thu Sep 24 10:09:43 puppet-dev puppetmasterd[732] <Notice>:
Denying
>>> unauthenticated client marcusmini-a.lanl.gov(<ip removed>)
access to
>>> fileserver.list
>>>
>>> there are a number of related errors all seemingly stemming from  
>>> this
>>> authentication error.
>>>
>>> Any ideas? Any more info that could help?
>>>
>>> ---
>>> Thanks,
>>>
>>> Allan Marcus
>>> 505-667-5666
>>>
>>>
>>>
>>>
>>>
>>
>>
>>>
>>
> You might be running puppet master under a different user or the  
> puppet
> master certificate changed because puppet thinks it has a different
> name. Other than that I have no ideea. :-?
>
>
> Silviu
>
> >

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

it just gets worse. When using a 0.24.8 client against a 0.25.1  
server, where the server is running Passenger, nothing I do in the  
auth.conf will allow the client to work.

here''s my auth.conf:

path /
auth any
allow *

I''ve also tried:

path /
auth no
allow *


and here are the errors I get. I don''t get any of these errors if I  
use Webrick.


<Notice>: Denying unauthenticated client marcusmini- 
a.lanl.gov(128.165.129.167) access to fileserver.list
<Error>: Puppet Server (Rack): Internal Server Error: Unhandled  
Exception: "Host marcusmini-a.lanl.gov(128.165.129.167) not authorized  
to call fileserver.list"
<Notice>: Denying unauthenticated client marcusmini- 
a.lanl.gov(128.165.129.167) access to fileserver.describe
<Error>: Puppet Server (Rack): Internal Server Error: Unhandled  
Exception: "Host marcusmini-a.lanl.gov(128.165.129.167) not authorized  
to call fileserver.describe"
<Notice>: Denying unauthenticated client marcusmini- 
a.lanl.gov(128.165.129.167) access to puppetmaster.getconfig
<Error>: Puppet Server (Rack): Internal Server Error: Unhandled  
Exception: "Host marcusmini-a.lanl.gov(128.165.129.167) not authorized  
to call puppetmaster.getconfig"
<Notice>: Denying unauthenticated client marcusmini- 
a.lanl.gov(128.165.129.167) access to fileserver.describe
<Error>: Puppet Server (Rack): Internal Server Error: Unhandled  
Exception: "Host marcusmini-a.lanl.gov(128.165.129.167) not authorized  
to call fileserver.describe"

Is anyone using passenger with 0.25.1?

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

What does the client in question say when this happen?
Does this happen all the time?
Did you try with no auth.conf?

Christian

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Also: please check that you have the required settings in the masters
puppet.conf as mentioned in
http://github.com/reductivelabs/puppet/blob/master/ext/rack/README

If it still doesn''t work, please post a full log from master + server
for a single client run.

Christian
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

yes, I have all those settings. Attached are the relevant files.

To sum up:

Everything works fine with webrick
Nothing I do can make server 0.25.1 w/passenger work with a 0.24.8  
client
Only way I can get server 0.25.1 w/passenger to work with a 0.25.1  
client is to have a a wide open auth.conf file

path /
auth any
allow *

Thanks for your help.

---
Thanks,

Allan Marcus
505-667-5666

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---








On Sep 26, 2009, at 8:26 AM, Christian Hofstaedtler wrote:
>
> Also: please check that you have the required settings in the masters
> puppet.conf as mentioned in
http://github.com/reductivelabs/puppet/blob/master/ext/rack/README
>
> If it still doesn''t work, please post a full log from master +
server
> for a single client run.
>
> Christian
> --~--~---------~--~----~------------~-------~--~----~
> You received this message because you are subscribed to the Google  
> Groups "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com
> To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
> For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
> -~----------~----~----~----~------~----~------~--~---
>

I think I have it working now.

---
Thanks,

Allan Marcus
505-667-5666



On Sep 28, 2009, at 10:13 AM, Allan Marcus wrote:
> yes, I have all those settings. Attached are the relevant files.
>
> To sum up:
>
> Everything works fine with webrick
> Nothing I do can make server 0.25.1 w/passenger work with a 0.24.8
> client
> Only way I can get server 0.25.1 w/passenger to work with a 0.25.1
> client is to have a a wide open auth.conf file
>
> path /
> auth any
> allow *
>
> Thanks for your help.
>
> ---
> Thanks,
>
> Allan Marcus
> 505-667-5666
>
> >
>
<client_248.log><client_251.log><puppet.conf><server.log>
>
> On Sep 26, 2009, at 8:26 AM, Christian Hofstaedtler wrote:
>
>>
>> Also: please check that you have the required settings in the masters
>> puppet.conf as mentioned in
http://github.com/reductivelabs/puppet/blob/master/ext/rack/README
>>
>> If it still doesn''t work, please post a full log from master +
server
>> for a single client run.
>>
>> Christian
>> --~--~---------~--~----~------------~-------~--~----~
>> You received this message because you are subscribed to the Google
>> Groups "Puppet Users" group.
>> To post to this group, send email to puppet-users@googlegroups.com
>> To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
>> For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
>> -~----------~----~----~----~------~----~------~--~---
>>
>

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

How did you resolve this? I''m having this problem now.

On Mon, Sep 28, 2009 at 9:16 AM, Allan Marcus <allan@lanl.gov>
wrote:
>
> I think I have it working now.
>
> ---
> Thanks,
>
> Allan Marcus
> 505-667-5666
>
>
>
> On Sep 28, 2009, at 10:13 AM, Allan Marcus wrote:
>
>> yes, I have all those settings. Attached are the relevant files.
>>
>> To sum up:
>>
>> Everything works fine with webrick
>> Nothing I do can make server 0.25.1 w/passenger work with a 0.24.8
>> client
>> Only way I can get server 0.25.1 w/passenger to work with a 0.25.1
>> client is to have a a wide open auth.conf file
>>
>> path /
>> auth any
>> allow *
>>
>> Thanks for your help.
>>
>> ---
>> Thanks,
>>
>> Allan Marcus
>> 505-667-5666
>>
>> >
>>
<client_248.log><client_251.log><puppet.conf><server.log>
>>
>> On Sep 26, 2009, at 8:26 AM, Christian Hofstaedtler wrote:
>>
>>>
>>> Also: please check that you have the required settings in the
masters
>>> puppet.conf as mentioned in
http://github.com/reductivelabs/puppet/blob/master/ext/rack/README
>>>
>>> If it still doesn''t work, please post a full log from
master + server
>>> for a single client run.
>>>
>>> Christian
>>> >>>
>>
>
>
> --~--~---------~--~----~------------~-------~--~----~
> You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com
> To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
> For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
> -~----------~----~----~----~------~----~------~--~---
>
>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

We are hitting same problem, how did you solved this?

El dc 04 de 11 de 2009 a les 16:11 -0800, en/na Paul Lathrop va
escriure:
> How did you resolve this? I''m having this problem now.
> 
> On Mon, Sep 28, 2009 at 9:16 AM, Allan Marcus <allan@lanl.gov> wrote:
> >
> > I think I have it working now.
> >
> > ---
> > Thanks,
> >
> > Allan Marcus
> > 505-667-5666
> >
> >
> >
> > On Sep 28, 2009, at 10:13 AM, Allan Marcus wrote:
> >
> >> yes, I have all those settings. Attached are the relevant files.
> >>
> >> To sum up:
> >>
> >> Everything works fine with webrick
> >> Nothing I do can make server 0.25.1 w/passenger work with a 0.24.8
> >> client
> >> Only way I can get server 0.25.1 w/passenger to work with a 0.25.1
> >> client is to have a a wide open auth.conf file
> >>
> >> path /
> >> auth any
> >> allow *
> >>
> >> Thanks for your help.
> >>
> >> ---
> >> Thanks,
> >>
> >> Allan Marcus
> >> 505-667-5666
> >>
> >> >
> >>
<client_248.log><client_251.log><puppet.conf><server.log>
> >>
> >> On Sep 26, 2009, at 8:26 AM, Christian Hofstaedtler wrote:
> >>
> >>>
> >>> Also: please check that you have the required settings in the
masters
> >>> puppet.conf as mentioned in
http://github.com/reductivelabs/puppet/blob/master/ext/rack/README
> >>>
> >>> If it still doesn''t work, please post a full log from
master + server
> >>> for a single client run.
> >>>
> >>> Christian
> >>> >>>
> >>
> >
> >
> > --~--~---------~--~----~------------~-------~--~----~
> > You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
> > To post to this group, send email to puppet-users@googlegroups.com
> > To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
> > For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
> > -~----------~----~----~----~------~----~------~--~---
> >
> >
> 
> --~--~---------~--~----~------------~-------~--~----~
> You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com
> To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
> For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
> -~----------~----~----~----~------~----~------~--~---
> 
--

You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

What''s your apache vhost config? Passenger 2.2.2 with 0.25.1
didn''t work
for me with the config from the example in 0.25.1 tree
I think there is an error in the 0.25.1 example one.

I had to add:
         RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
         RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
         RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e


Silviu

On 17.12.2009 15:22, lluis wrote:
> We are hitting same problem, how did you solved this?
>
> El dc 04 de 11 de 2009 a les 16:11 -0800, en/na Paul Lathrop va
> escriure:
>    
>> How did you resolve this? I''m having this problem now.
>>
>> On Mon, Sep 28, 2009 at 9:16 AM, Allan Marcus<allan@lanl.gov> 
wrote:
>>      
>>> I think I have it working now.
>>>
>>> ---
>>> Thanks,
>>>
>>> Allan Marcus
>>> 505-667-5666
>>>
>>>
>>>
>>> On Sep 28, 2009, at 10:13 AM, Allan Marcus wrote:
>>>
>>>        
>>>> yes, I have all those settings. Attached are the relevant
files.
>>>>
>>>> To sum up:
>>>>
>>>> Everything works fine with webrick
>>>> Nothing I do can make server 0.25.1 w/passenger work with a
0.24.8
>>>> client
>>>> Only way I can get server 0.25.1 w/passenger to work with a
0.25.1
>>>> client is to have a a wide open auth.conf file
>>>>
>>>> path /
>>>> auth any
>>>> allow *
>>>>
>>>> Thanks for your help.
>>>>
>>>> ---
>>>> Thanks,
>>>>
>>>> Allan Marcus
>>>> 505-667-5666
>>>>
>>>>          
>>>>>            
>>>>
<client_248.log><client_251.log><puppet.conf><server.log>
>>>>
>>>> On Sep 26, 2009, at 8:26 AM, Christian Hofstaedtler wrote:
>>>>
>>>>          
>>>>> Also: please check that you have the required settings in
the masters
>>>>> puppet.conf as mentioned in
http://github.com/reductivelabs/puppet/blob/master/ext/rack/README
>>>>>
>>>>> If it still doesn''t work, please post a full log
from master + server
>>>>> for a single client run.
>>>>>
>>>>> Christian
>>>>>            
>>>>>>>>                  
>>>>          
>>>
>>> --~--~---------~--~----~------------~-------~--~----~
>>> You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
>>> To post to this group, send email to puppet-users@googlegroups.com
>>> To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
>>> For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
>>> -~----------~----~----~----~------~----~------~--~---
>>>
>>>
>>>        
>> --~--~---------~--~----~------------~-------~--~----~
>> You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
>> To post to this group, send email to puppet-users@googlegroups.com
>> To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
>> For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
>> -~----------~----~----~----~------~----~------~--~---
>>
>>      
> --
>
> You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
> For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
>
>
>    
--

You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

our problem was namespaceauth.conf, since we fixed it, our 24.x clients
seems to work with 0.25 and passenger

namespaceauth.conf:
[puppetrunner]
    allow 127.0.0.1

[fileserver]
    allow *

[puppetmaster]
    allow *

[puppetbucket]
    allow *

[puppetreports]
    allow *

[resource]
    allow *

cheers,
Lluís

El dj 17 de 12 de 2009 a les 18:37 +0200, en/na Silviu Paragina va
escriure:
> What''s your apache vhost config? Passenger 2.2.2 with 0.25.1
didn''t work
> for me with the config from the example in 0.25.1 tree
> I think there is an error in the 0.25.1 example one.
> 
> I had to add:
>          RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
>          RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
>          RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
> 
> 
> Silviu
> 
> On 17.12.2009 15:22, lluis wrote:
> > We are hitting same problem, how did you solved this?
> >
> > El dc 04 de 11 de 2009 a les 16:11 -0800, en/na Paul Lathrop va
> > escriure:
> >    
> >> How did you resolve this? I''m having this problem now.
> >>
> >> On Mon, Sep 28, 2009 at 9:16 AM, Allan
Marcus<allan@lanl.gov>  wrote:
> >>      
> >>> I think I have it working now.
> >>>
> >>> ---
> >>> Thanks,
> >>>
> >>> Allan Marcus
> >>> 505-667-5666
> >>>
> >>>
> >>>
> >>> On Sep 28, 2009, at 10:13 AM, Allan Marcus wrote:
> >>>
> >>>        
> >>>> yes, I have all those settings. Attached are the relevant
files.
> >>>>
> >>>> To sum up:
> >>>>
> >>>> Everything works fine with webrick
> >>>> Nothing I do can make server 0.25.1 w/passenger work with
a 0.24.8
> >>>> client
> >>>> Only way I can get server 0.25.1 w/passenger to work with
a 0.25.1
> >>>> client is to have a a wide open auth.conf file
> >>>>
> >>>> path /
> >>>> auth any
> >>>> allow *
> >>>>
> >>>> Thanks for your help.
> >>>>
> >>>> ---
> >>>> Thanks,
> >>>>
> >>>> Allan Marcus
> >>>> 505-667-5666
> >>>>
> >>>>          
> >>>>>            
> >>>>
<client_248.log><client_251.log><puppet.conf><server.log>
> >>>>
> >>>> On Sep 26, 2009, at 8:26 AM, Christian Hofstaedtler wrote:
> >>>>
> >>>>          
> >>>>> Also: please check that you have the required settings
in the masters
> >>>>> puppet.conf as mentioned in
http://github.com/reductivelabs/puppet/blob/master/ext/rack/README
> >>>>>
> >>>>> If it still doesn''t work, please post a full
log from master + server
> >>>>> for a single client run.
> >>>>>
> >>>>> Christian
> >>>>>            
> >>>>>>>>                  
> >>>>          
> >>>
> >>> --~--~---------~--~----~------------~-------~--~----~
> >>> You received this message because you are subscribed to the
Google Groups "Puppet Users" group.
> >>> To post to this group, send email to
puppet-users@googlegroups.com
> >>> To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
> >>> For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
> >>> -~----------~----~----~----~------~----~------~--~---
> >>>
> >>>
> >>>        
> >> --~--~---------~--~----~------------~-------~--~----~
> >> You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
> >> To post to this group, send email to puppet-users@googlegroups.com
> >> To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
> >> For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
> >> -~----------~----~----~----~------~----~------~--~---
> >>
> >>      
> > --
> >
> > You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
> > To post to this group, send email to puppet-users@googlegroups.com.
> > To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
> > For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
> >
> >
> >    
> 
> --
> 
> You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
> For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
> 
> 
--

You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Thank you Silviu - I just went through a 0.25.2 installation using
passenger 2.2.8 just yesterday and had the same issues which started
this thread:

puppetmasterd[29797]: Puppet Server (Rack): Internal Server Error:
Unhandled Exception: "Host app3.chassis1 10.x.x.x) not authorized to
call fileserver.list"
puppetmasterd[29797]: Denying unauthenticated client app3.chassis1
(10.x.x.x) access to fileserver.list

Your suggestions commends below fixed the issue..

On Dec 17 2009, 8:37 am, Silviu Paragina <sil...@paragina.ro>
wrote:
> What''s your apache vhost config? Passenger 2.2.2 with 0.25.1
didn''t work
> for me with the config from the example in 0.25.1 tree
> I think there is an error in the 0.25.1 example one.
>
> I had to add:
>          RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
>          RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
>          RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
>
> Silviu
>
> On 17.12.2009 15:22, lluis wrote:
>
>
>
> > We are hitting same problem, how did you solved this?
>
> > El dc 04 de 11 de 2009 a les 16:11 -0800, en/na Paul Lathrop va
> > escriure:
>
> >> How did you resolve this? I''m having this problem now.
>
> >> On Mon, Sep 28, 2009 at 9:16 AM, Allan
Marcus<al...@lanl.gov>  wrote:
>
> >>> I think I have it working now.
>
> >>> ---
> >>> Thanks,
>
> >>> Allan Marcus
> >>> 505-667-5666
>
> >>> On Sep 28, 2009, at 10:13 AM, Allan Marcus wrote:
>
> >>>> yes, I have all those settings. Attached are the relevant
files.
>
> >>>> To sum up:
>
> >>>> Everything works fine with webrick
> >>>> Nothing I do can make server 0.25.1 w/passenger work with
a 0.24.8
> >>>> client
> >>>> Only way I can get server 0.25.1 w/passenger to work with
a 0.25.1
> >>>> client is to have a a wide open auth.conf file
>
> >>>> path /
> >>>> auth any
> >>>> allow *
>
> >>>> Thanks for your help.
>
> >>>> ---
> >>>> Thanks,
>
> >>>> Allan Marcus
> >>>> 505-667-5666
>
> >>>>
<client_248.log><client_251.log><puppet.conf><server.log>
>
> >>>> On Sep 26, 2009, at 8:26 AM, Christian Hofstaedtler wrote:
>
> >>>>> Also: please check that you have the required settings
in the masters
> >>>>> puppet.conf as mentioned
inhttp://github.com/reductivelabs/puppet/blob/master/ext/rack/README
>
> >>>>> If it still doesn''t work, please post a full
log from master + server
> >>>>> for a single client run.
>
> >>>>> Christian
>
> >>> --~--~---------~--~----~------------~-------~--~----~
> >>> You received this message because you are subscribed to the
Google Groups "Puppet Users" group.
> >>> To post to this group, send email to
puppet-users@googlegroups.com
> >>> To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
> >>> For more options, visit this group
athttp://groups.google.com/group/puppet-users?hl=en
> >>> -~----------~----~----~----~------~----~------~--~---
>
> >> --~--~---------~--~----~------------~-------~--~----~
> >> You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
> >> To post to this group, send email to puppet-users@googlegroups.com
> >> To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
> >> For more options, visit this group
athttp://groups.google.com/group/puppet-users?hl=en
> >> -~----------~----~----~----~------~----~------~--~---
>
> > --
>
> > You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
> > To post to this group, send email to puppet-users@googlegroups.com.
> > To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
> > For more options, visit this group
athttp://groups.google.com/group/puppet-users?hl=en.
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

You know, this usually means that you don''t have these settings in
your puppet.conf, as doc''ed:

Required puppet.conf settings:
  [puppetmasterd]
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY

-ch

On Jan 8, 7:30 pm, jb <jeffb...@gmail.com> wrote:
> Thank you Silviu - I just went through a 0.25.2 installation using
> passenger 2.2.8 just yesterday and had the same issues which started
> this thread:
>
> puppetmasterd[29797]: Puppet Server (Rack): Internal Server Error:
> Unhandled Exception: "Host app3.chassis1 10.x.x.x) not authorized to
> call fileserver.list"
> puppetmasterd[29797]: Denying unauthenticated client app3.chassis1
> (10.x.x.x) access to fileserver.list
>
> Your suggestions commends below fixed the issue..
>
> On Dec 17 2009, 8:37 am, Silviu Paragina <sil...@paragina.ro> wrote:
>
>
>
> > What''s your apache vhost config? Passenger 2.2.2 with 0.25.1
didn''t work
> > for me with the config from the example in 0.25.1 tree
> > I think there is an error in the 0.25.1 example one.
>
> > I had to add:
> >          RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
> >          RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
> >          RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
>
> > Silviu
>
> > On 17.12.2009 15:22, lluis wrote:
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Christian Hofstaedtler wrote:
> You know, this usually means that you don''t have these settings in
> your puppet.conf, as doc''ed:
>
> Required puppet.conf settings:
>   [puppetmasterd]
>     ssl_client_header = SSL_CLIENT_S_DN
>     ssl_client_verify_header = SSL_CLIENT_VERIFY
>
> -ch
>
>   
Noted.
Does this work with both passenger 2.2.2, 2.2.5 and above?



Silviu

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.