1st off sorry this is so long... I didn''t see any way to attach files when creating the discussion. I am trying to get my puppetmaster (0.25.0) working with passenger (2.2.5) on Solaris (It works fine using webrick). At this point I think it "should" work, but get a 400 error (Located below) when running puppetd on the client. The server doesn''t have anything in the error log indicating a problem, but the access log shows the server returning a 400 error. Any ideas about what the problem could be or how to enable additional logging on the server side (I tried uncommenting << "--debug" in my config.ru, but don''t get anything additional). I have also included my config.ru, puppet.conf, and ssl.conf below the errors. Note: The install paths are bit odd, but I am trying to do this so that I can share a main "opt" puppet package with all zones and then have a puppetmd package that uses the same install as puppet itself. *** client error output *** bash-3.00# /opt/dhw/sbin/puppetd --server dhwsol105prod1z3.dhw.state.id.us --test --debug --environment=prod debug: Failed to load library ''shadow'' for feature ''libshadow'' debug: Puppet::Type::User::ProviderPw: file pw does not exist debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/ dscl does not exist debug: Failed to load library ''ldap'' for feature ''ldap'' debug: Puppet::Type::User::ProviderLdap: feature ldap is missing debug: /File[/etc/puppet/ssl/crl.pem]: Autorequiring File[/etc/puppet/ ssl] debug: /File[/etc/puppet/ssl/certs/ dhwsol105prod1.dhw.state.id.us.pem]: Autorequiring File[/etc/puppet/ ssl/certs] debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ ssl] debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ ssl] debug: /File[/var/puppet/client_yaml]: Autorequiring File[/var/puppet] debug: /File[/var/puppet/state]: Autorequiring File[/var/puppet] debug: /File[/var/puppet/facts]: Autorequiring File[/var/puppet] debug: /File[/etc/puppet/ssl/private_keys/ dhwsol105prod1.dhw.state.id.us.pem]: Autorequiring File[/etc/puppet/ ssl/private_keys] debug: /File[/var/puppet/state/state.yaml]: Autorequiring File[/var/ puppet/state] debug: /File[/etc/puppet/ssl/public_keys/ dhwsol105prod1.dhw.state.id.us.pem]: Autorequiring File[/etc/puppet/ ssl/public_keys] debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring File [/etc/puppet/ssl] debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet] debug: /File[/var/puppet/log]: Autorequiring File[/var/puppet] debug: /File[/var/puppet/run]: Autorequiring File[/var/puppet] debug: /File[/var/puppet/state/graphs]: Autorequiring File[/var/puppet/ state] debug: /File[/var/puppet/state/classes.txt]: Autorequiring File[/var/ puppet/state] debug: /File[/var/puppet/lib]: Autorequiring File[/var/puppet] debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/ puppet/ssl] debug: /File[/var/puppet/clientbucket]: Autorequiring File[/var/ puppet] debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring File[/etc/ puppet/ssl/certs] debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/ puppet/ssl] debug: Finishing transaction 9414216 with 0 changes debug: Using cached certificate for ca debug: Using cached certificate for dhwsol105prod1.dhw.state.id.us debug: Loaded state in 0.03 seconds debug: Using cached certificate for ca debug: Using cached certificate for dhwsol105prod1.dhw.state.id.us debug: Using cached certificate_revocation_list for ca debug: Puppet::Network::Format[json]: false value when expecting true debug: Format s not supported for Puppet::Resource::Catalog; has not implemented method ''from_s'' err: Could not retrieve catalog from remote server: Error 400 on SERVER: Bad Request warning: Not using cache on failed catalog err: Could not retrieve catalog; skipping run *** Server error output *** 10.10.1.51 - - [20/Oct/2009:13:44:30 -0600] "GET /prod/catalog/ dhwsol105prod1.dhw.state.id.us?facts_format=yaml&facts=---%2B%2521ruby %252Fobject%253APuppet%253A%253ANode%253A%253AFacts%2B%250Aexpiration %253A%2B2009-10-20%2B14%253A14%253A29.927609%2B-06%253A00%250Aname%253A %2Bdhwsol105prod1.dhw.state.id.us%250Avalues%253A%2B%250A%2B%2Bkernel %253A%2BSunOS%250A%2B%2Bipaddress_vnet0_3%253A%2B10.10.1.57%250A%2B %2Bnetwork_vnet0_2%253A%2B10.10.1.0%250A%2B%2Bnetmask%253A %2B255.255.255.0%250A%2B%2Bnetmask_lo0%253A%2B255.0.0.0%250A%2B %2Buniqueid%253A%2B84f9e03a%250A%2B%2Bfqdn%253A %2Bdhwsol105prod1.dhw.state.id.us%250A%2B%2Bnetwork_vnet0_3%253A %2B10.10.1.0%250A%2B%2Boperatingsystemrelease%253A%2B %25225.10%2522%250A%2B%2Bclientversion%253A%2B0.25.0%250A%2B %2Bipaddress%253A%2B10.10.1.51%250A%2B%2Bvirtual%253A%2Bphysical%250A %2B%2Bnetmask_lo0_1%253A%2B255.0.0.0%250A%2B%2Bis_virtual%253A%2B %2522false%2522%250A%2B%2Bps%253A%2Bps%2B-ef%250A%2B %2Bipaddress_vnet0%253A%2B10.10.1.51%250A%2B%2Brubysitedir%253A%2B %252Fopt%252Fdhw%252Flib%252Fruby%252Fsite_ruby%252F1.8%250A%2B %2Bnetmask_lo0_2%253A%2B255.0.0.0%250A%2B%2Bhardwaremodel%253A%2Bsun4v %250A%2B%2Bkernelrelease%253A%2B%25225.10%2522%250A%2B %2Bnetwork_vnet0%253A%2B10.10.1.0%250A%2B%2Bnetmask_lo0_3%253A %2B255.0.0.0%250A%2B%2Bdomain%253A%2Bdhw.state.id.us%250A%2B%2Btimezone %253A%2BMDT%250A%2B%2Bid%253A%2Broot%250A%2B%2Bnetwork_lo0%253A %2B127.0.0.0%250A%2B%2Bipaddress_lo0_1%253A%2B127.0.0.1%250A%2B %2Bhardwareisa%253A%2Bsparc%250A%2B%2Bmacaddress_vnet0%253A %2B0%253A14%253A4f%253Afb%253Ad9%253Acc%250A%2B%2Binterfaces%253A %2Blo0%252Clo0_1%252Clo0_2%252Clo0_3%252Cvnet0%252Cvnet0_1%252Cvnet0_2%252Cvnet0_3%250A %2B%2Bipaddress_lo0_2%253A%2B127.0.0.1%250A%2B%2Bpath%253A%2B%252Fusr %252Fsbin%253A%252Fusr%252Fbin%253A%252Fusr%252Fccs%252Fbin%253A %252Fopt%252FSUNWldm%252Fbin%253A%252Fopt%252Fsmuser%252Fwebagent %252Fbin%253A%252Fsbin%250A%2B%2Bnetwork_lo0_1%253A%2B127.0.0.0%250A%2B %2Bnetmask_vnet0_1%253A%2B255.255.255.0%250A%2B%2Bkernelversion%253A %2BGeneric_141414-07%250A%2B%2Bipaddress_lo0%253A%2B127.0.0.1%250A%2B %2Benvironment%253A%2Bprod%250A%2B%2B%253F%2B%2521ruby%252Fsym %2B_timestamp%250A%2B%2B%253A%2BTue%2BOct %2B20%2B13%253A44%253A29%2B-0600%2B2009%250A%250A%2B %2Bnetmask_vnet0_2%253A%2B255.255.255.0%250A%2B%2Bpuppetversion%253A %2B0.25.0%250A%2B%2Buptime%253A%2B8%2Bday%250A%2B%2Bnetwork_lo0_2%253A %2B127.0.0.0%250A%2B%2Bipaddress_lo0_3%253A%2B127.0.0.1%250A%2B %2Bhostname%253A%2Bdhwsol105prod1%250A%2B%2Boperatingsystem%253A %2BSolaris%250A%2B%2Bipaddress_vnet0_1%253A%2B10.10.1.52%250A%2B %2Bfacterversion%253A%2B1.5.7%250A%2B%2Bmacaddress%253A %2B0%253A14%253A4f%253Afb%253Ad9%253Acc%250A%2B%2Bnetmask_vnet0_3%253A %2B255.255.255.0%250A%2B%2Bnetwork_lo0_3%253A%2B127.0.0.0%250A%2B %2Bsshrsakey%253A %2BAAAAB3NzaC1yc2EAAAABIwAAAIEAxKVNsY3Tk78LgNboqdrTr9omRW7%252BTjD7PvyaD37NDW %252FQiaWHOxIjgQ257gO765AaekFmP%252FlI9IWA8ss2feEVOYhwms0JrOln %252BZzixI6NiUnEkW00DLR75NH5bIMmNsKDsxbwDGQuJkD2jav8WIgfMG %252BO9RYQxNNZOMu5rUDsimc%253D%250A%2B%2Bkernelmajversion%253A %2BGeneric_141414-07%250A%2B%2Bnetwork_vnet0_1%253A%2B10.10.1.0%250A%2B %2Bipaddress_vnet0_2%253A%2B10.10.1.53%250A%2B%2Brubyversion%253A %2B1.8.7%250A%2B%2Bsshdsakey%253A %2BAAAAB3NzaC1kc3MAAACBAK0sGCS6m349DPJ0ENTNBnRlrJuF9wzBqv6v91%252BYUyiTCug54DG38LhXsB5a8wzP7vFDHm91w8H6X8lHSjZAkAZj0CXuoy %252BKMypouxa4aPSIq79DHDM%252FEKUk4uoLoD1SfK9CUq%252FRpy1tJiXvp%252BHA %252B5upqd4GzJUlxyQ5XoDw81u5AAAAFQDAzYUpzs%252FGN9T9sXSgdscaw%252B %252BoRQAAAIBIjPBFixi6vEaQmRBXE1wGI7vYQ1vSD%252FY8kjPTiH1JV %252BiX4ba80qBAN4ZfOi0aItt6dil6naY%252BoagfQkETMp58dSd %252BqkwyfDtJfT6LigLJ9cA6trMEHvjDJP5nAykUWcFBiviOtvLioWJgCDzSKqsQs816imAgvEu3%252Bspub6A6iQAAAIBknje4ZSbAlB %252Bn9evhpdwYFHMq7biResm9m6SZvpOoHzgAu6qZPer91qrGvVERFNi20%252F8SgLr6%252FOlddfyr %252BfHxu7%252FesYuh %252BuKpVq9T5jhNi3cIwgTkkeAszP1MJnX32moRJ211F6oWlKW6S8tjfD1VGU5In8WzZ2s2xdM86I5e4w %253D%253D%250A%2B%2Bnetmask_vnet0%253A%2B255.255.255.0%250A HTTP/1.1" 400 38 *** config.ru file *** # a config.ru, for use with every rack-compatible webserver. # SSL needs to be handled outside this, though. # if puppet is not in your RUBYLIB: # $:.unshift(''/opt/dhw/lib'') $0 = "puppetmasterd" require ''puppet'' # if you want debugging: ARGV << "--debug" # Add configuration directory as argument ARGV << "--confdir=/etc/opt/dhw/puppetmd" ARGV << "--rack" require ''puppet/application/puppetmasterd'' # we''re usually running inside a Rack::Builder.new {} block, # therefore we need to call run *here*. run Puppet::Application[:puppetmasterd].run *** puppet.conf *** [main] # Set the environments available to puppet environments = trng,prod,qual,intg,dev,qualf # Set to sync custom facts to the clients pluginsync = true [puppetmasterd] # Added for support with Apache and passenger ssl_client_header = SSL_CLIENT_S_DN ssl_client_verify_header = SSL_CLIENT_VERIFY # User and group to start puppetmasterd as user = puppetmd group = puppetmd # The port to run the puppet master on masterport = 8140 # Where SSL certificates are kept. # The default value is ''$confdir/ssl''. ssldir = $confdir/ssl # Single global manifest directory manifest = $confdir/manifests/site.pp # The location of the configuration for the fileserver fsconfig = $confdir/fileserver.conf # Where Puppet stores dynamic and growing data. # The default value is ''/var/puppet''. vardir = /var/opt/dhw/puppetmd # Set factpath so facter can load custom facts from the server # factpath = $vardir/lib/facter [prod] # The module paths to check modulepath = /etc/opt/dhw/puppetmd/prod/modules [trng] # The module paths to check modulepath = /etc/opt/dhw/puppetmd/trng/modules [qual] # The module paths to check modulepath = /etc/opt/dhw/puppetmd/qual/modules [intg] # The module paths to check modulepath = /etc/opt/dhw/puppetmd/intg/modules [dev] # The module paths to check modulepath = /etc/opt/dhw/puppetmd/dev/modules [qualf] # The module paths to check modulepath = /etc/opt/dhw/puppetmd/qualf/modules *** ssl.conf *** SSLRandomSeed startup builtin SSLRandomSeed connect builtin #SSLRandomSeed startup file:/dev/random 512 #SSLRandomSeed startup file:/dev/urandom 512 #SSLRandomSeed connect file:/dev/random 512 #SSLRandomSeed connect file:/dev/urandom 512 #<IfDefine SSL> # # When we also provide SSL we have to listen to the # standard HTTP port (see above) and to the HTTPS port # # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two # Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443" # #Listen 443 Listen 8140 ## ## SSL Global Context ## ## All SSL configuration in this context applies both to ## the main server and all SSL-enabled virtual hosts. ## # # Some MIME-types for downloading Certificates and CRLs # AddType application/x-x509-ca-cert .crt AddType application/x-pkcs7-crl .crl # Pass Phrase Dialog: # Configure the pass phrase gathering process. # The filtering dialog program (`builtin'' is a internal # terminal dialog) has to provide the pass phrase on stdout. SSLPassPhraseDialog builtin # Inter-Process Session Cache: # Configure the SSL Session Cache: First the mechanism # to use and second the expiring timeout (in seconds). #SSLSessionCache none #SSLSessionCache shmht:/opt/apache/logs/ssl_scache(512000) #SSLSessionCache shmcb:/opt/apache/logs/ssl_scache(512000) SSLSessionCache dbm:/opt/apache/logs/ssl_scache SSLSessionCacheTimeout 300 # Semaphore: # Configure the path to the mutual exclusion semaphore the # SSL engine uses internally for inter-process synchronization. SSLMutex file:/opt/apache/logs/ssl_mutex # Required Passenger settings LoadModule passenger_module /etc/opt/dhw/puppetmd/lib/passenger-2.2.5/ ext/apache2/mod_passenger.so PassengerRoot /etc/opt/dhw/puppetmd/lib/passenger-2.2.5 PassengerRuby /opt/dhw/bin/ruby # you probably want to tune these settings PassengerHighPerformance on PassengerMaxPoolSize 12 PassengerPoolIdleTime 1500 # PassengerMaxRequests 1000 PassengerStatThrottleRate 120 RackAutoDetect Off RailsAutoDetect Off ## ## SSL Virtual Host Context ## #<VirtualHost _default_:443> <VirtualHost dhwsol105prod1z3.dhw.state.id.us:8140> ServerAdmin root@dhwsol105prod1z3 SSLProtocol -ALL +SSLv3 +TLSv1 SSLOptions +StdEnvVars # General setup for the virtual host #DocumentRoot "/opt/apache/htdocs" DocumentRoot /etc/opt/dhw/puppetmd/rack/puppetmasterd/public RackBaseURI / <Directory /etc/opt/dhw/puppetmd/rack/puppetmasterd/> Options None AllowOverride None Order allow,deny allow from all </Directory> ErrorLog /opt/apache/logs/error_log TransferLog /opt/apache/logs/access_log # SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW: +SSLv2:+EXP:+eNULL SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If # the certificate is encrypted, then you will be prompted for a # pass phrase. Note that a kill -HUP will prompt again. Keep # in mind that if you have both an RSA and a DSA certificate you # can configure both in parallel (to also allow the use of DSA # ciphers, etc.) #SSLCertificateFile /opt/apache/conf/ssl.crt/server.crt #SSLCertificateFile /opt/apache/conf/ssl.crt/server-dsa.crt SSLCertificateFile /etc/opt/dhw/puppetmd/ssl/certs/ dhwsol105prod1z3.dhw.state.id.us.pem # Server Private Key: # If the key is not combined with the certificate, use this # directive to point at the key file. Keep in mind that if # you''ve both a RSA and a DSA private key you can configure # both in parallel (to also allow the use of DSA ciphers, etc.) #SSLCertificateKeyFile /opt/apache/conf/ssl.key/server.key #SSLCertificateKeyFile /opt/apache/conf/ssl.key/server-dsa.key SSLCertificateKeyFile /etc/opt/dhw/puppetmd/ssl/private_keys/ dhwsol105prod1z3.dhw.state.id.us.pem # Server Certificate Chain: # Point SSLCertificateChainFile at a file containing the # concatenation of PEM encoded CA certificates which form the # certificate chain for the server certificate. Alternatively # the referenced file can be the same as SSLCertificateFile # when the CA certificates are directly appended to the server # certificate for convinience. #SSLCertificateChainFile /opt/apache/conf/ssl.crt/ca.crt SSLCertificateChainFile /etc/opt/dhw/puppetmd/ssl/ca/ca_crt.pem # Certificate Authority (CA): # Set the CA certificate verification path where to find CA # certificates for client authentication or alternatively one # huge file containing all of them (file must be PEM encoded) # Note: Inside SSLCACertificatePath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. #SSLCACertificatePath /opt/apache/conf/ssl.crt #SSLCACertificateFile /opt/apache/conf/ssl.crt/ca-bundle.crt SSLCACertificateFile /etc/opt/dhw/puppetmd/ssl/ca/ca_crt.pem # Certificate Revocation Lists (CRL): # Set the CA revocation path where to find CA CRLs for client # authentication or alternatively one huge file containing all # of them (file must be PEM encoded) # Note: Inside SSLCARevocationPath you need hash symlinks # to point to the certificate files. Use the provided # Makefile to update the hash symlinks after changes. #SSLCARevocationPath /opt/apache/conf/ssl.crl #SSLCARevocationFile /opt/apache/conf/ssl.crl/ca-bundle.crl # If Apache complains about invalid signatures on CRL, you can try disabling # CRL checking by commenting the next line, but this is not recommended. SSLCARevocationFile /etc/opt/dhw/puppetmd/ssl/ca/ca_crl.pem # Client Authentication (Type): # Client certificate verification type and depth. Types are # none, optional, require and optional_no_ca. Depth is a # number which specifies how deeply to verify the certificate # issuer chain before deciding the certificate is not valid. #SSLVerifyClient require #SSLVerifyDepth 10 SSLVerifyClient optional SSLVerifyDepth 1 # Access Control: # With SSLRequire you can do per-directory access control based # on arbitrary complex boolean expressions containing server # variable checks and other lookup directives. The syntax is a # mixture between C and Perl. See the mod_ssl documentation # for more details. #<Location /> #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ #</Location> # SSL Engine Options: # Set various options for the SSL engine. # o FakeBasicAuth: # Translate the client X.509 into a Basic Authorisation. This means that # the standard Auth/DBMAuth methods can be used for access control. The # user name is the `one line'' version of the client''s X.509 certificate. # Note that no password is obtained from the user. Every entry in the user # file needs this password: `xxj31ZMTZzkVA''. # o ExportCertData: # This exports two additional environment variables: SSL_CLIENT_CERT and # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the # server (always existing) and the client (only existing when client # authentication is used). This can be used to import the certificates # into CGI scripts. # o StdEnvVars: # This exports the standard SSL/TLS related `SSL_*'' environment variables. # Per default this exportation is switched off for performance reasons, # because the extraction step is an expensive operation and is usually # useless for serving static content. So one usually enables the # exportation for CGI and SSI requests only. # o CompatEnvVars: # This exports obsolete environment variables for backward compatibility # to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this # to provide compatibility to existing CGI scripts. # o StrictRequire: # This denies access when "SSLRequireSSL" or "SSLRequire" applied even # under a "Satisfy any" situation, i.e. when it applies access is denied # and no other module can change it. # o OptRenegotiate: # This enables optimized SSL connection renegotiation handling when SSL # directives are used in per-directory context. #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire <FilesMatch "\.(cgi|shtml|phtml|php3?)$"> SSLOptions +StdEnvVars </FilesMatch> <Directory "/opt/apache/cgi-bin"> SSLOptions +StdEnvVars </Directory> # SSL Protocol Adjustments: # The safe and default but still SSL/TLS standard compliant shutdown # approach is that mod_ssl sends the close notify alert but doesn''t wait for # the close notify alert from client. When you need a different shutdown # approach you can use one of the following variables: # o ssl-unclean-shutdown: # This forces an unclean shutdown when the connection is closed, i.e. no # SSL close notify alert is send or allowed to received. This violates # the SSL/TLS standard but is needed for some brain-dead browsers. Use # this when you receive I/O errors because of the standard approach where # mod_ssl sends the close notify alert. # o ssl-accurate-shutdown: # This forces an accurate shutdown when the connection is closed, i.e. a # SSL close notify alert is send and mod_ssl waits for the close notify # alert of the client. This is 100% SSL/TLS standard compliant, but in # practice often causes hanging connections with brain-dead browsers. Use # this only for browsers where you know that their SSL implementation # works correctly. # Notice: Most problems of broken clients are also related to the HTTP # keep-alive facility, so you usually additionally want to disable # keep-alive for those clients, too. Use variable "nokeepalive" for this. # Similarly, one has to force some clients to use HTTP/1.0 to workaround # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and # "force-response-1.0" for this. SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 # Per-Server Logging: # The home of a custom SSL log file. Use this when you want a # compact non-error SSL logfile on a virtual host basis. CustomLog /opt/apache/logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" </VirtualHost> --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---
Have you tried with passenger 2.2.2? 2009/10/20 nothings_absolute <soren.morton@gmail.com>:> > 1st off sorry this is so long... I didn''t see any way to attach files > when creating the discussion. > > I am trying to get my puppetmaster (0.25.0) working with passenger > (2.2.5) on Solaris (It works fine using webrick). At this point I > think it "should" work, but get a 400 error (Located below) when > running puppetd on the client. > > The server doesn''t have anything in the error log indicating a > problem, but the access log shows the server returning a 400 error. > Any ideas about what the problem could be or how to enable additional > logging on the server side (I tried uncommenting << "--debug" in my > config.ru, but don''t get anything additional). > > I have also included my config.ru, puppet.conf, and ssl.conf below the > errors. Note: The install paths are bit odd, but I am trying to do > this so that I can share a main "opt" puppet package with all zones > and then have a puppetmd package that uses the same install as puppet > itself. > > > *** client error output *** > bash-3.00# /opt/dhw/sbin/puppetd --server > dhwsol105prod1z3.dhw.state.id.us --test --debug --environment=prod > debug: Failed to load library ''shadow'' for feature ''libshadow'' > debug: Puppet::Type::User::ProviderPw: file pw does not exist > debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/ > dscl does not exist > debug: Failed to load library ''ldap'' for feature ''ldap'' > debug: Puppet::Type::User::ProviderLdap: feature ldap is missing > debug: /File[/etc/puppet/ssl/crl.pem]: Autorequiring File[/etc/puppet/ > ssl] > debug: /File[/etc/puppet/ssl/certs/ > dhwsol105prod1.dhw.state.id.us.pem]: Autorequiring File[/etc/puppet/ > ssl/certs] > debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ > ssl] > debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ > ssl] > debug: /File[/var/puppet/client_yaml]: Autorequiring File[/var/puppet] > debug: /File[/var/puppet/state]: Autorequiring File[/var/puppet] > debug: /File[/var/puppet/facts]: Autorequiring File[/var/puppet] > debug: /File[/etc/puppet/ssl/private_keys/ > dhwsol105prod1.dhw.state.id.us.pem]: Autorequiring File[/etc/puppet/ > ssl/private_keys] > debug: /File[/var/puppet/state/state.yaml]: Autorequiring File[/var/ > puppet/state] > debug: /File[/etc/puppet/ssl/public_keys/ > dhwsol105prod1.dhw.state.id.us.pem]: Autorequiring File[/etc/puppet/ > ssl/public_keys] > debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring File > [/etc/puppet/ssl] > debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet] > debug: /File[/var/puppet/log]: Autorequiring File[/var/puppet] > debug: /File[/var/puppet/run]: Autorequiring File[/var/puppet] > debug: /File[/var/puppet/state/graphs]: Autorequiring File[/var/puppet/ > state] > debug: /File[/var/puppet/state/classes.txt]: Autorequiring File[/var/ > puppet/state] > debug: /File[/var/puppet/lib]: Autorequiring File[/var/puppet] > debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/ > puppet/ssl] > debug: /File[/var/puppet/clientbucket]: Autorequiring File[/var/ > puppet] > debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring File[/etc/ > puppet/ssl/certs] > debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/ > puppet/ssl] > debug: Finishing transaction 9414216 with 0 changes > debug: Using cached certificate for ca > debug: Using cached certificate for dhwsol105prod1.dhw.state.id.us > debug: Loaded state in 0.03 seconds > debug: Using cached certificate for ca > debug: Using cached certificate for dhwsol105prod1.dhw.state.id.us > debug: Using cached certificate_revocation_list for ca > debug: Puppet::Network::Format[json]: false value when expecting true > debug: Format s not supported for Puppet::Resource::Catalog; has not > implemented method ''from_s'' > err: Could not retrieve catalog from remote server: Error 400 on > SERVER: Bad Request > warning: Not using cache on failed catalog > err: Could not retrieve catalog; skipping run > > > *** Server error output *** > 10.10.1.51 - - [20/Oct/2009:13:44:30 -0600] "GET /prod/catalog/ > dhwsol105prod1.dhw.state.id.us?facts_format=yaml&facts=---%2B%2521ruby > %252Fobject%253APuppet%253A%253ANode%253A%253AFacts%2B%250Aexpiration > %253A%2B2009-10-20%2B14%253A14%253A29.927609%2B-06%253A00%250Aname%253A > %2Bdhwsol105prod1.dhw.state.id.us%250Avalues%253A%2B%250A%2B%2Bkernel > %253A%2BSunOS%250A%2B%2Bipaddress_vnet0_3%253A%2B10.10.1.57%250A%2B > %2Bnetwork_vnet0_2%253A%2B10.10.1.0%250A%2B%2Bnetmask%253A > %2B255.255.255.0%250A%2B%2Bnetmask_lo0%253A%2B255.0.0.0%250A%2B > %2Buniqueid%253A%2B84f9e03a%250A%2B%2Bfqdn%253A > %2Bdhwsol105prod1.dhw.state.id.us%250A%2B%2Bnetwork_vnet0_3%253A > %2B10.10.1.0%250A%2B%2Boperatingsystemrelease%253A%2B > %25225.10%2522%250A%2B%2Bclientversion%253A%2B0.25.0%250A%2B > %2Bipaddress%253A%2B10.10.1.51%250A%2B%2Bvirtual%253A%2Bphysical%250A > %2B%2Bnetmask_lo0_1%253A%2B255.0.0.0%250A%2B%2Bis_virtual%253A%2B > %2522false%2522%250A%2B%2Bps%253A%2Bps%2B-ef%250A%2B > %2Bipaddress_vnet0%253A%2B10.10.1.51%250A%2B%2Brubysitedir%253A%2B > %252Fopt%252Fdhw%252Flib%252Fruby%252Fsite_ruby%252F1.8%250A%2B > %2Bnetmask_lo0_2%253A%2B255.0.0.0%250A%2B%2Bhardwaremodel%253A%2Bsun4v > %250A%2B%2Bkernelrelease%253A%2B%25225.10%2522%250A%2B > %2Bnetwork_vnet0%253A%2B10.10.1.0%250A%2B%2Bnetmask_lo0_3%253A > %2B255.0.0.0%250A%2B%2Bdomain%253A%2Bdhw.state.id.us%250A%2B%2Btimezone > %253A%2BMDT%250A%2B%2Bid%253A%2Broot%250A%2B%2Bnetwork_lo0%253A > %2B127.0.0.0%250A%2B%2Bipaddress_lo0_1%253A%2B127.0.0.1%250A%2B > %2Bhardwareisa%253A%2Bsparc%250A%2B%2Bmacaddress_vnet0%253A > %2B0%253A14%253A4f%253Afb%253Ad9%253Acc%250A%2B%2Binterfaces%253A > %2Blo0%252Clo0_1%252Clo0_2%252Clo0_3%252Cvnet0%252Cvnet0_1%252Cvnet0_2%252Cvnet0_3%250A > %2B%2Bipaddress_lo0_2%253A%2B127.0.0.1%250A%2B%2Bpath%253A%2B%252Fusr > %252Fsbin%253A%252Fusr%252Fbin%253A%252Fusr%252Fccs%252Fbin%253A > %252Fopt%252FSUNWldm%252Fbin%253A%252Fopt%252Fsmuser%252Fwebagent > %252Fbin%253A%252Fsbin%250A%2B%2Bnetwork_lo0_1%253A%2B127.0.0.0%250A%2B > %2Bnetmask_vnet0_1%253A%2B255.255.255.0%250A%2B%2Bkernelversion%253A > %2BGeneric_141414-07%250A%2B%2Bipaddress_lo0%253A%2B127.0.0.1%250A%2B > %2Benvironment%253A%2Bprod%250A%2B%2B%253F%2B%2521ruby%252Fsym > %2B_timestamp%250A%2B%2B%253A%2BTue%2BOct > %2B20%2B13%253A44%253A29%2B-0600%2B2009%250A%250A%2B > %2Bnetmask_vnet0_2%253A%2B255.255.255.0%250A%2B%2Bpuppetversion%253A > %2B0.25.0%250A%2B%2Buptime%253A%2B8%2Bday%250A%2B%2Bnetwork_lo0_2%253A > %2B127.0.0.0%250A%2B%2Bipaddress_lo0_3%253A%2B127.0.0.1%250A%2B > %2Bhostname%253A%2Bdhwsol105prod1%250A%2B%2Boperatingsystem%253A > %2BSolaris%250A%2B%2Bipaddress_vnet0_1%253A%2B10.10.1.52%250A%2B > %2Bfacterversion%253A%2B1.5.7%250A%2B%2Bmacaddress%253A > %2B0%253A14%253A4f%253Afb%253Ad9%253Acc%250A%2B%2Bnetmask_vnet0_3%253A > %2B255.255.255.0%250A%2B%2Bnetwork_lo0_3%253A%2B127.0.0.0%250A%2B > %2Bsshrsakey%253A > %2BAAAAB3NzaC1yc2EAAAABIwAAAIEAxKVNsY3Tk78LgNboqdrTr9omRW7%252BTjD7PvyaD37NDW > %252FQiaWHOxIjgQ257gO765AaekFmP%252FlI9IWA8ss2feEVOYhwms0JrOln > %252BZzixI6NiUnEkW00DLR75NH5bIMmNsKDsxbwDGQuJkD2jav8WIgfMG > %252BO9RYQxNNZOMu5rUDsimc%253D%250A%2B%2Bkernelmajversion%253A > %2BGeneric_141414-07%250A%2B%2Bnetwork_vnet0_1%253A%2B10.10.1.0%250A%2B > %2Bipaddress_vnet0_2%253A%2B10.10.1.53%250A%2B%2Brubyversion%253A > %2B1.8.7%250A%2B%2Bsshdsakey%253A > %2BAAAAB3NzaC1kc3MAAACBAK0sGCS6m349DPJ0ENTNBnRlrJuF9wzBqv6v91%252BYUyiTCug54DG38LhXsB5a8wzP7vFDHm91w8H6X8lHSjZAkAZj0CXuoy > %252BKMypouxa4aPSIq79DHDM%252FEKUk4uoLoD1SfK9CUq%252FRpy1tJiXvp%252BHA > %252B5upqd4GzJUlxyQ5XoDw81u5AAAAFQDAzYUpzs%252FGN9T9sXSgdscaw%252B > %252BoRQAAAIBIjPBFixi6vEaQmRBXE1wGI7vYQ1vSD%252FY8kjPTiH1JV > %252BiX4ba80qBAN4ZfOi0aItt6dil6naY%252BoagfQkETMp58dSd > %252BqkwyfDtJfT6LigLJ9cA6trMEHvjDJP5nAykUWcFBiviOtvLioWJgCDzSKqsQs816imAgvEu3%252Bspub6A6iQAAAIBknje4ZSbAlB > %252Bn9evhpdwYFHMq7biResm9m6SZvpOoHzgAu6qZPer91qrGvVERFNi20%252F8SgLr6%252FOlddfyr > %252BfHxu7%252FesYuh > %252BuKpVq9T5jhNi3cIwgTkkeAszP1MJnX32moRJ211F6oWlKW6S8tjfD1VGU5In8WzZ2s2xdM86I5e4w > %253D%253D%250A%2B%2Bnetmask_vnet0%253A%2B255.255.255.0%250A HTTP/1.1" > 400 38 > > > *** config.ru file *** > # a config.ru, for use with every rack-compatible webserver. > # SSL needs to be handled outside this, though. > > # if puppet is not in your RUBYLIB: > # $:.unshift(''/opt/dhw/lib'') > > $0 = "puppetmasterd" > require ''puppet'' > > # if you want debugging: > ARGV << "--debug" > > # Add configuration directory as argument > ARGV << "--confdir=/etc/opt/dhw/puppetmd" > > ARGV << "--rack" > require ''puppet/application/puppetmasterd'' > # we''re usually running inside a Rack::Builder.new {} block, > # therefore we need to call run *here*. > run Puppet::Application[:puppetmasterd].run > > > *** puppet.conf *** > [main] > # Set the environments available to puppet > environments = trng,prod,qual,intg,dev,qualf > > # Set to sync custom facts to the clients > pluginsync = true > > > [puppetmasterd] > # Added for support with Apache and passenger > ssl_client_header = SSL_CLIENT_S_DN > ssl_client_verify_header = SSL_CLIENT_VERIFY > > # User and group to start puppetmasterd as > user = puppetmd > group = puppetmd > > # The port to run the puppet master on > masterport = 8140 > > # Where SSL certificates are kept. > # The default value is ''$confdir/ssl''. > ssldir = $confdir/ssl > > # Single global manifest directory > manifest = $confdir/manifests/site.pp > > # The location of the configuration for the fileserver > fsconfig = $confdir/fileserver.conf > > # Where Puppet stores dynamic and growing data. > # The default value is ''/var/puppet''. > vardir = /var/opt/dhw/puppetmd > > # Set factpath so facter can load custom facts from the server > # factpath = $vardir/lib/facter > > > [prod] > # The module paths to check > modulepath = /etc/opt/dhw/puppetmd/prod/modules > > > [trng] > # The module paths to check > modulepath = /etc/opt/dhw/puppetmd/trng/modules > > > [qual] > # The module paths to check > modulepath = /etc/opt/dhw/puppetmd/qual/modules > > > [intg] > # The module paths to check > modulepath = /etc/opt/dhw/puppetmd/intg/modules > > > [dev] > # The module paths to check > modulepath = /etc/opt/dhw/puppetmd/dev/modules > > > [qualf] > # The module paths to check > modulepath = /etc/opt/dhw/puppetmd/qualf/modules > > > *** ssl.conf *** > SSLRandomSeed startup builtin > SSLRandomSeed connect builtin > #SSLRandomSeed startup file:/dev/random 512 > #SSLRandomSeed startup file:/dev/urandom 512 > #SSLRandomSeed connect file:/dev/random 512 > #SSLRandomSeed connect file:/dev/urandom 512 > > #<IfDefine SSL> > > # > # When we also provide SSL we have to listen to the > # standard HTTP port (see above) and to the HTTPS port > # > # Note: Configurations that use IPv6 but not IPv4-mapped addresses > need two > # Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443" > # > #Listen 443 > Listen 8140 > > ## > ## SSL Global Context > ## > ## All SSL configuration in this context applies both to > ## the main server and all SSL-enabled virtual hosts. > ## > > # > # Some MIME-types for downloading Certificates and CRLs > # > AddType application/x-x509-ca-cert .crt > AddType application/x-pkcs7-crl .crl > > # Pass Phrase Dialog: > # Configure the pass phrase gathering process. > # The filtering dialog program (`builtin'' is a internal > # terminal dialog) has to provide the pass phrase on stdout. > SSLPassPhraseDialog builtin > > # Inter-Process Session Cache: > # Configure the SSL Session Cache: First the mechanism > # to use and second the expiring timeout (in seconds). > #SSLSessionCache none > #SSLSessionCache shmht:/opt/apache/logs/ssl_scache(512000) > #SSLSessionCache shmcb:/opt/apache/logs/ssl_scache(512000) > SSLSessionCache dbm:/opt/apache/logs/ssl_scache > SSLSessionCacheTimeout 300 > > # Semaphore: > # Configure the path to the mutual exclusion semaphore the > # SSL engine uses internally for inter-process synchronization. > SSLMutex file:/opt/apache/logs/ssl_mutex > > > # Required Passenger settings > LoadModule passenger_module /etc/opt/dhw/puppetmd/lib/passenger-2.2.5/ > ext/apache2/mod_passenger.so > PassengerRoot /etc/opt/dhw/puppetmd/lib/passenger-2.2.5 > PassengerRuby /opt/dhw/bin/ruby > > # you probably want to tune these settings > PassengerHighPerformance on > PassengerMaxPoolSize 12 > PassengerPoolIdleTime 1500 > # PassengerMaxRequests 1000 > PassengerStatThrottleRate 120 > RackAutoDetect Off > RailsAutoDetect Off > > ## > ## SSL Virtual Host Context > ## > > #<VirtualHost _default_:443> > > <VirtualHost dhwsol105prod1z3.dhw.state.id.us:8140> > ServerAdmin root@dhwsol105prod1z3 > > SSLProtocol -ALL +SSLv3 +TLSv1 > SSLOptions +StdEnvVars > > # General setup for the virtual host > #DocumentRoot "/opt/apache/htdocs" > DocumentRoot /etc/opt/dhw/puppetmd/rack/puppetmasterd/public > > RackBaseURI / > > <Directory /etc/opt/dhw/puppetmd/rack/puppetmasterd/> > Options None > AllowOverride None > Order allow,deny > allow from all > </Directory> > > ErrorLog /opt/apache/logs/error_log > TransferLog /opt/apache/logs/access_log > > # SSL Engine Switch: > # Enable/Disable SSL for this virtual host. > SSLEngine on > > # SSL Cipher Suite: > # List the ciphers that the client is permitted to negotiate. > # See the mod_ssl documentation for a complete list. > #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW: > +SSLv2:+EXP:+eNULL > SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP > > # Server Certificate: > # Point SSLCertificateFile at a PEM encoded certificate. If > # the certificate is encrypted, then you will be prompted for a > # pass phrase. Note that a kill -HUP will prompt again. Keep > # in mind that if you have both an RSA and a DSA certificate you > # can configure both in parallel (to also allow the use of DSA > # ciphers, etc.) > #SSLCertificateFile /opt/apache/conf/ssl.crt/server.crt > #SSLCertificateFile /opt/apache/conf/ssl.crt/server-dsa.crt > SSLCertificateFile /etc/opt/dhw/puppetmd/ssl/certs/ > dhwsol105prod1z3.dhw.state.id.us.pem > > # Server Private Key: > # If the key is not combined with the certificate, use this > # directive to point at the key file. Keep in mind that if > # you''ve both a RSA and a DSA private key you can configure > # both in parallel (to also allow the use of DSA ciphers, etc.) > #SSLCertificateKeyFile /opt/apache/conf/ssl.key/server.key > #SSLCertificateKeyFile /opt/apache/conf/ssl.key/server-dsa.key > SSLCertificateKeyFile /etc/opt/dhw/puppetmd/ssl/private_keys/ > dhwsol105prod1z3.dhw.state.id.us.pem > > # Server Certificate Chain: > # Point SSLCertificateChainFile at a file containing the > # concatenation of PEM encoded CA certificates which form the > # certificate chain for the server certificate. Alternatively > # the referenced file can be the same as SSLCertificateFile > # when the CA certificates are directly appended to the server > # certificate for convinience. > #SSLCertificateChainFile /opt/apache/conf/ssl.crt/ca.crt > SSLCertificateChainFile /etc/opt/dhw/puppetmd/ssl/ca/ca_crt.pem > > # Certificate Authority (CA): > # Set the CA certificate verification path where to find CA > # certificates for client authentication or alternatively one > # huge file containing all of them (file must be PEM encoded) > # Note: Inside SSLCACertificatePath you need hash symlinks > # to point to the certificate files. Use the provided > # Makefile to update the hash symlinks after changes. > #SSLCACertificatePath /opt/apache/conf/ssl.crt > #SSLCACertificateFile /opt/apache/conf/ssl.crt/ca-bundle.crt > SSLCACertificateFile /etc/opt/dhw/puppetmd/ssl/ca/ca_crt.pem > > # Certificate Revocation Lists (CRL): > # Set the CA revocation path where to find CA CRLs for client > # authentication or alternatively one huge file containing all > # of them (file must be PEM encoded) > # Note: Inside SSLCARevocationPath you need hash symlinks > # to point to the certificate files. Use the provided > # Makefile to update the hash symlinks after changes. > #SSLCARevocationPath /opt/apache/conf/ssl.crl > #SSLCARevocationFile /opt/apache/conf/ssl.crl/ca-bundle.crl > # If Apache complains about invalid signatures on CRL, you can try > disabling > # CRL checking by commenting the next line, but this is not > recommended. > SSLCARevocationFile /etc/opt/dhw/puppetmd/ssl/ca/ca_crl.pem > > # Client Authentication (Type): > # Client certificate verification type and depth. Types are > # none, optional, require and optional_no_ca. Depth is a > # number which specifies how deeply to verify the certificate > # issuer chain before deciding the certificate is not valid. > #SSLVerifyClient require > #SSLVerifyDepth 10 > SSLVerifyClient optional > SSLVerifyDepth 1 > > # Access Control: > # With SSLRequire you can do per-directory access control based > # on arbitrary complex boolean expressions containing server > # variable checks and other lookup directives. The syntax is a > # mixture between C and Perl. See the mod_ssl documentation > # for more details. > #<Location /> > #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ > # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ > # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ > # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ > # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ > # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ > #</Location> > > # SSL Engine Options: > # Set various options for the SSL engine. > # o FakeBasicAuth: > # Translate the client X.509 into a Basic Authorisation. This > means that > # the standard Auth/DBMAuth methods can be used for access > control. The > # user name is the `one line'' version of the client''s X.509 > certificate. > # Note that no password is obtained from the user. Every entry in > the user > # file needs this password: `xxj31ZMTZzkVA''. > # o ExportCertData: > # This exports two additional environment variables: > SSL_CLIENT_CERT and > # SSL_SERVER_CERT. These contain the PEM-encoded certificates of > the > # server (always existing) and the client (only existing when > client > # authentication is used). This can be used to import the > certificates > # into CGI scripts. > # o StdEnvVars: > # This exports the standard SSL/TLS related `SSL_*'' environment > variables. > # Per default this exportation is switched off for performance > reasons, > # because the extraction step is an expensive operation and is > usually > # useless for serving static content. So one usually enables the > # exportation for CGI and SSI requests only. > # o CompatEnvVars: > # This exports obsolete environment variables for backward > compatibility > # to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. > Use this > # to provide compatibility to existing CGI scripts. > # o StrictRequire: > # This denies access when "SSLRequireSSL" or "SSLRequire" applied > even > # under a "Satisfy any" situation, i.e. when it applies access is > denied > # and no other module can change it. > # o OptRenegotiate: > # This enables optimized SSL connection renegotiation handling > when SSL > # directives are used in per-directory context. > #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars > +StrictRequire > <FilesMatch "\.(cgi|shtml|phtml|php3?)$"> > SSLOptions +StdEnvVars > </FilesMatch> > <Directory "/opt/apache/cgi-bin"> > SSLOptions +StdEnvVars > </Directory> > > # SSL Protocol Adjustments: > # The safe and default but still SSL/TLS standard compliant shutdown > # approach is that mod_ssl sends the close notify alert but doesn''t > wait for > # the close notify alert from client. When you need a different > shutdown > # approach you can use one of the following variables: > # o ssl-unclean-shutdown: > # This forces an unclean shutdown when the connection is closed, > i.e. no > # SSL close notify alert is send or allowed to received. This > violates > # the SSL/TLS standard but is needed for some brain-dead browsers. > Use > # this when you receive I/O errors because of the standard > approach where > # mod_ssl sends the close notify alert. > # o ssl-accurate-shutdown: > # This forces an accurate shutdown when the connection is closed, > i.e. a > # SSL close notify alert is send and mod_ssl waits for the close > notify > # alert of the client. This is 100% SSL/TLS standard compliant, > but in > # practice often causes hanging connections with brain-dead > browsers. Use > # this only for browsers where you know that their SSL > implementation > # works correctly. > # Notice: Most problems of broken clients are also related to the > HTTP > # keep-alive facility, so you usually additionally want to disable > # keep-alive for those clients, too. Use variable "nokeepalive" for > this. > # Similarly, one has to force some clients to use HTTP/1.0 to > workaround > # their broken HTTP/1.1 implementation. Use variables > "downgrade-1.0" and > # "force-response-1.0" for this. > SetEnvIf User-Agent ".*MSIE.*" \ > nokeepalive ssl-unclean-shutdown \ > downgrade-1.0 force-response-1.0 > > # Per-Server Logging: > # The home of a custom SSL log file. Use this when you want a > # compact non-error SSL logfile on a virtual host basis. > CustomLog /opt/apache/logs/ssl_request_log \ > "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" > > </VirtualHost> > > > >--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---
I have tried 2.2.2, but couldn''t get it to compile successfully. It looked like there were some code changes that I could make to the 2.2.2 source to get it working, but applying a single fix (for the solaris related bug) to 2.2.5 seemed like it was the better route to go. I also tried 2.2.4 and found that it doesn''t work either (I get the same error message). Thanks! Soren On Oct 20, 2:35 pm, Matt <mattmora...@gmail.com> wrote:> Have you tried with passenger 2.2.2? > > 2009/10/20 nothings_absolute <soren.mor...@gmail.com>: > > > > > > > 1st off sorry this is so long... I didn''t see any way to attach files > > when creating the discussion. > > > I am trying to get my puppetmaster (0.25.0) working with passenger > > (2.2.5) on Solaris (It works fine using webrick). At this point I > > think it "should" work, but get a 400 error (Located below) when > > running puppetd on the client. > > > The server doesn''t have anything in the error log indicating a > > problem, but the access log shows the server returning a 400 error. > > Any ideas about what the problem could be or how to enable additional > > logging on the server side (I tried uncommenting << "--debug" in my > > config.ru, but don''t get anything additional). > > > I have also included my config.ru, puppet.conf, and ssl.conf below the > > errors. Note: The install paths are bit odd, but I am trying to do > > this so that I can share a main "opt" puppet package with all zones > > and then have a puppetmd package that uses the same install as puppet > > itself. > > > *** client error output *** > > bash-3.00# /opt/dhw/sbin/puppetd --server > > dhwsol105prod1z3.dhw.state.id.us --test --debug --environment=prod > > debug: Failed to load library ''shadow'' for feature ''libshadow'' > > debug: Puppet::Type::User::ProviderPw: file pw does not exist > > debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/ > > dscl does not exist > > debug: Failed to load library ''ldap'' for feature ''ldap'' > > debug: Puppet::Type::User::ProviderLdap: feature ldap is missing > > debug: /File[/etc/puppet/ssl/crl.pem]: Autorequiring File[/etc/puppet/ > > ssl] > > debug: /File[/etc/puppet/ssl/certs/ > > dhwsol105prod1.dhw.state.id.us.pem]: Autorequiring File[/etc/puppet/ > > ssl/certs] > > debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ > > ssl] > > debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ > > ssl] > > debug: /File[/var/puppet/client_yaml]: Autorequiring File[/var/puppet] > > debug: /File[/var/puppet/state]: Autorequiring File[/var/puppet] > > debug: /File[/var/puppet/facts]: Autorequiring File[/var/puppet] > > debug: /File[/etc/puppet/ssl/private_keys/ > > dhwsol105prod1.dhw.state.id.us.pem]: Autorequiring File[/etc/puppet/ > > ssl/private_keys] > > debug: /File[/var/puppet/state/state.yaml]: Autorequiring File[/var/ > > puppet/state] > > debug: /File[/etc/puppet/ssl/public_keys/ > > dhwsol105prod1.dhw.state.id.us.pem]: Autorequiring File[/etc/puppet/ > > ssl/public_keys] > > debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring File > > [/etc/puppet/ssl] > > debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet] > > debug: /File[/var/puppet/log]: Autorequiring File[/var/puppet] > > debug: /File[/var/puppet/run]: Autorequiring File[/var/puppet] > > debug: /File[/var/puppet/state/graphs]: Autorequiring File[/var/puppet/ > > state] > > debug: /File[/var/puppet/state/classes.txt]: Autorequiring File[/var/ > > puppet/state] > > debug: /File[/var/puppet/lib]: Autorequiring File[/var/puppet] > > debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/ > > puppet/ssl] > > debug: /File[/var/puppet/clientbucket]: Autorequiring File[/var/ > > puppet] > > debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring File[/etc/ > > puppet/ssl/certs] > > debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/ > > puppet/ssl] > > debug: Finishing transaction 9414216 with 0 changes > > debug: Using cached certificate for ca > > debug: Using cached certificate for dhwsol105prod1.dhw.state.id.us > > debug: Loaded state in 0.03 seconds > > debug: Using cached certificate for ca > > debug: Using cached certificate for dhwsol105prod1.dhw.state.id.us > > debug: Using cached certificate_revocation_list for ca > > debug: Puppet::Network::Format[json]: false value when expecting true > > debug: Format s not supported for Puppet::Resource::Catalog; has not > > implemented method ''from_s'' > > err: Could not retrieve catalog from remote server: Error 400 on > > SERVER: Bad Request > > warning: Not using cache on failed catalog > > err: Could not retrieve catalog; skipping run > > > *** Server error output *** > > 10.10.1.51 - - [20/Oct/2009:13:44:30 -0600] "GET /prod/catalog/ > > dhwsol105prod1.dhw.state.id.us?facts_format=yaml&facts=---%2B%2521ruby > > %252Fobject%253APuppet%253A%253ANode%253A%253AFacts%2B%250Aexpiration > > %253A%2B2009-10-20%2B14%253A14%253A29.927609%2B-06%253A00%250Aname%253A > > %2Bdhwsol105prod1.dhw.state.id.us%250Avalues%253A%2B%250A%2B%2Bkernel > > %253A%2BSunOS%250A%2B%2Bipaddress_vnet0_3%253A%2B10.10.1.57%250A%2B > > %2Bnetwork_vnet0_2%253A%2B10.10.1.0%250A%2B%2Bnetmask%253A > > %2B255.255.255.0%250A%2B%2Bnetmask_lo0%253A%2B255.0.0.0%250A%2B > > %2Buniqueid%253A%2B84f9e03a%250A%2B%2Bfqdn%253A > > %2Bdhwsol105prod1.dhw.state.id.us%250A%2B%2Bnetwork_vnet0_3%253A > > %2B10.10.1.0%250A%2B%2Boperatingsystemrelease%253A%2B > > %25225.10%2522%250A%2B%2Bclientversion%253A%2B0.25.0%250A%2B > > %2Bipaddress%253A%2B10.10.1.51%250A%2B%2Bvirtual%253A%2Bphysical%250A > > %2B%2Bnetmask_lo0_1%253A%2B255.0.0.0%250A%2B%2Bis_virtual%253A%2B > > %2522false%2522%250A%2B%2Bps%253A%2Bps%2B-ef%250A%2B > > %2Bipaddress_vnet0%253A%2B10.10.1.51%250A%2B%2Brubysitedir%253A%2B > > %252Fopt%252Fdhw%252Flib%252Fruby%252Fsite_ruby%252F1.8%250A%2B > > %2Bnetmask_lo0_2%253A%2B255.0.0.0%250A%2B%2Bhardwaremodel%253A%2Bsun4v > > %250A%2B%2Bkernelrelease%253A%2B%25225.10%2522%250A%2B > > %2Bnetwork_vnet0%253A%2B10.10.1.0%250A%2B%2Bnetmask_lo0_3%253A > > %2B255.0.0.0%250A%2B%2Bdomain%253A%2Bdhw.state.id.us%250A%2B%2Btimezone > > %253A%2BMDT%250A%2B%2Bid%253A%2Broot%250A%2B%2Bnetwork_lo0%253A > > %2B127.0.0.0%250A%2B%2Bipaddress_lo0_1%253A%2B127.0.0.1%250A%2B > > %2Bhardwareisa%253A%2Bsparc%250A%2B%2Bmacaddress_vnet0%253A > > %2B0%253A14%253A4f%253Afb%253Ad9%253Acc%250A%2B%2Binterfaces%253A > > %2Blo0%252Clo0_1%252Clo0_2%252Clo0_3%252Cvnet0%252Cvnet0_1%252Cvnet0_2%252Cvnet0_3%250A > > %2B%2Bipaddress_lo0_2%253A%2B127.0.0.1%250A%2B%2Bpath%253A%2B%252Fusr > > %252Fsbin%253A%252Fusr%252Fbin%253A%252Fusr%252Fccs%252Fbin%253A > > %252Fopt%252FSUNWldm%252Fbin%253A%252Fopt%252Fsmuser%252Fwebagent > > %252Fbin%253A%252Fsbin%250A%2B%2Bnetwork_lo0_1%253A%2B127.0.0.0%250A%2B > > %2Bnetmask_vnet0_1%253A%2B255.255.255.0%250A%2B%2Bkernelversion%253A > > %2BGeneric_141414-07%250A%2B%2Bipaddress_lo0%253A%2B127.0.0.1%250A%2B > > %2Benvironment%253A%2Bprod%250A%2B%2B%253F%2B%2521ruby%252Fsym > > %2B_timestamp%250A%2B%2B%253A%2BTue%2BOct > > %2B20%2B13%253A44%253A29%2B-0600%2B2009%250A%250A%2B > > %2Bnetmask_vnet0_2%253A%2B255.255.255.0%250A%2B%2Bpuppetversion%253A > > %2B0.25.0%250A%2B%2Buptime%253A%2B8%2Bday%250A%2B%2Bnetwork_lo0_2%253A > > %2B127.0.0.0%250A%2B%2Bipaddress_lo0_3%253A%2B127.0.0.1%250A%2B > > %2Bhostname%253A%2Bdhwsol105prod1%250A%2B%2Boperatingsystem%253A > > %2BSolaris%250A%2B%2Bipaddress_vnet0_1%253A%2B10.10.1.52%250A%2B > > %2Bfacterversion%253A%2B1.5.7%250A%2B%2Bmacaddress%253A > > %2B0%253A14%253A4f%253Afb%253Ad9%253Acc%250A%2B%2Bnetmask_vnet0_3%253A > > %2B255.255.255.0%250A%2B%2Bnetwork_lo0_3%253A%2B127.0.0.0%250A%2B > > %2Bsshrsakey%253A > > %2BAAAAB3NzaC1yc2EAAAABIwAAAIEAxKVNsY3Tk78LgNboqdrTr9omRW7%252BTjD7PvyaD37NDW > > %252FQiaWHOxIjgQ257gO765AaekFmP%252FlI9IWA8ss2feEVOYhwms0JrOln > > %252BZzixI6NiUnEkW00DLR75NH5bIMmNsKDsxbwDGQuJkD2jav8WIgfMG > > %252BO9RYQxNNZOMu5rUDsimc%253D%250A%2B%2Bkernelmajversion%253A > > %2BGeneric_141414-07%250A%2B%2Bnetwork_vnet0_1%253A%2B10.10.1.0%250A%2B > > %2Bipaddress_vnet0_2%253A%2B10.10.1.53%250A%2B%2Brubyversion%253A > > %2B1.8.7%250A%2B%2Bsshdsakey%253A > > %2BAAAAB3NzaC1kc3MAAACBAK0sGCS6m349DPJ0ENTNBnRlrJuF9wzBqv6v91%252BYUyiTCug54DG38LhXsB5a8wzP7vFDHm91w8H6X8lHSjZAkAZj0CXuoy > > %252BKMypouxa4aPSIq79DHDM%252FEKUk4uoLoD1SfK9CUq%252FRpy1tJiXvp%252BHA > > %252B5upqd4GzJUlxyQ5XoDw81u5AAAAFQDAzYUpzs%252FGN9T9sXSgdscaw%252B > > %252BoRQAAAIBIjPBFixi6vEaQmRBXE1wGI7vYQ1vSD%252FY8kjPTiH1JV > > %252BiX4ba80qBAN4ZfOi0aItt6dil6naY%252BoagfQkETMp58dSd > > %252BqkwyfDtJfT6LigLJ9cA6trMEHvjDJP5nAykUWcFBiviOtvLioWJgCDzSKqsQs816imAgvEu3%252Bspub6A6iQAAAIBknje4ZSbAlB > > %252Bn9evhpdwYFHMq7biResm9m6SZvpOoHzgAu6qZPer91qrGvVERFNi20%252F8SgLr6%252FOlddfyr > > %252BfHxu7%252FesYuh > > %252BuKpVq9T5jhNi3cIwgTkkeAszP1MJnX32moRJ211F6oWlKW6S8tjfD1VGU5In8WzZ2s2xdM86I5e4w > > %253D%253D%250A%2B%2Bnetmask_vnet0%253A%2B255.255.255.0%250A HTTP/1.1" > > 400 38 > > > *** config.ru file *** > > # a config.ru, for use with every rack-compatible webserver. > > # SSL needs to be handled outside this, though. > > > # if puppet is not in your RUBYLIB: > > # $:.unshift(''/opt/dhw/lib'') > > > $0 = "puppetmasterd" > > require ''puppet'' > > > # if you want debugging: > > ARGV << "--debug" > > > # Add configuration directory as argument > > ARGV << "--confdir=/etc/opt/dhw/puppetmd" > > > ARGV << "--rack" > > require ''puppet/application/puppetmasterd'' > > # we''re usually running inside a Rack::Builder.new {} block, > > # therefore we need to call run *here*. > > run Puppet::Application[:puppetmasterd].run > > > *** puppet.conf *** > > [main] > > # Set the environments available to puppet > > environments = trng,prod,qual,intg,dev,qualf > > > # Set to sync custom facts to the clients > > pluginsync = true > > > [puppetmasterd] > > # Added for support with Apache and passenger > > ssl_client_header = SSL_CLIENT_S_DN > > ssl_client_verify_header = SSL_CLIENT_VERIFY > > > # User and group to start puppetmasterd as > > user = puppetmd > > group = puppetmd > > > # The port to run the puppet master on > > masterport = 8140 > > > # Where SSL certificates are kept. > > # The default value is ''$confdir/ssl''. > > ssldir = $confdir/ssl > > > # Single global manifest directory > > manifest = $confdir/manifests/site.pp > > > # The location of the configuration for the fileserver > > fsconfig = $confdir/fileserver.conf > > > # Where Puppet stores dynamic and growing data. > > # The default value is ''/var/puppet''. > > vardir = /var/opt/dhw/puppetmd > > ... > > read more »- Hide quoted text - > > - Show quoted text ---~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---