1st off sorry this is so long... I didn''t see any way to attach files
when creating the discussion.
I am trying to get my puppetmaster (0.25.0) working with passenger
(2.2.5) on Solaris (It works fine using webrick). At this point I
think it "should" work, but get a 400 error (Located below) when
running puppetd on the client.
The server doesn''t have anything in the error log indicating a
problem, but the access log shows the server returning a 400 error.
Any ideas about what the problem could be or how to enable additional
logging on the server side (I tried uncommenting << "--debug" in
my
config.ru, but don''t get anything additional).
I have also included my config.ru, puppet.conf, and ssl.conf below the
errors. Note: The install paths are bit odd, but I am trying to do
this so that I can share a main "opt" puppet package with all zones
and then have a puppetmd package that uses the same install as puppet
itself.
*** client error output ***
bash-3.00# /opt/dhw/sbin/puppetd --server
dhwsol105prod1z3.dhw.state.id.us --test --debug --environment=prod
debug: Failed to load library ''shadow'' for feature
''libshadow''
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/
dscl does not exist
debug: Failed to load library ''ldap'' for feature
''ldap''
debug: Puppet::Type::User::ProviderLdap: feature ldap is missing
debug: /File[/etc/puppet/ssl/crl.pem]: Autorequiring File[/etc/puppet/
ssl]
debug: /File[/etc/puppet/ssl/certs/
dhwsol105prod1.dhw.state.id.us.pem]: Autorequiring File[/etc/puppet/
ssl/certs]
debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/
ssl]
debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/
ssl]
debug: /File[/var/puppet/client_yaml]: Autorequiring File[/var/puppet]
debug: /File[/var/puppet/state]: Autorequiring File[/var/puppet]
debug: /File[/var/puppet/facts]: Autorequiring File[/var/puppet]
debug: /File[/etc/puppet/ssl/private_keys/
dhwsol105prod1.dhw.state.id.us.pem]: Autorequiring File[/etc/puppet/
ssl/private_keys]
debug: /File[/var/puppet/state/state.yaml]: Autorequiring File[/var/
puppet/state]
debug: /File[/etc/puppet/ssl/public_keys/
dhwsol105prod1.dhw.state.id.us.pem]: Autorequiring File[/etc/puppet/
ssl/public_keys]
debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring File
[/etc/puppet/ssl]
debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet]
debug: /File[/var/puppet/log]: Autorequiring File[/var/puppet]
debug: /File[/var/puppet/run]: Autorequiring File[/var/puppet]
debug: /File[/var/puppet/state/graphs]: Autorequiring File[/var/puppet/
state]
debug: /File[/var/puppet/state/classes.txt]: Autorequiring File[/var/
puppet/state]
debug: /File[/var/puppet/lib]: Autorequiring File[/var/puppet]
debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/
puppet/ssl]
debug: /File[/var/puppet/clientbucket]: Autorequiring File[/var/
puppet]
debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring File[/etc/
puppet/ssl/certs]
debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/
puppet/ssl]
debug: Finishing transaction 9414216 with 0 changes
debug: Using cached certificate for ca
debug: Using cached certificate for dhwsol105prod1.dhw.state.id.us
debug: Loaded state in 0.03 seconds
debug: Using cached certificate for ca
debug: Using cached certificate for dhwsol105prod1.dhw.state.id.us
debug: Using cached certificate_revocation_list for ca
debug: Puppet::Network::Format[json]: false value when expecting true
debug: Format s not supported for Puppet::Resource::Catalog; has not
implemented method ''from_s''
err: Could not retrieve catalog from remote server: Error 400 on
SERVER: Bad Request
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
*** Server error output ***
10.10.1.51 - - [20/Oct/2009:13:44:30 -0600] "GET /prod/catalog/
dhwsol105prod1.dhw.state.id.us?facts_format=yaml&facts=---%2B%2521ruby
%252Fobject%253APuppet%253A%253ANode%253A%253AFacts%2B%250Aexpiration
%253A%2B2009-10-20%2B14%253A14%253A29.927609%2B-06%253A00%250Aname%253A
%2Bdhwsol105prod1.dhw.state.id.us%250Avalues%253A%2B%250A%2B%2Bkernel
%253A%2BSunOS%250A%2B%2Bipaddress_vnet0_3%253A%2B10.10.1.57%250A%2B
%2Bnetwork_vnet0_2%253A%2B10.10.1.0%250A%2B%2Bnetmask%253A
%2B255.255.255.0%250A%2B%2Bnetmask_lo0%253A%2B255.0.0.0%250A%2B
%2Buniqueid%253A%2B84f9e03a%250A%2B%2Bfqdn%253A
%2Bdhwsol105prod1.dhw.state.id.us%250A%2B%2Bnetwork_vnet0_3%253A
%2B10.10.1.0%250A%2B%2Boperatingsystemrelease%253A%2B
%25225.10%2522%250A%2B%2Bclientversion%253A%2B0.25.0%250A%2B
%2Bipaddress%253A%2B10.10.1.51%250A%2B%2Bvirtual%253A%2Bphysical%250A
%2B%2Bnetmask_lo0_1%253A%2B255.0.0.0%250A%2B%2Bis_virtual%253A%2B
%2522false%2522%250A%2B%2Bps%253A%2Bps%2B-ef%250A%2B
%2Bipaddress_vnet0%253A%2B10.10.1.51%250A%2B%2Brubysitedir%253A%2B
%252Fopt%252Fdhw%252Flib%252Fruby%252Fsite_ruby%252F1.8%250A%2B
%2Bnetmask_lo0_2%253A%2B255.0.0.0%250A%2B%2Bhardwaremodel%253A%2Bsun4v
%250A%2B%2Bkernelrelease%253A%2B%25225.10%2522%250A%2B
%2Bnetwork_vnet0%253A%2B10.10.1.0%250A%2B%2Bnetmask_lo0_3%253A
%2B255.0.0.0%250A%2B%2Bdomain%253A%2Bdhw.state.id.us%250A%2B%2Btimezone
%253A%2BMDT%250A%2B%2Bid%253A%2Broot%250A%2B%2Bnetwork_lo0%253A
%2B127.0.0.0%250A%2B%2Bipaddress_lo0_1%253A%2B127.0.0.1%250A%2B
%2Bhardwareisa%253A%2Bsparc%250A%2B%2Bmacaddress_vnet0%253A
%2B0%253A14%253A4f%253Afb%253Ad9%253Acc%250A%2B%2Binterfaces%253A
%2Blo0%252Clo0_1%252Clo0_2%252Clo0_3%252Cvnet0%252Cvnet0_1%252Cvnet0_2%252Cvnet0_3%250A
%2B%2Bipaddress_lo0_2%253A%2B127.0.0.1%250A%2B%2Bpath%253A%2B%252Fusr
%252Fsbin%253A%252Fusr%252Fbin%253A%252Fusr%252Fccs%252Fbin%253A
%252Fopt%252FSUNWldm%252Fbin%253A%252Fopt%252Fsmuser%252Fwebagent
%252Fbin%253A%252Fsbin%250A%2B%2Bnetwork_lo0_1%253A%2B127.0.0.0%250A%2B
%2Bnetmask_vnet0_1%253A%2B255.255.255.0%250A%2B%2Bkernelversion%253A
%2BGeneric_141414-07%250A%2B%2Bipaddress_lo0%253A%2B127.0.0.1%250A%2B
%2Benvironment%253A%2Bprod%250A%2B%2B%253F%2B%2521ruby%252Fsym
%2B_timestamp%250A%2B%2B%253A%2BTue%2BOct
%2B20%2B13%253A44%253A29%2B-0600%2B2009%250A%250A%2B
%2Bnetmask_vnet0_2%253A%2B255.255.255.0%250A%2B%2Bpuppetversion%253A
%2B0.25.0%250A%2B%2Buptime%253A%2B8%2Bday%250A%2B%2Bnetwork_lo0_2%253A
%2B127.0.0.0%250A%2B%2Bipaddress_lo0_3%253A%2B127.0.0.1%250A%2B
%2Bhostname%253A%2Bdhwsol105prod1%250A%2B%2Boperatingsystem%253A
%2BSolaris%250A%2B%2Bipaddress_vnet0_1%253A%2B10.10.1.52%250A%2B
%2Bfacterversion%253A%2B1.5.7%250A%2B%2Bmacaddress%253A
%2B0%253A14%253A4f%253Afb%253Ad9%253Acc%250A%2B%2Bnetmask_vnet0_3%253A
%2B255.255.255.0%250A%2B%2Bnetwork_lo0_3%253A%2B127.0.0.0%250A%2B
%2Bsshrsakey%253A
%2BAAAAB3NzaC1yc2EAAAABIwAAAIEAxKVNsY3Tk78LgNboqdrTr9omRW7%252BTjD7PvyaD37NDW
%252FQiaWHOxIjgQ257gO765AaekFmP%252FlI9IWA8ss2feEVOYhwms0JrOln
%252BZzixI6NiUnEkW00DLR75NH5bIMmNsKDsxbwDGQuJkD2jav8WIgfMG
%252BO9RYQxNNZOMu5rUDsimc%253D%250A%2B%2Bkernelmajversion%253A
%2BGeneric_141414-07%250A%2B%2Bnetwork_vnet0_1%253A%2B10.10.1.0%250A%2B
%2Bipaddress_vnet0_2%253A%2B10.10.1.53%250A%2B%2Brubyversion%253A
%2B1.8.7%250A%2B%2Bsshdsakey%253A
%2BAAAAB3NzaC1kc3MAAACBAK0sGCS6m349DPJ0ENTNBnRlrJuF9wzBqv6v91%252BYUyiTCug54DG38LhXsB5a8wzP7vFDHm91w8H6X8lHSjZAkAZj0CXuoy
%252BKMypouxa4aPSIq79DHDM%252FEKUk4uoLoD1SfK9CUq%252FRpy1tJiXvp%252BHA
%252B5upqd4GzJUlxyQ5XoDw81u5AAAAFQDAzYUpzs%252FGN9T9sXSgdscaw%252B
%252BoRQAAAIBIjPBFixi6vEaQmRBXE1wGI7vYQ1vSD%252FY8kjPTiH1JV
%252BiX4ba80qBAN4ZfOi0aItt6dil6naY%252BoagfQkETMp58dSd
%252BqkwyfDtJfT6LigLJ9cA6trMEHvjDJP5nAykUWcFBiviOtvLioWJgCDzSKqsQs816imAgvEu3%252Bspub6A6iQAAAIBknje4ZSbAlB
%252Bn9evhpdwYFHMq7biResm9m6SZvpOoHzgAu6qZPer91qrGvVERFNi20%252F8SgLr6%252FOlddfyr
%252BfHxu7%252FesYuh
%252BuKpVq9T5jhNi3cIwgTkkeAszP1MJnX32moRJ211F6oWlKW6S8tjfD1VGU5In8WzZ2s2xdM86I5e4w
%253D%253D%250A%2B%2Bnetmask_vnet0%253A%2B255.255.255.0%250A HTTP/1.1"
400 38
*** config.ru file ***
# a config.ru, for use with every rack-compatible webserver.
# SSL needs to be handled outside this, though.
# if puppet is not in your RUBYLIB:
# $:.unshift(''/opt/dhw/lib'')
$0 = "puppetmasterd"
require ''puppet''
# if you want debugging:
ARGV << "--debug"
# Add configuration directory as argument
ARGV << "--confdir=/etc/opt/dhw/puppetmd"
ARGV << "--rack"
require ''puppet/application/puppetmasterd''
# we''re usually running inside a Rack::Builder.new {} block,
# therefore we need to call run *here*.
run Puppet::Application[:puppetmasterd].run
*** puppet.conf ***
[main]
# Set the environments available to puppet
environments = trng,prod,qual,intg,dev,qualf
# Set to sync custom facts to the clients
pluginsync = true
[puppetmasterd]
# Added for support with Apache and passenger
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
# User and group to start puppetmasterd as
user = puppetmd
group = puppetmd
# The port to run the puppet master on
masterport = 8140
# Where SSL certificates are kept.
# The default value is ''$confdir/ssl''.
ssldir = $confdir/ssl
# Single global manifest directory
manifest = $confdir/manifests/site.pp
# The location of the configuration for the fileserver
fsconfig = $confdir/fileserver.conf
# Where Puppet stores dynamic and growing data.
# The default value is ''/var/puppet''.
vardir = /var/opt/dhw/puppetmd
# Set factpath so facter can load custom facts from the server
# factpath = $vardir/lib/facter
[prod]
# The module paths to check
modulepath = /etc/opt/dhw/puppetmd/prod/modules
[trng]
# The module paths to check
modulepath = /etc/opt/dhw/puppetmd/trng/modules
[qual]
# The module paths to check
modulepath = /etc/opt/dhw/puppetmd/qual/modules
[intg]
# The module paths to check
modulepath = /etc/opt/dhw/puppetmd/intg/modules
[dev]
# The module paths to check
modulepath = /etc/opt/dhw/puppetmd/dev/modules
[qualf]
# The module paths to check
modulepath = /etc/opt/dhw/puppetmd/qualf/modules
*** ssl.conf ***
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
#<IfDefine SSL>
#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses
need two
# Listen directives: "Listen [::]:443" and "Listen
0.0.0.0:443"
#
#Listen 443
Listen 8140
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin'' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
#SSLSessionCache none
#SSLSessionCache shmht:/opt/apache/logs/ssl_scache(512000)
#SSLSessionCache shmcb:/opt/apache/logs/ssl_scache(512000)
SSLSessionCache dbm:/opt/apache/logs/ssl_scache
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:/opt/apache/logs/ssl_mutex
# Required Passenger settings
LoadModule passenger_module /etc/opt/dhw/puppetmd/lib/passenger-2.2.5/
ext/apache2/mod_passenger.so
PassengerRoot /etc/opt/dhw/puppetmd/lib/passenger-2.2.5
PassengerRuby /opt/dhw/bin/ruby
# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off
##
## SSL Virtual Host Context
##
#<VirtualHost _default_:443>
<VirtualHost dhwsol105prod1z3.dhw.state.id.us:8140>
ServerAdmin root@dhwsol105prod1z3
SSLProtocol -ALL +SSLv3 +TLSv1
SSLOptions +StdEnvVars
# General setup for the virtual host
#DocumentRoot "/opt/apache/htdocs"
DocumentRoot /etc/opt/dhw/puppetmd/rack/puppetmasterd/public
RackBaseURI /
<Directory /etc/opt/dhw/puppetmd/rack/puppetmasterd/>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>
ErrorLog /opt/apache/logs/error_log
TransferLog /opt/apache/logs/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:
+SSLv2:+EXP:+eNULL
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
#SSLCertificateFile /opt/apache/conf/ssl.crt/server.crt
#SSLCertificateFile /opt/apache/conf/ssl.crt/server-dsa.crt
SSLCertificateFile /etc/opt/dhw/puppetmd/ssl/certs/
dhwsol105prod1z3.dhw.state.id.us.pem
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you''ve both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /opt/apache/conf/ssl.key/server.key
#SSLCertificateKeyFile /opt/apache/conf/ssl.key/server-dsa.key
SSLCertificateKeyFile /etc/opt/dhw/puppetmd/ssl/private_keys/
dhwsol105prod1z3.dhw.state.id.us.pem
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /opt/apache/conf/ssl.crt/ca.crt
SSLCertificateChainFile /etc/opt/dhw/puppetmd/ssl/ca/ca_crt.pem
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /opt/apache/conf/ssl.crt
#SSLCACertificateFile /opt/apache/conf/ssl.crt/ca-bundle.crt
SSLCACertificateFile /etc/opt/dhw/puppetmd/ssl/ca/ca_crt.pem
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /opt/apache/conf/ssl.crl
#SSLCARevocationFile /opt/apache/conf/ssl.crl/ca-bundle.crl
# If Apache complains about invalid signatures on CRL, you can try
disabling
# CRL checking by commenting the next line, but this is not
recommended.
SSLCARevocationFile /etc/opt/dhw/puppetmd/ssl/ca/ca_crl.pem
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
SSLVerifyClient optional
SSLVerifyDepth 1
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA",
"Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This
means that
# the standard Auth/DBMAuth methods can be used for access
control. The
# user name is the `one line'' version of the client''s
X.509
certificate.
# Note that no password is obtained from the user. Every entry in
the user
# file needs this password: `xxj31ZMTZzkVA''.
# o ExportCertData:
# This exports two additional environment variables:
SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of
the
# server (always existing) and the client (only existing when
client
# authentication is used). This can be used to import the
certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*'' environment
variables.
# Per default this exportation is switched off for performance
reasons,
# because the extraction step is an expensive operation and is
usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o CompatEnvVars:
# This exports obsolete environment variables for backward
compatibility
# to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x.
Use this
# to provide compatibility to existing CGI scripts.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or
"SSLRequire" applied
even
# under a "Satisfy any" situation, i.e. when it applies access is
denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling
when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars
+StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/opt/apache/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn''t
wait for
# the close notify alert from client. When you need a different
shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed,
i.e. no
# SSL close notify alert is send or allowed to received. This
violates
# the SSL/TLS standard but is needed for some brain-dead browsers.
Use
# this when you receive I/O errors because of the standard
approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed,
i.e. a
# SSL close notify alert is send and mod_ssl waits for the close
notify
# alert of the client. This is 100% SSL/TLS standard compliant,
but in
# practice often causes hanging connections with brain-dead
browsers. Use
# this only for browsers where you know that their SSL
implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the
HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for
this.
# Similarly, one has to force some clients to use HTTP/1.0 to
workaround
# their broken HTTP/1.1 implementation. Use variables
"downgrade-1.0" and
# "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /opt/apache/logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Have you tried with passenger 2.2.2? 2009/10/20 nothings_absolute <soren.morton@gmail.com>:> > 1st off sorry this is so long... I didn''t see any way to attach files > when creating the discussion. > > I am trying to get my puppetmaster (0.25.0) working with passenger > (2.2.5) on Solaris (It works fine using webrick). At this point I > think it "should" work, but get a 400 error (Located below) when > running puppetd on the client. > > The server doesn''t have anything in the error log indicating a > problem, but the access log shows the server returning a 400 error. > Any ideas about what the problem could be or how to enable additional > logging on the server side (I tried uncommenting << "--debug" in my > config.ru, but don''t get anything additional). > > I have also included my config.ru, puppet.conf, and ssl.conf below the > errors. Note: The install paths are bit odd, but I am trying to do > this so that I can share a main "opt" puppet package with all zones > and then have a puppetmd package that uses the same install as puppet > itself. > > > *** client error output *** > bash-3.00# /opt/dhw/sbin/puppetd --server > dhwsol105prod1z3.dhw.state.id.us --test --debug --environment=prod > debug: Failed to load library ''shadow'' for feature ''libshadow'' > debug: Puppet::Type::User::ProviderPw: file pw does not exist > debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/ > dscl does not exist > debug: Failed to load library ''ldap'' for feature ''ldap'' > debug: Puppet::Type::User::ProviderLdap: feature ldap is missing > debug: /File[/etc/puppet/ssl/crl.pem]: Autorequiring File[/etc/puppet/ > ssl] > debug: /File[/etc/puppet/ssl/certs/ > dhwsol105prod1.dhw.state.id.us.pem]: Autorequiring File[/etc/puppet/ > ssl/certs] > debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ > ssl] > debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ > ssl] > debug: /File[/var/puppet/client_yaml]: Autorequiring File[/var/puppet] > debug: /File[/var/puppet/state]: Autorequiring File[/var/puppet] > debug: /File[/var/puppet/facts]: Autorequiring File[/var/puppet] > debug: /File[/etc/puppet/ssl/private_keys/ > dhwsol105prod1.dhw.state.id.us.pem]: Autorequiring File[/etc/puppet/ > ssl/private_keys] > debug: /File[/var/puppet/state/state.yaml]: Autorequiring File[/var/ > puppet/state] > debug: /File[/etc/puppet/ssl/public_keys/ > dhwsol105prod1.dhw.state.id.us.pem]: Autorequiring File[/etc/puppet/ > ssl/public_keys] > debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring File > [/etc/puppet/ssl] > debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet] > debug: /File[/var/puppet/log]: Autorequiring File[/var/puppet] > debug: /File[/var/puppet/run]: Autorequiring File[/var/puppet] > debug: /File[/var/puppet/state/graphs]: Autorequiring File[/var/puppet/ > state] > debug: /File[/var/puppet/state/classes.txt]: Autorequiring File[/var/ > puppet/state] > debug: /File[/var/puppet/lib]: Autorequiring File[/var/puppet] > debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/ > puppet/ssl] > debug: /File[/var/puppet/clientbucket]: Autorequiring File[/var/ > puppet] > debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring File[/etc/ > puppet/ssl/certs] > debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/ > puppet/ssl] > debug: Finishing transaction 9414216 with 0 changes > debug: Using cached certificate for ca > debug: Using cached certificate for dhwsol105prod1.dhw.state.id.us > debug: Loaded state in 0.03 seconds > debug: Using cached certificate for ca > debug: Using cached certificate for dhwsol105prod1.dhw.state.id.us > debug: Using cached certificate_revocation_list for ca > debug: Puppet::Network::Format[json]: false value when expecting true > debug: Format s not supported for Puppet::Resource::Catalog; has not > implemented method ''from_s'' > err: Could not retrieve catalog from remote server: Error 400 on > SERVER: Bad Request > warning: Not using cache on failed catalog > err: Could not retrieve catalog; skipping run > > > *** Server error output *** > 10.10.1.51 - - [20/Oct/2009:13:44:30 -0600] "GET /prod/catalog/ > dhwsol105prod1.dhw.state.id.us?facts_format=yaml&facts=---%2B%2521ruby > %252Fobject%253APuppet%253A%253ANode%253A%253AFacts%2B%250Aexpiration > %253A%2B2009-10-20%2B14%253A14%253A29.927609%2B-06%253A00%250Aname%253A > %2Bdhwsol105prod1.dhw.state.id.us%250Avalues%253A%2B%250A%2B%2Bkernel > %253A%2BSunOS%250A%2B%2Bipaddress_vnet0_3%253A%2B10.10.1.57%250A%2B > %2Bnetwork_vnet0_2%253A%2B10.10.1.0%250A%2B%2Bnetmask%253A > %2B255.255.255.0%250A%2B%2Bnetmask_lo0%253A%2B255.0.0.0%250A%2B > %2Buniqueid%253A%2B84f9e03a%250A%2B%2Bfqdn%253A > %2Bdhwsol105prod1.dhw.state.id.us%250A%2B%2Bnetwork_vnet0_3%253A > %2B10.10.1.0%250A%2B%2Boperatingsystemrelease%253A%2B > %25225.10%2522%250A%2B%2Bclientversion%253A%2B0.25.0%250A%2B > %2Bipaddress%253A%2B10.10.1.51%250A%2B%2Bvirtual%253A%2Bphysical%250A > %2B%2Bnetmask_lo0_1%253A%2B255.0.0.0%250A%2B%2Bis_virtual%253A%2B > %2522false%2522%250A%2B%2Bps%253A%2Bps%2B-ef%250A%2B > %2Bipaddress_vnet0%253A%2B10.10.1.51%250A%2B%2Brubysitedir%253A%2B > %252Fopt%252Fdhw%252Flib%252Fruby%252Fsite_ruby%252F1.8%250A%2B > %2Bnetmask_lo0_2%253A%2B255.0.0.0%250A%2B%2Bhardwaremodel%253A%2Bsun4v > %250A%2B%2Bkernelrelease%253A%2B%25225.10%2522%250A%2B > %2Bnetwork_vnet0%253A%2B10.10.1.0%250A%2B%2Bnetmask_lo0_3%253A > %2B255.0.0.0%250A%2B%2Bdomain%253A%2Bdhw.state.id.us%250A%2B%2Btimezone > %253A%2BMDT%250A%2B%2Bid%253A%2Broot%250A%2B%2Bnetwork_lo0%253A > %2B127.0.0.0%250A%2B%2Bipaddress_lo0_1%253A%2B127.0.0.1%250A%2B > %2Bhardwareisa%253A%2Bsparc%250A%2B%2Bmacaddress_vnet0%253A > %2B0%253A14%253A4f%253Afb%253Ad9%253Acc%250A%2B%2Binterfaces%253A > %2Blo0%252Clo0_1%252Clo0_2%252Clo0_3%252Cvnet0%252Cvnet0_1%252Cvnet0_2%252Cvnet0_3%250A > %2B%2Bipaddress_lo0_2%253A%2B127.0.0.1%250A%2B%2Bpath%253A%2B%252Fusr > %252Fsbin%253A%252Fusr%252Fbin%253A%252Fusr%252Fccs%252Fbin%253A > %252Fopt%252FSUNWldm%252Fbin%253A%252Fopt%252Fsmuser%252Fwebagent > %252Fbin%253A%252Fsbin%250A%2B%2Bnetwork_lo0_1%253A%2B127.0.0.0%250A%2B > %2Bnetmask_vnet0_1%253A%2B255.255.255.0%250A%2B%2Bkernelversion%253A > %2BGeneric_141414-07%250A%2B%2Bipaddress_lo0%253A%2B127.0.0.1%250A%2B > %2Benvironment%253A%2Bprod%250A%2B%2B%253F%2B%2521ruby%252Fsym > %2B_timestamp%250A%2B%2B%253A%2BTue%2BOct > %2B20%2B13%253A44%253A29%2B-0600%2B2009%250A%250A%2B > %2Bnetmask_vnet0_2%253A%2B255.255.255.0%250A%2B%2Bpuppetversion%253A > %2B0.25.0%250A%2B%2Buptime%253A%2B8%2Bday%250A%2B%2Bnetwork_lo0_2%253A > %2B127.0.0.0%250A%2B%2Bipaddress_lo0_3%253A%2B127.0.0.1%250A%2B > %2Bhostname%253A%2Bdhwsol105prod1%250A%2B%2Boperatingsystem%253A > %2BSolaris%250A%2B%2Bipaddress_vnet0_1%253A%2B10.10.1.52%250A%2B > %2Bfacterversion%253A%2B1.5.7%250A%2B%2Bmacaddress%253A > %2B0%253A14%253A4f%253Afb%253Ad9%253Acc%250A%2B%2Bnetmask_vnet0_3%253A > %2B255.255.255.0%250A%2B%2Bnetwork_lo0_3%253A%2B127.0.0.0%250A%2B > %2Bsshrsakey%253A > %2BAAAAB3NzaC1yc2EAAAABIwAAAIEAxKVNsY3Tk78LgNboqdrTr9omRW7%252BTjD7PvyaD37NDW > %252FQiaWHOxIjgQ257gO765AaekFmP%252FlI9IWA8ss2feEVOYhwms0JrOln > %252BZzixI6NiUnEkW00DLR75NH5bIMmNsKDsxbwDGQuJkD2jav8WIgfMG > %252BO9RYQxNNZOMu5rUDsimc%253D%250A%2B%2Bkernelmajversion%253A > %2BGeneric_141414-07%250A%2B%2Bnetwork_vnet0_1%253A%2B10.10.1.0%250A%2B > %2Bipaddress_vnet0_2%253A%2B10.10.1.53%250A%2B%2Brubyversion%253A > %2B1.8.7%250A%2B%2Bsshdsakey%253A > %2BAAAAB3NzaC1kc3MAAACBAK0sGCS6m349DPJ0ENTNBnRlrJuF9wzBqv6v91%252BYUyiTCug54DG38LhXsB5a8wzP7vFDHm91w8H6X8lHSjZAkAZj0CXuoy > %252BKMypouxa4aPSIq79DHDM%252FEKUk4uoLoD1SfK9CUq%252FRpy1tJiXvp%252BHA > %252B5upqd4GzJUlxyQ5XoDw81u5AAAAFQDAzYUpzs%252FGN9T9sXSgdscaw%252B > %252BoRQAAAIBIjPBFixi6vEaQmRBXE1wGI7vYQ1vSD%252FY8kjPTiH1JV > %252BiX4ba80qBAN4ZfOi0aItt6dil6naY%252BoagfQkETMp58dSd > %252BqkwyfDtJfT6LigLJ9cA6trMEHvjDJP5nAykUWcFBiviOtvLioWJgCDzSKqsQs816imAgvEu3%252Bspub6A6iQAAAIBknje4ZSbAlB > %252Bn9evhpdwYFHMq7biResm9m6SZvpOoHzgAu6qZPer91qrGvVERFNi20%252F8SgLr6%252FOlddfyr > %252BfHxu7%252FesYuh > %252BuKpVq9T5jhNi3cIwgTkkeAszP1MJnX32moRJ211F6oWlKW6S8tjfD1VGU5In8WzZ2s2xdM86I5e4w > %253D%253D%250A%2B%2Bnetmask_vnet0%253A%2B255.255.255.0%250A HTTP/1.1" > 400 38 > > > *** config.ru file *** > # a config.ru, for use with every rack-compatible webserver. > # SSL needs to be handled outside this, though. > > # if puppet is not in your RUBYLIB: > # $:.unshift(''/opt/dhw/lib'') > > $0 = "puppetmasterd" > require ''puppet'' > > # if you want debugging: > ARGV << "--debug" > > # Add configuration directory as argument > ARGV << "--confdir=/etc/opt/dhw/puppetmd" > > ARGV << "--rack" > require ''puppet/application/puppetmasterd'' > # we''re usually running inside a Rack::Builder.new {} block, > # therefore we need to call run *here*. > run Puppet::Application[:puppetmasterd].run > > > *** puppet.conf *** > [main] > # Set the environments available to puppet > environments = trng,prod,qual,intg,dev,qualf > > # Set to sync custom facts to the clients > pluginsync = true > > > [puppetmasterd] > # Added for support with Apache and passenger > ssl_client_header = SSL_CLIENT_S_DN > ssl_client_verify_header = SSL_CLIENT_VERIFY > > # User and group to start puppetmasterd as > user = puppetmd > group = puppetmd > > # The port to run the puppet master on > masterport = 8140 > > # Where SSL certificates are kept. > # The default value is ''$confdir/ssl''. > ssldir = $confdir/ssl > > # Single global manifest directory > manifest = $confdir/manifests/site.pp > > # The location of the configuration for the fileserver > fsconfig = $confdir/fileserver.conf > > # Where Puppet stores dynamic and growing data. > # The default value is ''/var/puppet''. > vardir = /var/opt/dhw/puppetmd > > # Set factpath so facter can load custom facts from the server > # factpath = $vardir/lib/facter > > > [prod] > # The module paths to check > modulepath = /etc/opt/dhw/puppetmd/prod/modules > > > [trng] > # The module paths to check > modulepath = /etc/opt/dhw/puppetmd/trng/modules > > > [qual] > # The module paths to check > modulepath = /etc/opt/dhw/puppetmd/qual/modules > > > [intg] > # The module paths to check > modulepath = /etc/opt/dhw/puppetmd/intg/modules > > > [dev] > # The module paths to check > modulepath = /etc/opt/dhw/puppetmd/dev/modules > > > [qualf] > # The module paths to check > modulepath = /etc/opt/dhw/puppetmd/qualf/modules > > > *** ssl.conf *** > SSLRandomSeed startup builtin > SSLRandomSeed connect builtin > #SSLRandomSeed startup file:/dev/random 512 > #SSLRandomSeed startup file:/dev/urandom 512 > #SSLRandomSeed connect file:/dev/random 512 > #SSLRandomSeed connect file:/dev/urandom 512 > > #<IfDefine SSL> > > # > # When we also provide SSL we have to listen to the > # standard HTTP port (see above) and to the HTTPS port > # > # Note: Configurations that use IPv6 but not IPv4-mapped addresses > need two > # Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443" > # > #Listen 443 > Listen 8140 > > ## > ## SSL Global Context > ## > ## All SSL configuration in this context applies both to > ## the main server and all SSL-enabled virtual hosts. > ## > > # > # Some MIME-types for downloading Certificates and CRLs > # > AddType application/x-x509-ca-cert .crt > AddType application/x-pkcs7-crl .crl > > # Pass Phrase Dialog: > # Configure the pass phrase gathering process. > # The filtering dialog program (`builtin'' is a internal > # terminal dialog) has to provide the pass phrase on stdout. > SSLPassPhraseDialog builtin > > # Inter-Process Session Cache: > # Configure the SSL Session Cache: First the mechanism > # to use and second the expiring timeout (in seconds). > #SSLSessionCache none > #SSLSessionCache shmht:/opt/apache/logs/ssl_scache(512000) > #SSLSessionCache shmcb:/opt/apache/logs/ssl_scache(512000) > SSLSessionCache dbm:/opt/apache/logs/ssl_scache > SSLSessionCacheTimeout 300 > > # Semaphore: > # Configure the path to the mutual exclusion semaphore the > # SSL engine uses internally for inter-process synchronization. > SSLMutex file:/opt/apache/logs/ssl_mutex > > > # Required Passenger settings > LoadModule passenger_module /etc/opt/dhw/puppetmd/lib/passenger-2.2.5/ > ext/apache2/mod_passenger.so > PassengerRoot /etc/opt/dhw/puppetmd/lib/passenger-2.2.5 > PassengerRuby /opt/dhw/bin/ruby > > # you probably want to tune these settings > PassengerHighPerformance on > PassengerMaxPoolSize 12 > PassengerPoolIdleTime 1500 > # PassengerMaxRequests 1000 > PassengerStatThrottleRate 120 > RackAutoDetect Off > RailsAutoDetect Off > > ## > ## SSL Virtual Host Context > ## > > #<VirtualHost _default_:443> > > <VirtualHost dhwsol105prod1z3.dhw.state.id.us:8140> > ServerAdmin root@dhwsol105prod1z3 > > SSLProtocol -ALL +SSLv3 +TLSv1 > SSLOptions +StdEnvVars > > # General setup for the virtual host > #DocumentRoot "/opt/apache/htdocs" > DocumentRoot /etc/opt/dhw/puppetmd/rack/puppetmasterd/public > > RackBaseURI / > > <Directory /etc/opt/dhw/puppetmd/rack/puppetmasterd/> > Options None > AllowOverride None > Order allow,deny > allow from all > </Directory> > > ErrorLog /opt/apache/logs/error_log > TransferLog /opt/apache/logs/access_log > > # SSL Engine Switch: > # Enable/Disable SSL for this virtual host. > SSLEngine on > > # SSL Cipher Suite: > # List the ciphers that the client is permitted to negotiate. > # See the mod_ssl documentation for a complete list. > #SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW: > +SSLv2:+EXP:+eNULL > SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP > > # Server Certificate: > # Point SSLCertificateFile at a PEM encoded certificate. If > # the certificate is encrypted, then you will be prompted for a > # pass phrase. Note that a kill -HUP will prompt again. Keep > # in mind that if you have both an RSA and a DSA certificate you > # can configure both in parallel (to also allow the use of DSA > # ciphers, etc.) > #SSLCertificateFile /opt/apache/conf/ssl.crt/server.crt > #SSLCertificateFile /opt/apache/conf/ssl.crt/server-dsa.crt > SSLCertificateFile /etc/opt/dhw/puppetmd/ssl/certs/ > dhwsol105prod1z3.dhw.state.id.us.pem > > # Server Private Key: > # If the key is not combined with the certificate, use this > # directive to point at the key file. Keep in mind that if > # you''ve both a RSA and a DSA private key you can configure > # both in parallel (to also allow the use of DSA ciphers, etc.) > #SSLCertificateKeyFile /opt/apache/conf/ssl.key/server.key > #SSLCertificateKeyFile /opt/apache/conf/ssl.key/server-dsa.key > SSLCertificateKeyFile /etc/opt/dhw/puppetmd/ssl/private_keys/ > dhwsol105prod1z3.dhw.state.id.us.pem > > # Server Certificate Chain: > # Point SSLCertificateChainFile at a file containing the > # concatenation of PEM encoded CA certificates which form the > # certificate chain for the server certificate. Alternatively > # the referenced file can be the same as SSLCertificateFile > # when the CA certificates are directly appended to the server > # certificate for convinience. > #SSLCertificateChainFile /opt/apache/conf/ssl.crt/ca.crt > SSLCertificateChainFile /etc/opt/dhw/puppetmd/ssl/ca/ca_crt.pem > > # Certificate Authority (CA): > # Set the CA certificate verification path where to find CA > # certificates for client authentication or alternatively one > # huge file containing all of them (file must be PEM encoded) > # Note: Inside SSLCACertificatePath you need hash symlinks > # to point to the certificate files. Use the provided > # Makefile to update the hash symlinks after changes. > #SSLCACertificatePath /opt/apache/conf/ssl.crt > #SSLCACertificateFile /opt/apache/conf/ssl.crt/ca-bundle.crt > SSLCACertificateFile /etc/opt/dhw/puppetmd/ssl/ca/ca_crt.pem > > # Certificate Revocation Lists (CRL): > # Set the CA revocation path where to find CA CRLs for client > # authentication or alternatively one huge file containing all > # of them (file must be PEM encoded) > # Note: Inside SSLCARevocationPath you need hash symlinks > # to point to the certificate files. Use the provided > # Makefile to update the hash symlinks after changes. > #SSLCARevocationPath /opt/apache/conf/ssl.crl > #SSLCARevocationFile /opt/apache/conf/ssl.crl/ca-bundle.crl > # If Apache complains about invalid signatures on CRL, you can try > disabling > # CRL checking by commenting the next line, but this is not > recommended. > SSLCARevocationFile /etc/opt/dhw/puppetmd/ssl/ca/ca_crl.pem > > # Client Authentication (Type): > # Client certificate verification type and depth. Types are > # none, optional, require and optional_no_ca. Depth is a > # number which specifies how deeply to verify the certificate > # issuer chain before deciding the certificate is not valid. > #SSLVerifyClient require > #SSLVerifyDepth 10 > SSLVerifyClient optional > SSLVerifyDepth 1 > > # Access Control: > # With SSLRequire you can do per-directory access control based > # on arbitrary complex boolean expressions containing server > # variable checks and other lookup directives. The syntax is a > # mixture between C and Perl. See the mod_ssl documentation > # for more details. > #<Location /> > #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ > # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ > # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ > # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ > # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ > # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ > #</Location> > > # SSL Engine Options: > # Set various options for the SSL engine. > # o FakeBasicAuth: > # Translate the client X.509 into a Basic Authorisation. This > means that > # the standard Auth/DBMAuth methods can be used for access > control. The > # user name is the `one line'' version of the client''s X.509 > certificate. > # Note that no password is obtained from the user. Every entry in > the user > # file needs this password: `xxj31ZMTZzkVA''. > # o ExportCertData: > # This exports two additional environment variables: > SSL_CLIENT_CERT and > # SSL_SERVER_CERT. These contain the PEM-encoded certificates of > the > # server (always existing) and the client (only existing when > client > # authentication is used). This can be used to import the > certificates > # into CGI scripts. > # o StdEnvVars: > # This exports the standard SSL/TLS related `SSL_*'' environment > variables. > # Per default this exportation is switched off for performance > reasons, > # because the extraction step is an expensive operation and is > usually > # useless for serving static content. So one usually enables the > # exportation for CGI and SSI requests only. > # o CompatEnvVars: > # This exports obsolete environment variables for backward > compatibility > # to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. > Use this > # to provide compatibility to existing CGI scripts. > # o StrictRequire: > # This denies access when "SSLRequireSSL" or "SSLRequire" applied > even > # under a "Satisfy any" situation, i.e. when it applies access is > denied > # and no other module can change it. > # o OptRenegotiate: > # This enables optimized SSL connection renegotiation handling > when SSL > # directives are used in per-directory context. > #SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars > +StrictRequire > <FilesMatch "\.(cgi|shtml|phtml|php3?)$"> > SSLOptions +StdEnvVars > </FilesMatch> > <Directory "/opt/apache/cgi-bin"> > SSLOptions +StdEnvVars > </Directory> > > # SSL Protocol Adjustments: > # The safe and default but still SSL/TLS standard compliant shutdown > # approach is that mod_ssl sends the close notify alert but doesn''t > wait for > # the close notify alert from client. When you need a different > shutdown > # approach you can use one of the following variables: > # o ssl-unclean-shutdown: > # This forces an unclean shutdown when the connection is closed, > i.e. no > # SSL close notify alert is send or allowed to received. This > violates > # the SSL/TLS standard but is needed for some brain-dead browsers. > Use > # this when you receive I/O errors because of the standard > approach where > # mod_ssl sends the close notify alert. > # o ssl-accurate-shutdown: > # This forces an accurate shutdown when the connection is closed, > i.e. a > # SSL close notify alert is send and mod_ssl waits for the close > notify > # alert of the client. This is 100% SSL/TLS standard compliant, > but in > # practice often causes hanging connections with brain-dead > browsers. Use > # this only for browsers where you know that their SSL > implementation > # works correctly. > # Notice: Most problems of broken clients are also related to the > HTTP > # keep-alive facility, so you usually additionally want to disable > # keep-alive for those clients, too. Use variable "nokeepalive" for > this. > # Similarly, one has to force some clients to use HTTP/1.0 to > workaround > # their broken HTTP/1.1 implementation. Use variables > "downgrade-1.0" and > # "force-response-1.0" for this. > SetEnvIf User-Agent ".*MSIE.*" \ > nokeepalive ssl-unclean-shutdown \ > downgrade-1.0 force-response-1.0 > > # Per-Server Logging: > # The home of a custom SSL log file. Use this when you want a > # compact non-error SSL logfile on a virtual host basis. > CustomLog /opt/apache/logs/ssl_request_log \ > "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" > > </VirtualHost> > > > >--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---
I have tried 2.2.2, but couldn''t get it to compile successfully. It looked like there were some code changes that I could make to the 2.2.2 source to get it working, but applying a single fix (for the solaris related bug) to 2.2.5 seemed like it was the better route to go. I also tried 2.2.4 and found that it doesn''t work either (I get the same error message). Thanks! Soren On Oct 20, 2:35 pm, Matt <mattmora...@gmail.com> wrote:> Have you tried with passenger 2.2.2? > > 2009/10/20 nothings_absolute <soren.mor...@gmail.com>: > > > > > > > 1st off sorry this is so long... I didn''t see any way to attach files > > when creating the discussion. > > > I am trying to get my puppetmaster (0.25.0) working with passenger > > (2.2.5) on Solaris (It works fine using webrick). At this point I > > think it "should" work, but get a 400 error (Located below) when > > running puppetd on the client. > > > The server doesn''t have anything in the error log indicating a > > problem, but the access log shows the server returning a 400 error. > > Any ideas about what the problem could be or how to enable additional > > logging on the server side (I tried uncommenting << "--debug" in my > > config.ru, but don''t get anything additional). > > > I have also included my config.ru, puppet.conf, and ssl.conf below the > > errors. Note: The install paths are bit odd, but I am trying to do > > this so that I can share a main "opt" puppet package with all zones > > and then have a puppetmd package that uses the same install as puppet > > itself. > > > *** client error output *** > > bash-3.00# /opt/dhw/sbin/puppetd --server > > dhwsol105prod1z3.dhw.state.id.us --test --debug --environment=prod > > debug: Failed to load library ''shadow'' for feature ''libshadow'' > > debug: Puppet::Type::User::ProviderPw: file pw does not exist > > debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/ > > dscl does not exist > > debug: Failed to load library ''ldap'' for feature ''ldap'' > > debug: Puppet::Type::User::ProviderLdap: feature ldap is missing > > debug: /File[/etc/puppet/ssl/crl.pem]: Autorequiring File[/etc/puppet/ > > ssl] > > debug: /File[/etc/puppet/ssl/certs/ > > dhwsol105prod1.dhw.state.id.us.pem]: Autorequiring File[/etc/puppet/ > > ssl/certs] > > debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ > > ssl] > > debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ > > ssl] > > debug: /File[/var/puppet/client_yaml]: Autorequiring File[/var/puppet] > > debug: /File[/var/puppet/state]: Autorequiring File[/var/puppet] > > debug: /File[/var/puppet/facts]: Autorequiring File[/var/puppet] > > debug: /File[/etc/puppet/ssl/private_keys/ > > dhwsol105prod1.dhw.state.id.us.pem]: Autorequiring File[/etc/puppet/ > > ssl/private_keys] > > debug: /File[/var/puppet/state/state.yaml]: Autorequiring File[/var/ > > puppet/state] > > debug: /File[/etc/puppet/ssl/public_keys/ > > dhwsol105prod1.dhw.state.id.us.pem]: Autorequiring File[/etc/puppet/ > > ssl/public_keys] > > debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring File > > [/etc/puppet/ssl] > > debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet] > > debug: /File[/var/puppet/log]: Autorequiring File[/var/puppet] > > debug: /File[/var/puppet/run]: Autorequiring File[/var/puppet] > > debug: /File[/var/puppet/state/graphs]: Autorequiring File[/var/puppet/ > > state] > > debug: /File[/var/puppet/state/classes.txt]: Autorequiring File[/var/ > > puppet/state] > > debug: /File[/var/puppet/lib]: Autorequiring File[/var/puppet] > > debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/ > > puppet/ssl] > > debug: /File[/var/puppet/clientbucket]: Autorequiring File[/var/ > > puppet] > > debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring File[/etc/ > > puppet/ssl/certs] > > debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/ > > puppet/ssl] > > debug: Finishing transaction 9414216 with 0 changes > > debug: Using cached certificate for ca > > debug: Using cached certificate for dhwsol105prod1.dhw.state.id.us > > debug: Loaded state in 0.03 seconds > > debug: Using cached certificate for ca > > debug: Using cached certificate for dhwsol105prod1.dhw.state.id.us > > debug: Using cached certificate_revocation_list for ca > > debug: Puppet::Network::Format[json]: false value when expecting true > > debug: Format s not supported for Puppet::Resource::Catalog; has not > > implemented method ''from_s'' > > err: Could not retrieve catalog from remote server: Error 400 on > > SERVER: Bad Request > > warning: Not using cache on failed catalog > > err: Could not retrieve catalog; skipping run > > > *** Server error output *** > > 10.10.1.51 - - [20/Oct/2009:13:44:30 -0600] "GET /prod/catalog/ > > dhwsol105prod1.dhw.state.id.us?facts_format=yaml&facts=---%2B%2521ruby > > %252Fobject%253APuppet%253A%253ANode%253A%253AFacts%2B%250Aexpiration > > %253A%2B2009-10-20%2B14%253A14%253A29.927609%2B-06%253A00%250Aname%253A > > %2Bdhwsol105prod1.dhw.state.id.us%250Avalues%253A%2B%250A%2B%2Bkernel > > %253A%2BSunOS%250A%2B%2Bipaddress_vnet0_3%253A%2B10.10.1.57%250A%2B > > %2Bnetwork_vnet0_2%253A%2B10.10.1.0%250A%2B%2Bnetmask%253A > > %2B255.255.255.0%250A%2B%2Bnetmask_lo0%253A%2B255.0.0.0%250A%2B > > %2Buniqueid%253A%2B84f9e03a%250A%2B%2Bfqdn%253A > > %2Bdhwsol105prod1.dhw.state.id.us%250A%2B%2Bnetwork_vnet0_3%253A > > %2B10.10.1.0%250A%2B%2Boperatingsystemrelease%253A%2B > > %25225.10%2522%250A%2B%2Bclientversion%253A%2B0.25.0%250A%2B > > %2Bipaddress%253A%2B10.10.1.51%250A%2B%2Bvirtual%253A%2Bphysical%250A > > %2B%2Bnetmask_lo0_1%253A%2B255.0.0.0%250A%2B%2Bis_virtual%253A%2B > > %2522false%2522%250A%2B%2Bps%253A%2Bps%2B-ef%250A%2B > > %2Bipaddress_vnet0%253A%2B10.10.1.51%250A%2B%2Brubysitedir%253A%2B > > %252Fopt%252Fdhw%252Flib%252Fruby%252Fsite_ruby%252F1.8%250A%2B > > %2Bnetmask_lo0_2%253A%2B255.0.0.0%250A%2B%2Bhardwaremodel%253A%2Bsun4v > > %250A%2B%2Bkernelrelease%253A%2B%25225.10%2522%250A%2B > > %2Bnetwork_vnet0%253A%2B10.10.1.0%250A%2B%2Bnetmask_lo0_3%253A > > %2B255.0.0.0%250A%2B%2Bdomain%253A%2Bdhw.state.id.us%250A%2B%2Btimezone > > %253A%2BMDT%250A%2B%2Bid%253A%2Broot%250A%2B%2Bnetwork_lo0%253A > > %2B127.0.0.0%250A%2B%2Bipaddress_lo0_1%253A%2B127.0.0.1%250A%2B > > %2Bhardwareisa%253A%2Bsparc%250A%2B%2Bmacaddress_vnet0%253A > > %2B0%253A14%253A4f%253Afb%253Ad9%253Acc%250A%2B%2Binterfaces%253A > > %2Blo0%252Clo0_1%252Clo0_2%252Clo0_3%252Cvnet0%252Cvnet0_1%252Cvnet0_2%252Cvnet0_3%250A > > %2B%2Bipaddress_lo0_2%253A%2B127.0.0.1%250A%2B%2Bpath%253A%2B%252Fusr > > %252Fsbin%253A%252Fusr%252Fbin%253A%252Fusr%252Fccs%252Fbin%253A > > %252Fopt%252FSUNWldm%252Fbin%253A%252Fopt%252Fsmuser%252Fwebagent > > %252Fbin%253A%252Fsbin%250A%2B%2Bnetwork_lo0_1%253A%2B127.0.0.0%250A%2B > > %2Bnetmask_vnet0_1%253A%2B255.255.255.0%250A%2B%2Bkernelversion%253A > > %2BGeneric_141414-07%250A%2B%2Bipaddress_lo0%253A%2B127.0.0.1%250A%2B > > %2Benvironment%253A%2Bprod%250A%2B%2B%253F%2B%2521ruby%252Fsym > > %2B_timestamp%250A%2B%2B%253A%2BTue%2BOct > > %2B20%2B13%253A44%253A29%2B-0600%2B2009%250A%250A%2B > > %2Bnetmask_vnet0_2%253A%2B255.255.255.0%250A%2B%2Bpuppetversion%253A > > %2B0.25.0%250A%2B%2Buptime%253A%2B8%2Bday%250A%2B%2Bnetwork_lo0_2%253A > > %2B127.0.0.0%250A%2B%2Bipaddress_lo0_3%253A%2B127.0.0.1%250A%2B > > %2Bhostname%253A%2Bdhwsol105prod1%250A%2B%2Boperatingsystem%253A > > %2BSolaris%250A%2B%2Bipaddress_vnet0_1%253A%2B10.10.1.52%250A%2B > > %2Bfacterversion%253A%2B1.5.7%250A%2B%2Bmacaddress%253A > > %2B0%253A14%253A4f%253Afb%253Ad9%253Acc%250A%2B%2Bnetmask_vnet0_3%253A > > %2B255.255.255.0%250A%2B%2Bnetwork_lo0_3%253A%2B127.0.0.0%250A%2B > > %2Bsshrsakey%253A > > %2BAAAAB3NzaC1yc2EAAAABIwAAAIEAxKVNsY3Tk78LgNboqdrTr9omRW7%252BTjD7PvyaD37NDW > > %252FQiaWHOxIjgQ257gO765AaekFmP%252FlI9IWA8ss2feEVOYhwms0JrOln > > %252BZzixI6NiUnEkW00DLR75NH5bIMmNsKDsxbwDGQuJkD2jav8WIgfMG > > %252BO9RYQxNNZOMu5rUDsimc%253D%250A%2B%2Bkernelmajversion%253A > > %2BGeneric_141414-07%250A%2B%2Bnetwork_vnet0_1%253A%2B10.10.1.0%250A%2B > > %2Bipaddress_vnet0_2%253A%2B10.10.1.53%250A%2B%2Brubyversion%253A > > %2B1.8.7%250A%2B%2Bsshdsakey%253A > > %2BAAAAB3NzaC1kc3MAAACBAK0sGCS6m349DPJ0ENTNBnRlrJuF9wzBqv6v91%252BYUyiTCug54DG38LhXsB5a8wzP7vFDHm91w8H6X8lHSjZAkAZj0CXuoy > > %252BKMypouxa4aPSIq79DHDM%252FEKUk4uoLoD1SfK9CUq%252FRpy1tJiXvp%252BHA > > %252B5upqd4GzJUlxyQ5XoDw81u5AAAAFQDAzYUpzs%252FGN9T9sXSgdscaw%252B > > %252BoRQAAAIBIjPBFixi6vEaQmRBXE1wGI7vYQ1vSD%252FY8kjPTiH1JV > > %252BiX4ba80qBAN4ZfOi0aItt6dil6naY%252BoagfQkETMp58dSd > > %252BqkwyfDtJfT6LigLJ9cA6trMEHvjDJP5nAykUWcFBiviOtvLioWJgCDzSKqsQs816imAgvEu3%252Bspub6A6iQAAAIBknje4ZSbAlB > > %252Bn9evhpdwYFHMq7biResm9m6SZvpOoHzgAu6qZPer91qrGvVERFNi20%252F8SgLr6%252FOlddfyr > > %252BfHxu7%252FesYuh > > %252BuKpVq9T5jhNi3cIwgTkkeAszP1MJnX32moRJ211F6oWlKW6S8tjfD1VGU5In8WzZ2s2xdM86I5e4w > > %253D%253D%250A%2B%2Bnetmask_vnet0%253A%2B255.255.255.0%250A HTTP/1.1" > > 400 38 > > > *** config.ru file *** > > # a config.ru, for use with every rack-compatible webserver. > > # SSL needs to be handled outside this, though. > > > # if puppet is not in your RUBYLIB: > > # $:.unshift(''/opt/dhw/lib'') > > > $0 = "puppetmasterd" > > require ''puppet'' > > > # if you want debugging: > > ARGV << "--debug" > > > # Add configuration directory as argument > > ARGV << "--confdir=/etc/opt/dhw/puppetmd" > > > ARGV << "--rack" > > require ''puppet/application/puppetmasterd'' > > # we''re usually running inside a Rack::Builder.new {} block, > > # therefore we need to call run *here*. > > run Puppet::Application[:puppetmasterd].run > > > *** puppet.conf *** > > [main] > > # Set the environments available to puppet > > environments = trng,prod,qual,intg,dev,qualf > > > # Set to sync custom facts to the clients > > pluginsync = true > > > [puppetmasterd] > > # Added for support with Apache and passenger > > ssl_client_header = SSL_CLIENT_S_DN > > ssl_client_verify_header = SSL_CLIENT_VERIFY > > > # User and group to start puppetmasterd as > > user = puppetmd > > group = puppetmd > > > # The port to run the puppet master on > > masterport = 8140 > > > # Where SSL certificates are kept. > > # The default value is ''$confdir/ssl''. > > ssldir = $confdir/ssl > > > # Single global manifest directory > > manifest = $confdir/manifests/site.pp > > > # The location of the configuration for the fileserver > > fsconfig = $confdir/fileserver.conf > > > # Where Puppet stores dynamic and growing data. > > # The default value is ''/var/puppet''. > > vardir = /var/opt/dhw/puppetmd > > ... > > read more »- Hide quoted text - > > - Show quoted text ---~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---