Puppet users - Feb 2010 - error on puppet 25.4 with passenger 2.2.2

Hi all,

I''ve just installed a puppet version 25.4 (I was using before version
24.5 without any trouble)
when I test the installation using webrick, it''s working fine. A
client can connect to the master and do whatever it have to do.
When I switch to passenger, I have the following message:

err: Could not retrieve catalog from remote server: Error 403 on
SERVER: Forbidden request: wn1002.sdfarm.kr(134.75.123.102) access to /
catalog/wn1002.sdfarm.kr [find] at line 0
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

so I have obviously an authorization problem, but i cannot find the
solution to this problem...

I had a look on google but this kind of problems seems to happen
usually with certificates problems which should not be the case here
since every thing is working fine without passenger...

Does anyone have a suggestion?

Thanks,

Bonnaud Christophe.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Feb 8, 3:18 am, Christophe Bonnaud <takyo...@hotmail.com>
wrote:
> so I have obviously an authorization problem, but i cannot find the
> solution to this problem...
>
> Does anyone have a suggestion?

I''ve seen the same thing with my setup...the solution for me was to
put the "RequestHeader" lines found on the Puppet Passenger wiki page
(http://www.reductivelabs.com/trac/puppet/wiki/UsingPassenger) into my
Apache virtual host config:

	RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
	RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
	RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

...not sure why that section isn''t included in the provided template
(./ext/rack/files/apache2.conf) from the puppet sources (I''m using
v0.25.4), but adding them fixed things up for me. Note that I also
don''t have an auth.conf file, and even if I add one and take these
lines out, I''m back to getting the "err: Could not retrieve
catalog
from remote server: Error 403 on SERVER:" message. Hope that helps!

--
Aaron "ElasticDog" Schaefer

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Feb 9, 6:20 am, Aaron Schaefer <aaronschae...@gmail.com>
wrote:
> On Feb 8, 3:18 am, Christophe Bonnaud <takyo...@hotmail.com> wrote:
>
> > so I have obviously an authorization problem, but i cannot find the
> > solution to this problem...
>
> > Does anyone have a suggestion?
>
> I''ve seen the same thing with my setup...the solution for me was
to
> put the "RequestHeader" lines found on the Puppet Passenger wiki
page
> (http://www.reductivelabs.com/trac/puppet/wiki/UsingPassenger) into my
> Apache virtual host config:
>
>         RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
>         RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
>         RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
>
> ...not sure why that section isn''t included in the provided
template
> (./ext/rack/files/apache2.conf) from the puppet sources (I''m using
> v0.25.4), but adding them fixed things up for me. Note that I also
> don''t have an auth.conf file, and even if I add one and take these
> lines out, I''m back to getting the "err: Could not retrieve
catalog
> from remote server: Error 403 on SERVER:" message. Hope that helps!
Indeed this was the solution... thanks so much for your help!!
I''m agree it''s strange that those lines are not in the
provided
template...
Anyone know why?
>
> --
> Aaron "ElasticDog" Schaefer
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Feb 8, 2010, at 4:20 PM, Christophe Bonnaud wrote:
>> I''ve seen the same thing with my setup...the solution for me
was to
>> put the "RequestHeader" lines found on the Puppet Passenger
wiki page
>> (http://www.reductivelabs.com/trac/puppet/wiki/UsingPassenger) into my
>> Apache virtual host config:
>> 
>>         RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
>>         RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
>>         RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
>> 
>> ...not sure why that section isn''t included in the provided
template
>> (./ext/rack/files/apache2.conf) from the puppet sources (I''m
using
>> v0.25.4), but adding them fixed things up for me. Note that I also
>> don''t have an auth.conf file, and even if I add one and take
these
>> lines out, I''m back to getting the "err: Could not
retrieve catalog
>> from remote server: Error 403 on SERVER:" message. Hope that
helps!
> 
> Indeed this was the solution... thanks so much for your help!!
> I''m agree it''s strange that those lines are not in the
provided
> template...
> Anyone know why?

The documented suggestion -- though I agree it''s not on the wiki page;
once we resolve this question here I''d be happy to update
UsingPassenger this as I''ve just gone through it myself -- is to go at
it from the other direction. Instead of changing apache to match
puppet''s defaults, you tell puppet the names of the apache variables:

(from ext/rack/README)
Required puppet.conf settings:
  [puppetmasterd]
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY


Then the required httpd.conf line is just
  SSLOptions +StdEnvVars

which *is* in the config file in the distribution.  

I''m not enough of an expert to know whether one is preferable to the
other, though.


-=Eric

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Feb 9, 9:50 am, Eric Sorenson <ahp...@gmail.com>
wrote:
> On Feb 8, 2010, at 4:20 PM, Christophe Bonnaud wrote:
>
>
>
>
>
> >> I''ve seen the same thing with my setup...the solution for
me was to
> >> put the "RequestHeader" lines found on the Puppet
Passenger wiki page
> >> (http://www.reductivelabs.com/trac/puppet/wiki/UsingPassenger)
into my
> >> Apache virtual host config:
>
> >>         RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
> >>         RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
> >>         RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
>
> >> ...not sure why that section isn''t included in the
provided template
> >> (./ext/rack/files/apache2.conf) from the puppet sources
(I''m using
> >> v0.25.4), but adding them fixed things up for me. Note that I also
> >> don''t have an auth.conf file, and even if I add one and
take these
> >> lines out, I''m back to getting the "err: Could not
retrieve catalog
> >> from remote server: Error 403 on SERVER:" message. Hope that
helps!
>
> > Indeed this was the solution... thanks so much for your help!!
> > I''m agree it''s strange that those lines are not in
the provided
> > template...
> > Anyone know why?
>
> The documented suggestion -- though I agree it''s not on the wiki
page; once we resolve this question here I''d be happy to update
UsingPassenger this as I''ve just gone through it myself -- is to go at
it from the other direction. Instead of changing apache to match
puppet''s defaults, you tell puppet the names of the apache variables:
>
> (from ext/rack/README)
> Required puppet.conf settings:
>   [puppetmasterd]
>     ssl_client_header = SSL_CLIENT_S_DN
>     ssl_client_verify_header = SSL_CLIENT_VERIFY
>
> Then the required httpd.conf line is just
>   SSLOptions +StdEnvVars
>
> which *is* in the config file in the distribution.  
>
> I''m not enough of an expert to know whether one is preferable to
the other, though.  
>
> -=Eric

hum yes indeed it works fine in that way too. I though I already tried
that because I saw that in the documentation but I may have done
something else wrong at this moment...
Thanks Eric!

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Aha!  Fixes my problem too.  I knew if I procrastinated enough someone
would find an answer.  :-)

On Tue, Feb 9, 2010 at 2:54 AM, Christophe Bonnaud <takyon77@hotmail.com>
wrote:
> On Feb 9, 9:50 am, Eric Sorenson <ahp...@gmail.com> wrote:
>> On Feb 8, 2010, at 4:20 PM, Christophe Bonnaud wrote:
>>
>>
>>
>>
>>
>> >> I''ve seen the same thing with my setup...the solution
for me was to
>> >> put the "RequestHeader" lines found on the Puppet
Passenger wiki page
>> >> (http://www.reductivelabs.com/trac/puppet/wiki/UsingPassenger)
into my
>> >> Apache virtual host config:
>>
>> >>         RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
>> >>         RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
>> >>         RequestHeader set X-Client-Verify
%{SSL_CLIENT_VERIFY}e
>>
>> >> ...not sure why that section isn''t included in the
provided template
>> >> (./ext/rack/files/apache2.conf) from the puppet sources
(I''m using
>> >> v0.25.4), but adding them fixed things up for me. Note that I
also
>> >> don''t have an auth.conf file, and even if I add one
and take these
>> >> lines out, I''m back to getting the "err: Could
not retrieve catalog
>> >> from remote server: Error 403 on SERVER:" message. Hope
that helps!
>>
>> > Indeed this was the solution... thanks so much for your help!!
>> > I''m agree it''s strange that those lines are not
in the provided
>> > template...
>> > Anyone know why?
>>
>> The documented suggestion -- though I agree it''s not on the
wiki page; once we resolve this question here I''d be happy to update
UsingPassenger this as I''ve just gone through it myself -- is to go at
it from the other direction. Instead of changing apache to match
puppet''s defaults, you tell puppet the names of the apache variables:
>>
>> (from ext/rack/README)
>> Required puppet.conf settings:
>>   [puppetmasterd]
>>     ssl_client_header = SSL_CLIENT_S_DN
>>     ssl_client_verify_header = SSL_CLIENT_VERIFY
>>
>> Then the required httpd.conf line is just
>>   SSLOptions +StdEnvVars
>>
>> which *is* in the config file in the distribution.
>>
>> I''m not enough of an expert to know whether one is preferable
to the other, though.
>>
>> -=Eric
>
>
> hum yes indeed it works fine in that way too. I though I already tried
> that because I saw that in the documentation but I may have done
> something else wrong at this moment...
> Thanks Eric!
>
> --
> You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
> For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.