Jomo
2010-Jun-08 09:06 UTC
[Puppet Users] Nginx/Mongrel Could not retrieve catalog from remote server: Error 403 on SERVER
It works well when I use webrick. The config of nginx is from puppet wiki, some logs are below, what's wrong?

puppet version:0.25.4

client:
... ...
debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/state/state.yaml]: Changing mode
debug: /File[/var/lib/puppet/state/state.yaml]: 1 change(s)
debug: /File[/var/lib/puppet/state/state.yaml]/mode: mode changed '640' to '660'
debug: Finishing transaction -609821268 with 1 changes
debug: Using cached certificate for ca, good until Sat Jun 06 06:20:50 UTC 2015
debug: Using cached certificate for client, good until Sat Jun 06 07:57:22 UTC 2015
debug: Loaded state in 0.00 seconds
debug: Using cached certificate for ca, good until Sat Jun 06 06:20:50 UTC 2015
debug: Using cached certificate for client, good until Sat Jun 06 07:57:22 UTC 2015
debug: Using cached certificate_revocation_list for ca, good until
debug: catalog supports formats: b64_zlib_yaml marshal pson raw yaml; using pson
err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: client access to /catalog/client [find] at line 0
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

master:
... ...
debug: No modules mount given; autocreating with default permissions
debug: No path given for plugins mount; creating a special PluginMount
debug: Creating interpreter
debug: Finishing transaction -610695708 with 0 changes
debug: Finishing transaction -610697798 with 0 changes
info: Inserting default '~ ^/catalog/([^/]+)$'(auth) acl because /etc/puppet/auth.conf doesn't exist
info: Inserting default '/file'(non-auth) acl because /etc/puppet/auth.conf doesn't exist
info: Inserting default '/certificate_revocation_list/ca'(auth) acl because /etc/puppet/auth.conf doesn't exist
info: Inserting default '/report'(auth) acl because /etc/puppet/auth.conf doesn't exist
info: Inserting default '/certificate/ca'(non-auth) acl because /etc/puppet/auth.conf doesn't exist
info: Inserting default '/certificate/'(non-auth) acl because /etc/puppet/auth.conf doesn't exist
info: Inserting default '/certificate_request'(non-auth) acl because /etc/puppet/auth.conf doesn't exist
info: access[/]: defaulting to no access for client
warning: Denying access: Forbidden request: client access to /catalog/client[find] at line 0
/usr/lib/ruby/1.8/puppet/network/rights.rb:79:in `fail_on_deny'
/usr/lib/ruby/1.8/puppet/network/rest_authconfig.rb:36:in `allowed?'
/usr/lib/ruby/1.8/puppet/network/rest_authorization.rb:21:in `check_authorization'
/usr/lib/ruby/1.8/puppet/network/http/handler.rb:66:in `process'
/usr/lib/ruby/1.8/mongrel.rb:159:in `process_client'
/usr/lib/ruby/1.8/mongrel.rb:158:in `each'
/usr/lib/ruby/1.8/mongrel.rb:158:in `process_client'
/usr/lib/ruby/1.8/mongrel.rb:285:in `run'
/usr/lib/ruby/1.8/mongrel.rb:285:in `initialize'
/usr/lib/ruby/1.8/mongrel.rb:285:in `new'
/usr/lib/ruby/1.8/mongrel.rb:285:in `run'
/usr/lib/ruby/1.8/mongrel.rb:268:in `initialize'
/usr/lib/ruby/1.8/mongrel.rb:268:in `new'
/usr/lib/ruby/1.8/mongrel.rb:268:in `run'
/usr/lib/ruby/1.8/puppet/network/http/mongrel.rb:22:in `listen'
/usr/lib/ruby/1.8/puppet/network/server.rb:131:in `listen'
/usr/lib/ruby/1.8/puppet/network/server.rb:146:in `start'
/usr/lib/ruby/1.8/puppet/daemon.rb:128:in `start'
/usr/lib/ruby/1.8/puppet/application/puppetmasterd.rb:122:in `main'
/usr/lib/ruby/1.8/puppet/application.rb:226:in `send'
/usr/lib/ruby/1.8/puppet/application.rb:226:in `run_command'
/usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
/usr/lib/ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
/usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
/usr/sbin/puppetmasterd:66
err: Forbidden request: client access to /catalog/client [find] at line 0

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Dan Carley
2010-Jun-08 16:01 UTC
Re: [Puppet Users] Nginx/Mongrel Could not retrieve catalog from remote server: Error 403 on SERVER
On 8 June 2010 10:06, Jomo <zhanght@gmail.com> wrote:
> It works well when I use webrick. The config of nginx is from puppet
> wiki, some logs are below, what's wrong?

I suspect that it relates to the use of HTTP headers and Puppet not knowing who the client is from its certificate.

The wiki documentation assumes that you're launching puppetmasterd with the argument `--ssl_client_header=HTTP_X_SSL_SUBJECT`. It does so in order to maintain configuration compatibility with Pound. But personally, I don't use Pound and prefer to keep Puppet as vanilla as possible. The following (exclusive) `proxy_set_header` directives work fine under for me:

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Client_DN $ssl_client_s_dn;
    proxy_set_header X-Client-Verify $ssl_client_verify;

You don't mention what version of Nginx you're using. They'll need adjusting suitably for <0.8.x
Nicolas Szalay
2010-Jun-08 16:57 UTC
Re: [Puppet Users] Nginx/Mongrel Could not retrieve catalog from remote server: Error 403 on SERVER
----- "Dan Carley" <dan.carley@gmail.com> wrote:
| On 8 June 2010 10:06, Jomo < zhanght@gmail.com > wrote:
|
| It works well when I use webrick. The config of nginx is from puppet
| wiki, some logs are below, what's wrong?
|
| I suspect that it relates to the use of HTTP headers and Puppet not
| knowing who the client is from its certificate.
|
| The wiki documentation assumes that you're launching puppetmasterd
| with the argument `--ssl_client_header=HTTP_X_SSL_SUBJECT`. It does so
| in order to maintain configuration compatibility with Pound. But
| personally, I don't use Pound and prefer to keep Puppet as vanilla as
| possible. The following (exclusive) `proxy_set_header` directives work
| fine under for me:
|
| proxy_set_header Host $host;
| proxy_set_header X-Real-IP $remote_addr;
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
| proxy_set_header X-Client_DN $ssl_client_s_dn;
| proxy_set_header X-Client-Verify $ssl_client_verify;
|
| You don't mention what version of Nginx you're using. They'll need
| adjusting suitably for <0.8.x

I also allow 127.0.0.1 in fileserver.conf (puppetmaster sees connection from localhost, due to nginx proxying)

Nico.
Jomo
2010-Jun-09 02:21 UTC
[Puppet Users] Re: Nginx/Mongrel Could not retrieve catalog from remote server: Error 403 on SERVER
It works for me too, thank you. It should be added to the wiki.

btw, my nginx is 0.8.29.

On June 9, 12:01 AM, Dan Carley <dan.car...@gmail.com> wrote:
> On 8 June 2010 10:06, Jomo <zhan...@gmail.com> wrote:
>
> > It works well when I use webrick. The config of nginx is from puppet
> > wiki, some logs are below, what's wrong?
>
> I suspect that it relates to the use of HTTP headers and Puppet not knowing
> who the client is from its certificate.
>
> The wiki documentation assumes that you're launching puppetmasterd with the
> argument `--ssl_client_header=HTTP_X_SSL_SUBJECT`. It does so in order to
> maintain configuration compatibility with Pound. But personally, I don't use
> Pound and prefer to keep Puppet as vanilla as possible. The following
> (exclusive) `proxy_set_header` directives work fine under for me:
>
> proxy_set_header Host $host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> proxy_set_header X-Client_DN $ssl_client_s_dn;
> proxy_set_header X-Client-Verify $ssl_client_verify;
>
> You don't mention what version of Nginx you're using. They'll need adjusting
> suitably for <0.8.x
Jomo
2010-Jun-10 03:22 UTC
[Puppet Users] Re: Nginx/Mongrel Could not retrieve catalog from remote server: Error 403 on SERVER
wiki is right, I forgot this:

    ssl_client_header = HTTP_X_SSL_SUBJECT

On June 9, 10:21 AM, Jomo <zhan...@gmail.com> wrote:
> It works for me too, thank you.
> It should be added to the wiki.
>
> btw, my nginx is 0.8.29.
>
> On June 9, 12:01 AM, Dan Carley <dan.car...@gmail.com> wrote:
>
> > On 8 June 2010 10:06, Jomo <zhan...@gmail.com> wrote:
>
> > > It works well when I use webrick. The config of nginx is from puppet
> > > wiki, some logs are below, what's wrong?
>
> > I suspect that it relates to the use of HTTP headers and Puppet not knowing
> > who the client is from its certificate.
>
> > The wiki documentation assumes that you're launching puppetmasterd with the
> > argument `--ssl_client_header=HTTP_X_SSL_SUBJECT`. It does so in order to
> > maintain configuration compatibility with Pound. But personally, I don't use
> > Pound and prefer to keep Puppet as vanilla as possible. The following
> > (exclusive) `proxy_set_header` directives work fine under for me:
>
> > proxy_set_header Host $host;
> > proxy_set_header X-Real-IP $remote_addr;
> > proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> > proxy_set_header X-Client_DN $ssl_client_s_dn;
> > proxy_set_header X-Client-Verify $ssl_client_verify;
>
> > You don't mention what version of Nginx you're using. They'll need adjusting
> > suitably for <0.8.x
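
Why the catalog request in this thread was refused when the header set by the proxy and the master's `ssl_client_header` disagree, as an added Ruby sketch (not part of the thread and not Puppet's source code). Assumptions: the master reads the subject DN from the configured header, takes the CN as the node name, and treats the client as authenticated only when the verify header equals SUCCESS; the `X-SSL-Subject` header name is inferred from the `HTTP_X_SSL_SUBJECT` setting, the default setting names `HTTP_X_CLIENT_DN` and `HTTP_X_CLIENT_VERIFY`, the sample DN `/CN=client`, and every function name are illustrative.

```ruby
# Added illustration: a simplified model, not Puppet's source code.
# Mongrel exposes request headers CGI-style: "X-Client-DN" -> "HTTP_X_CLIENT_DN".
def cgi_key(header)
  "HTTP_" + header.upcase.tr("-", "_")
end

# Params the master sees for a request that nginx proxied from localhost.
def proxied(headers)
  headers.each_with_object({ "REMOTE_ADDR" => "127.0.0.1" }) { |(k, v), p| p[cgi_key(k)] = v }
end

# Assumed lookup: DN from the configured header, CN as node name, authenticated
# only if the verify header says SUCCESS. No DN means an unauthenticated client.
def client_info(params, settings)
  dn = params[settings[:ssl_client_header]]
  if dn && (m = dn.match(/^.*?CN\s*=\s*(.*)/))
    { node: m[1], authenticated: params[settings[:ssl_client_verify_header]] == "SUCCESS" }
  else
    { node: params["REMOTE_ADDR"], authenticated: false }
  end
end

# Default ACLs listed in the master log: [path pattern, authentication required].
DEFAULT_ACLS = [
  [%r{^/catalog/([^/]+)$}, true], [%r{^/file}, false],
  [%r{^/certificate_revocation_list/ca}, true], [%r{^/report}, true],
  [%r{^/certificate/ca}, false], [%r{^/certificate/}, false],
  [%r{^/certificate_request}, false]
].freeze

# 200 if some ACL admits the request, else the "defaulting to no access" 403.
def status_for(headers, settings, path)
  info = client_info(proxied(headers), settings)
  admitted = DEFAULT_ACLS.any? { |pat, auth| path =~ pat && (!auth || info[:authenticated]) }
  admitted ? 200 : 403
end

# Constructed inputs (header values are samples, not taken from the thread).
DEFAULT_SETTINGS = { ssl_client_header: "HTTP_X_CLIENT_DN",
                     ssl_client_verify_header: "HTTP_X_CLIENT_VERIFY" }.freeze
WIKI_SETTINGS = DEFAULT_SETTINGS.merge(ssl_client_header: "HTTP_X_SSL_SUBJECT").freeze
WIKI_HEADERS = { "X-SSL-Subject" => "/CN=client", "X-Client-Verify" => "SUCCESS" }.freeze
REPLY_HEADERS = { "X-Client_DN" => "/CN=client", "X-Client-Verify" => "SUCCESS" }.freeze

if __FILE__ == $PROGRAM_NAME
  puts status_for(WIKI_HEADERS, DEFAULT_SETTINGS, "/catalog/client")  # setting forgotten
  puts status_for(WIKI_HEADERS, WIKI_SETTINGS, "/catalog/client")     # wiki setup complete
  puts status_for(REPLY_HEADERS, DEFAULT_SETTINGS, "/catalog/client") # headers from the reply
end
```

Since the master takes the client identity from these headers, the Mongrel listener should accept connections only from the proxy.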