Christian
2010-Aug-11 17:28 UTC
[Puppet Users] Forbidden request: access to /certificate_revocation_list/ca failed
I have installed on the client and on the server puppet version 0.25.5.

The setup was successfully tested with Webrick server on the puppetserver. Afterwards I switched to passenger (2.2.11) and rack (1.0.1) on the server.

Puppetmaster starts successfully with an httpd start.

Making a certificate request works and signing on the server was also no problem. However afterwards following message appears.

/usr/sbin/puppetd --server icms-srv.gal.cst.cnes.fr --waitforcert 60 --test --debug --trace --verbose
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Puppet::Type::User::ProviderUser_role_add: file roledel does not exist
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
debug: Failed to load library 'ldap' for feature 'ldap'
debug: /File[/var/lib/puppet/client_yaml]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/clientbucket]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/ssl/certs/HOSTNAME.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/private_keys/HOSTNAME.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/state/graphs]: Autorequiring File[/var/lib/puppet/state]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/public_keys/HOSTNAME.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
debug: Finishing transaction -606761748 with 0 changes
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/private_keys/HOSTNAME.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/certs/HOSTNAME.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/ssl/public_keys/HOSTNAME.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: Finishing transaction -607024878 with 0 changes
debug: Using cached certificate for ca
debug: Using cached certificate for HOSTNAME
debug: Finishing transaction -607157058 with 0 changes
debug: Using cached certificate for ca
debug: Using cached certificate for HOSTNAME
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:55:in `deserialize'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:202:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:51:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:215:in `ssl_store'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:56:in `cert_setup'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:98:in `http_instance'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:65:in `network'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:202:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:51:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:208:in `retrieve_new_catalog'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:418:in `thinmark'
/usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
/usr/lib/ruby/1.8/benchmark.rb:307:in `realtime'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:417:in `thinmark'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:207:in `retrieve_new_catalog'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:104:in `retrieve_catalog'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:142:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent/locker.rb:21:in `lock'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
/usr/lib/ruby/1.8/sync.rb:229:in `synchronize'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:134:in `with_client'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:51:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application/puppetd.rb:103:in `onetime'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `send'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `run_command'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
/usr/sbin/puppetd:160
err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: HOSTNAME(IP_ADDRESSE) access to /certificate_revocation_list/ca [find] at line 0
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

It seems there are quite a lot of issues around those CA errors already available. However the most were related to older puppet versions and declared as fixed already.

Does somebody have an idea what is going wrong here?

Thanks a lot
Christian

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Brian Wong
2010-Aug-12 04:41 UTC
Re: [Puppet Users] Forbidden request: access to /certificate_revocation_list/ca failed
On Wed, Aug 11, 2010 at 1:28 PM, Christian <berwangerchristian@googlemail.com> wrote:
> I have installed on the client and on the server puppet version
> 0.25.5.
>
> The setup was successfully tested with Webrick server on the
> puppetserver. Afterwards I switched to passenger (2.2.11) and rack
> (1.0.1) on the server.
>
> Puppetmaster starts successfully with an httpd start.
>
> Making a certificate request works and signing on the server was also
> no problem. However afterwards following message appears.
>
> /usr/sbin/puppetd --server icms-srv.gal.cst.cnes.fr --waitforcert 60 --test --debug --trace --verbose

<snip>

> certificate_revocation_list/ca [find] at line 0
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
>
> It seems there are quite a lot of issues around those CA errors
> already available. However the most were related to older puppet
> versions and declared as fixed already.
>
> Does somebody have an idea what is going wrong here.
>
> Thanks a lot

Did you follow the directions at http://github.com/reductivelabs/puppet/tree/master/ext/rack ?

A snippet from the URI is

Required puppet.conf settings:
[puppetmasterd]
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

It seems like the authorization of the client isn't taking place. You might want to ensure you have the settings above on your puppet master.
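
The two settings quoted in the reply name the request environment variables from which the master reads the client certificate DN and the verification result. The Ruby below is an added example, not code from this thread or from Puppet's source: it models that lookup to show why a verified agent is still treated as unauthenticated when the settings are missing. The default header names, the [main]/[puppetmasterd] precedence, the function names and the sample environment are assumptions made for illustration.

```ruby
# Added illustration: a model of the header lookup, not Puppet's source code.
# Assumed defaults when puppet.conf does not override the header names.
DEFAULTS = {
  'ssl_client_header'        => 'HTTP_X_CLIENT_DN',
  'ssl_client_verify_header' => 'HTTP_X_CLIENT_VERIFY'
}.freeze

# Parse INI-style puppet.conf text into { section => { key => value } }.
def parse_puppet_conf(text)
  conf = Hash.new { |h, k| h[k] = {} }
  section = 'main'
  text.each_line do |line|
    line = line.sub(/#.*/, '').strip
    next if line.empty?
    if line =~ /\A\[(.+)\]\z/
      section = $1
    elsif line =~ /\A(\w+)\s*=\s*(.*)\z/
      conf[section][$1] = $2
    end
  end
  conf
end

# Effective header names for the master: [puppetmasterd] overrides [main]
# (assumed precedence), falling back to the defaults above.
def master_settings(conf)
  DEFAULTS.merge(conf['main'].select { |k, _| DEFAULTS.key?(k) })
          .merge(conf['puppetmasterd'].select { |k, _| DEFAULTS.key?(k) })
end

# Identify the client from the variables the web server placed in the Rack
# environment after it performed the TLS client-certificate verification.
def client_info(env, settings)
  dn = env[settings['ssl_client_header']]
  cn = dn && dn[/CN\s*=\s*([^\/,]+)/, 1]
  verified = env[settings['ssl_client_verify_header']] == 'SUCCESS'
  { node: cn, authenticated: !cn.nil? && verified }
end

# Constructed sample environment for an agent whose certificate verified.
SAMPLE_ENV = {
  'SSL_CLIENT_S_DN'   => '/CN=agent.example.test',
  'SSL_CLIENT_VERIFY' => 'SUCCESS'
}.freeze

# Constructed puppet.conf contents: with and without the required settings.
WITH_SETTINGS = "[puppetmasterd]\nssl_client_header = SSL_CLIENT_S_DN\n" \
                "ssl_client_verify_header = SSL_CLIENT_VERIFY\n"
WITHOUT_SETTINGS = "[main]\nvardir = /var/lib/puppet\n"
```

With `WITHOUT_SETTINGS` the model looks for the default header names, finds nothing in the environment, and reports the request as unauthenticated even though the web server verified the certificate.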