Puppet users - Aug 2010 - Forbidden request: HOSTNAME(IP_ADDRESSE) access to / certificate_revocation_list/ca

I have installed on the client and on the server puppet version
0.25.5.

The setup was successfully tested with Webrick server on the
puppetserver. Afterwards i switched to passenger (2.2.11) and rack
(1.0.1) on the server.

Puppetmaster starts successfully with an httpd start.

Making a certificate request works and signing on the server was also
no problem. However afterwards following message appears.

/usr/sbin/puppetd --server <SERVER_NAME> --waitforcert 60 --
test --debug --trace --verbose
debug: Puppet::Type::User::ProviderLdap: true value when expecting
false
debug: Puppet::Type::User::ProviderUser_role_add: file roledel does
not exist
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/
dscl does not exist
debug: Failed to load library ''ldap'' for feature
''ldap''
debug: /File[/var/lib/puppet/client_yaml]: Autorequiring File[/var/
lib/
puppet]
debug: /File[/var/lib/puppet/clientbucket]: Autorequiring File[/var/
lib/puppet]
debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/
puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/
var/lib/puppet/ssl]
debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/ssl/certs/HOSTNAME.pem]: Autorequiring
File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/
var/
lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/
puppet]
debug: /File[/var/lib/puppet/ssl/private_keys/HOSTNAME.pem]:
Autorequiring File[/var/lib/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/state/graphs]: Autorequiring File[/var/
lib/puppet/state]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/
puppet]
debug: /File[/var/lib/puppet/ssl/public_keys/HOSTNAME.pem]:
Autorequiring File[/var/lib/puppet/ssl/public_keys]
debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/
var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring
File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/
lib/
puppet/ssl]
debug: Finishing transaction -606761748 with 0 changes
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/
puppet]
debug: /File[/var/lib/puppet/ssl/private_keys/HOSTNAME.pem]:
Autorequiring File[/var/lib/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/
var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/
var/
lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/certs/HOSTNAME.pem]: Autorequiring
File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/ssl/public_keys/HOSTNAME.pem]:
Autorequiring File[/var/lib/puppet/ssl/public_keys]
debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring
File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/
lib/
puppet/ssl]
debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/
puppet/ssl]
debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/
var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/
puppet]
debug: Finishing transaction -607024878 with 0 changes
debug: Using cached certificate for ca
debug: Using cached certificate for HOSTNAME
debug: Finishing transaction -607157058 with 0 changes
debug: Using cached certificate for ca
debug: Using cached certificate for HOSTNAME
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:55:in
`deserialize''
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find''
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:202:in
`find''
/usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:51:in `find''
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:215:in `ssl_store''
/usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:56:in
`cert_setup''
/usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:98:in
`http_instance''
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:65:in `network''
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find''
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:202:in
`find''
/usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:51:in `find''
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:208:in
`retrieve_new_catalog''
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:418:in `thinmark''
/usr/lib/ruby/1.8/benchmark.rb:293:in `measure''
/usr/lib/ruby/1.8/benchmark.rb:307:in `realtime''
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:417:in `thinmark''
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:207:in
`retrieve_new_catalog''
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:104:in
`retrieve_catalog''
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:142:in `run''
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run''
/usr/lib/ruby/site_ruby/1.8/puppet/agent/locker.rb:21:in `lock''
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run''
/usr/lib/ruby/1.8/sync.rb:229:in `synchronize''
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run''
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:134:in `with_client''
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:51:in `run''
/usr/lib/ruby/site_ruby/1.8/puppet/application/puppetd.rb:103:in
`onetime''
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `send''
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `run_command''
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run''
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:306:in
`exit_on_fail''
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run''
/usr/sbin/puppetd:160
err: Could not retrieve catalog from remote server: Error 403 on
SERVER: Forbidden request: HOSTNAME(IP_ADDRESSE) access to /
certificate_revocation_list/ca [find] at line 0
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

I set the required puppet.conf settings:
  [puppetmasterd]
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY

It seems there are quite a lot of issues around those CA errors
already available. However the most were related to older puppet
versions and declared as fixed already.

Does somebody have an idea what is going wrong here.

Thanks a lot

Christian

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Thu, Aug 12, 2010 at 8:38 AM, Christian
<berwangerchristian@googlemail.com> wrote:
> I have installed on the client and on the server puppet version
> 0.25.5.
>
> The setup was successfully tested with Webrick server on the
> puppetserver. Afterwards i switched to passenger (2.2.11) and rack
> (1.0.1) on the server.
>
> Puppetmaster starts successfully with an httpd start.
>
> Making a certificate request works and signing on the server was also
> no problem. However afterwards following message appears.
>
> /usr/sbin/puppetd --server <SERVER_NAME> --waitforcert 60 --
> test --debug --trace --verbose
<snip>
> err: Could not retrieve catalog from remote server: Error 403 on
> SERVER: Forbidden request: HOSTNAME(IP_ADDRESSE) access to /
> certificate_revocation_list/ca [find] at line 0
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
>
> I set the required puppet.conf settings:
>  [puppetmasterd]
>    ssl_client_header = SSL_CLIENT_S_DN
>    ssl_client_verify_header = SSL_CLIENT_VERIFY
>
> It seems there are quite a lot of issues around those CA errors
> already available. However the most were related to older puppet
> versions and declared as fixed already.
>
> Does somebody have an idea what is going wrong here.
>
> Thanks a lot
>
> Christian
>
> --
> You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
> For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
>
>
 Did you modify your auth.conf?
Look at your auth.conf and put the following lines near the beginning
of the file to ensure that it gets evaluated first:

path /
auth no
allow *

If it works, then you can be sure it is some permission or
authorization problem.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

>  Did you modify your auth.conf?
> Look at your auth.conf and put the following lines near the beginning
> of the file to ensure that it gets evaluated first:
>
> path /
> auth no
> allow *
>
> If it works, then you can be sure it is some permission or
> authorization problem.
I''m having the same issue (definitely auth.conf) but I don''t
see why
it works under webrick. It''s only under passenger that it barfs. Is
that the expected behaviour? Mine works fine if I "auth no" to all my
methods but that sort of defeats the purpose of the security methods.
If it is a permission or authorisation problem, what could it be? I
have a clean build with new certs; all works as expected when
puppetmasterd is run (client connects and is authorised). My auth.conf
file currently looks like this - http://pastie.org/1089444

Sven

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Hello Brian,

I haven''t changed my auth.conf.
I''ve put these lines into my auth.conf. Unfortunatilly this also seems
not to work. It reports the same error as before.

The only thing i have changed is the folder where the auth.conf is
located. The path name in the puppet.conf points to the right file.

Any other ideas?

When i run in the webbrowser https://<SERVER_NAME>:8140 I''m
getting
following message:

"The environment mus be purely alphanumeric, ''''". Is
it an problem not
to have an environment defined?

Christian



-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Aug 13, 2010, at 7:22 AM, Christian wrote:
> When i run in the webbrowser https://<SERVER_NAME>:8140 I''m
getting
> following message:
> 
> "The environment mus be purely alphanumeric,
''''". Is it an problem not
> to have an environment defined?
My working puppetmaster gives the same error.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Hi guys,

sorry for the late answer but i was on vacation...

I tried all your suggestions (setting auth to no) but i''m still
getting the same wrong behaviour. Has anybody an idea how to progress
here?
I also have the feeling that there are less people having a proper
puppet passenger installation in use although passenger is described
as  the recommended way to scale puppet. However it seems that the
most successfull running setups are using Mongrel. If I can''t get it
run with passenger i would give Mongrel a chance.

What is the better option for around only 50 nodes?



-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.