Christian
2010-Aug-12 12:38 UTC
[Puppet Users] Forbidden request: HOSTNAME(IP_ADDRESSE) access to / certificate_revocation_list/ca
I have installed on the client and on the server puppet version 0.25.5.

The setup was successfully tested with Webrick server on the puppetserver. Afterwards I switched to passenger (2.2.11) and rack (1.0.1) on the server.

Puppetmaster starts successfully with an httpd start.

Making a certificate request works and signing on the server was also no problem. However afterwards following message appears.

/usr/sbin/puppetd --server <SERVER_NAME> --waitforcert 60 --test --debug --trace --verbose
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Puppet::Type::User::ProviderUser_role_add: file roledel does not exist
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
debug: Failed to load library 'ldap' for feature 'ldap'
debug: /File[/var/lib/puppet/client_yaml]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/clientbucket]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/ssl/certs/HOSTNAME.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/private_keys/HOSTNAME.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/state/graphs]: Autorequiring File[/var/lib/puppet/state]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/public_keys/HOSTNAME.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
debug: Finishing transaction -606761748 with 0 changes
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/private_keys/HOSTNAME.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/certs/HOSTNAME.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/ssl/public_keys/HOSTNAME.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: Finishing transaction -607024878 with 0 changes
debug: Using cached certificate for ca
debug: Using cached certificate for HOSTNAME
debug: Finishing transaction -607157058 with 0 changes
debug: Using cached certificate for ca
debug: Using cached certificate for HOSTNAME
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:55:in `deserialize'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:202:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:51:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:215:in `ssl_store'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:56:in `cert_setup'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:98:in `http_instance'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:65:in `network'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:202:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:51:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:208:in `retrieve_new_catalog'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:418:in `thinmark'
/usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
/usr/lib/ruby/1.8/benchmark.rb:307:in `realtime'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:417:in `thinmark'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:207:in `retrieve_new_catalog'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:104:in `retrieve_catalog'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:142:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent/locker.rb:21:in `lock'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
/usr/lib/ruby/1.8/sync.rb:229:in `synchronize'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:134:in `with_client'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:51:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application/puppetd.rb:103:in `onetime'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `send'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `run_command'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
/usr/sbin/puppetd:160
err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: HOSTNAME(IP_ADDRESSE) access to /certificate_revocation_list/ca [find] at line 0
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

I set the required puppet.conf settings:
[puppetmasterd]
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

It seems there are quite a lot of issues around those CA errors already available. However the most were related to older puppet versions and declared as fixed already.

Does somebody have an idea what is going wrong here?

Thanks a lot

Christian

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Brian Wong
2010-Aug-12 17:21 UTC
Re: [Puppet Users] Forbidden request: HOSTNAME(IP_ADDRESSE) access to / certificate_revocation_list/ca
On Thu, Aug 12, 2010 at 8:38 AM, Christian <berwangerchristian@googlemail.com> wrote:
> I have installed on the client and on the server puppet version
> 0.25.5.
>
> The setup was successfully tested with Webrick server on the
> puppetserver. Afterwards I switched to passenger (2.2.11) and rack
> (1.0.1) on the server.
>
> Puppetmaster starts successfully with an httpd start.
>
> Making a certificate request works and signing on the server was also
> no problem. However afterwards following message appears.
>
> /usr/sbin/puppetd --server <SERVER_NAME> --waitforcert 60 --
> test --debug --trace --verbose

<snip>

> err: Could not retrieve catalog from remote server: Error 403 on
> SERVER: Forbidden request: HOSTNAME(IP_ADDRESSE) access to /
> certificate_revocation_list/ca [find] at line 0
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
>
> I set the required puppet.conf settings:
> [puppetmasterd]
> ssl_client_header = SSL_CLIENT_S_DN
> ssl_client_verify_header = SSL_CLIENT_VERIFY
>
> It seems there are quite a lot of issues around those CA errors
> already available. However the most were related to older puppet
> versions and declared as fixed already.
>
> Does somebody have an idea what is going wrong here.
>
> Thanks a lot
>
> Christian

Did you modify your auth.conf?
Look at your auth.conf and put the following lines near the beginning of the file to ensure that it gets evaluated first:

path /
auth no
allow *

If it works, then you can be sure it is some permission or authorization problem.
genericpenguin
2010-Aug-13 00:06 UTC
[Puppet Users] Re: Forbidden request: HOSTNAME(IP_ADDRESSE) access to / certificate_revocation_list/ca
> Did you modify your auth.conf?
> Look at your auth.conf and put the following lines near the beginning
> of the file to ensure that it gets evaluated first:
>
> path /
> auth no
> allow *
>
> If it works, then you can be sure it is some permission or
> authorization problem.

I'm having the same issue (definitely auth.conf) but I don't see why it works under webrick. It's only under passenger that it barfs. Is that the expected behaviour?

Mine works fine if I "auth no" to all my methods but that sort of defeats the purpose of the security methods.

If it is a permission or authorisation problem, what could it be? I have a clean build with new certs; all works as expected when puppetmasterd is run (client connects and is authorised).

My auth.conf file currently looks like this - http://pastie.org/1089444

Sven
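Added illustration, not part of the thread and not Puppet's source code: a simplified Ruby model of how a Rack-hosted master could derive the client's identity from the two environment keys named in the puppet.conf settings above and then evaluate auth.conf-style rules, to show what the `path /` / `auth no` / `allow *` stanza changes. The first-match rule semantics, the rule sets, the host names and the address are assumptions constructed for the example.

```ruby
# Added illustration: a simplified model, not Puppet source code.
Rule = Struct.new(:path, :auth, :methods, :allow)

# Derive node name and authenticated flag from the CGI-style environment the
# web server hands to the Rack application. The two keys are the values of
# ssl_client_header and ssl_client_verify_header quoted in the thread.
def client_info(env, ip)
  dn = env["SSL_CLIENT_S_DN"]
  if dn && (m = dn.match(/CN\s*=\s*([^\/,]+)/))
    { :node => m[1], :authenticated => env["SSL_CLIENT_VERIFY"] == "SUCCESS" }
  else
    { :node => ip, :authenticated => false }
  end
end

# Assumed semantics: the first rule whose path prefix, method and auth flag
# all fit the request decides; when no rule fits, the request is refused.
def authorize(rules, client, method, path)
  rule = rules.find do |r|
    path.start_with?(r.path) && r.methods.include?(method) &&
      r.auth == client[:authenticated]
  end
  allowed = rule && (rule.allow.include?("*") || rule.allow.include?(client[:node]))
  allowed ? 200 : 403
end

CRL = "/certificate_revocation_list/ca"
ALL_METHODS = [:find, :search, :save, :destroy]

# Constructed rule sets. SCOPED serves the CRL to verified clients only.
SCOPED = [Rule.new(CRL, true, [:find], ["*"])]
# The diagnostic stanza from the thread (path / auth no allow *) placed first.
WIDE_OPEN = [Rule.new("/", false, ALL_METHODS, ["*"])] + SCOPED

# Constructed environments: one with the SSL variables set, one without them.
VERIFIED = { "SSL_CLIENT_S_DN" => "/CN=agent01.example.com",
             "SSL_CLIENT_VERIFY" => "SUCCESS" }
NO_SSL_VARS = {}

def demo
  known = client_info(VERIFIED, "192.0.2.10")
  anon = client_info(NO_SSL_VARS, "192.0.2.10")
  other = "/catalog/other-node.example.com"
  { :known_scoped => authorize(SCOPED, known, :find, CRL),
    :anon_scoped => authorize(SCOPED, anon, :find, CRL),
    :anon_wide_crl => authorize(WIDE_OPEN, anon, :find, CRL),
    :anon_wide_catalog => authorize(WIDE_OPEN, anon, :find, other) }
end
p demo if __FILE__ == $0
```

In the model the diagnostic stanza answers 200 for another node's catalog path as well as for the CRL, so it is useful for confirming an authorization problem and not as a lasting setting.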
Christian
2010-Aug-13 14:22 UTC
[Puppet Users] Re: Forbidden request: HOSTNAME(IP_ADDRESSE) access to / certificate_revocation_list/ca
Hello Brian,

I haven't changed my auth.conf. I've put these lines into my auth.conf. Unfortunately this also seems not to work. It reports the same error as before.

The only thing I have changed is the folder where the auth.conf is located. The path name in the puppet.conf points to the right file.

Any other ideas?

When I run in the webbrowser https://<SERVER_NAME>:8140 I'm getting following message:

"The environment mus be purely alphanumeric, ''". Is it a problem not to have an environment defined?

Christian
Patrick Mohr
2010-Aug-13 17:33 UTC
Re: [Puppet Users] Re: Forbidden request: HOSTNAME(IP_ADDRESSE) access to / certificate_revocation_list/ca
On Aug 13, 2010, at 7:22 AM, Christian wrote:
> When I run in the webbrowser https://<SERVER_NAME>:8140 I'm getting
> following message:
>
> "The environment mus be purely alphanumeric, ''". Is it an problem not
> to have an environment defined?

My working puppetmaster gives the same error.
Christian
2010-Aug-25 08:40 UTC
[Puppet Users] Re: Forbidden request: HOSTNAME(IP_ADDRESSE) access to / certificate_revocation_list/ca
Hi guys,

sorry for the late answer but I was on vacation...

I tried all your suggestions (setting auth to no) but I'm still getting the same wrong behaviour. Has anybody an idea how to progress here?

I also have the feeling that there are less people having a proper puppet passenger installation in use although passenger is described as the recommended way to scale puppet. However it seems that the most successful running setups are using Mongrel.

If I can't get it run with passenger I would give Mongrel a chance. What is the better option for around only 50 nodes?