Sven Schott
2010-Aug-18 00:59 UTC
[Puppet Users] auth.conf in puppet 2.6 with Apache + Passenger
Hi everyone

I'm having a problem with a clean install of puppet (2.6.0) on a Mac server (Mac OS 10.5.8). I set up puppet initially with MySQL and the puppetmaster standalone (Webrick) and that works fine. Clients can connect and there are no problems. But when I configured it to use Apache and Passenger, the client responds that the request is forbidden.

err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: XXX.XXX.XXX(xx.xx.xx.xx) access to /catalog/XXX.XXX.XXX[find] at line 97

So after going through the mailing lists and Google I've found that the auth.conf file is the problem. I have stock standard auth.conf which looks like this:

http://pastie.org/1098939

And yes, adding auth no to the first four methods does make it work, but I know that's not the problem (or the solution). Am I missing something? Is it a bug or PEBKAC?

Some of the relevant puppet.conf entries

    vardir = /var/lib/puppet
    confdir = /etc/puppet
    puppetdlog = '$logdir/puppetd.log'
    logdir = '$vardir/log'
    rest_authconfig = '$confdir/auth.conf'
    masterlog = '$logdir/puppetmaster.log'

The Gem versions I am using:

    facter (1.5.7)
    mongrel (1.1.5)
    passenger (2.2.15)
    puppet (2.6.0)
    rack (1.2.1, 1.1.0)
    ruby-mysql (2.9.3)

The backtrace on the server is:

http://pastie.org/1098964

Ruby version is : ruby 1.8.7 (2009-06-12 patchlevel 174)

Virtualhost entry in apache looks like this:

http://pastie.org/1098973

and the config.ru file looks like this:

http://pastie.org/1098974

The client and server certs are fine (standalone works fine) and there are no connectivity problems between the client and server.

Anyone seen this or have any ideas? Any help would be greatly appreciated.

Regards

Sven Schott

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Patrick Mohr
2010-Aug-18 03:19 UTC
Re: [Puppet Users] auth.conf in puppet 2.6 with Apache + Passenger
I think you might have missed this bit:

Setup your puppet.conf

Make sure you have the following set in your puppetmaster's puppet.conf:

    [puppetmasterd]
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY
Sven Schott
2010-Aug-18 04:51 UTC
Re: [Puppet Users] auth.conf in puppet 2.6 with Apache + Passenger
The config file said those were only used with mongrel so I didn't uncomment them. However, after fiddling for a while I found that I had missed the exact same thing on the apache virtual hosts config. The following lines were missing:

    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

which *are* in the instructions on the puppet wiki but not on the instructions I had. Once I added that to the virtual hosts config, everything went peachy. Thanks for the reply anyways. I appreciate it.
Patrick Mohr
2010-Aug-18 08:28 UTC
Re: [Puppet Users] auth.conf in puppet 2.6 with Apache + Passenger
On Aug 17, 2010, at 9:51 PM, Sven Schott wrote:

> The config file said those were only used with mongrel so I didn't uncomment them. However, after fiddling for a while I found that I had missed the exact same thing on the apache virtual hosts config. The following lines were missing:
>
> RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
> RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
> RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
>
> which are in the instructions on the puppet wiki but not on the instructions I had. Once I added that to the virtual hosts config, everything went peachy. Thanks for the reply anyways. I appreciate it.

That's half true. Basically, apache and puppet use different header names for the same thing by default, so you can either tell apache to name them differently, or tell puppet to look for a different header.
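Added example (not part of the thread and not Puppet's own code): a simplified Ruby model of the name mismatch described in the message above, showing why the default lookup finds no certificate identity behind Apache and why either fix resolves it. The default setting values, the assumption that mod_ssl variables reach the Rack environment under their own names, the DN-parsing regex and the sample DN are assumptions made for this illustration.

```ruby
# Simplified model of certificate-identity lookup behind Apache + Passenger.
# An illustration only, not Puppet's source; hostnames and DNs are constructed.

# Setting names are from the thread; the default values are stated from memory
# of Puppet's defaults (an assumption) and should be checked for your version.
PUPPET_DEFAULTS = {
  'ssl_client_header'        => 'HTTP_X_CLIENT_DN',
  'ssl_client_verify_header' => 'HTTP_X_CLIENT_VERIFY'
}.freeze

# The three vhost lines from the thread: header name => mod_ssl variable.
VHOST_REQUEST_HEADERS = {
  'X-SSL-Subject'   => 'SSL_CLIENT_S_DN',
  'X-Client-DN'     => 'SSL_CLIENT_S_DN',
  'X-Client-Verify' => 'SSL_CLIENT_VERIFY'
}.freeze

# Build the Rack environment the master sees. mod_ssl variables are assumed to
# arrive under their own names; request headers arrive as HTTP_<NAME> with '-'
# turned into '_'. `RequestHeader set` replaces any value of the same name that
# came in with the request, so the value read later always comes from mod_ssl.
def rack_env(mod_ssl_vars, incoming_headers = {}, request_header_set = {})
  headers = incoming_headers.dup
  request_header_set.each { |name, var| headers[name] = mod_ssl_vars[var].to_s }
  env = mod_ssl_vars.dup
  headers.each { |name, value| env["HTTP_#{name.upcase.tr('-', '_')}"] = value }
  env
end

# Read node name and verification result from whichever keys are configured.
def client_info(env, settings = PUPPET_DEFAULTS)
  dn = env[settings['ssl_client_header']]
  match = dn && dn.match(/CN\s*=\s*([^\/,]+)/)
  return { node: nil, authenticated: false } unless match
  verified = env[settings['ssl_client_verify_header']] == 'SUCCESS'
  { node: match[1], authenticated: verified }
end

# Constructed values standing in for what mod_ssl exports after a handshake.
MOD_SSL = { 'SSL_CLIENT_S_DN'   => '/CN=agent01.example.test',
            'SSL_CLIENT_VERIFY' => 'SUCCESS' }.freeze

# 1. No RequestHeader lines, default settings: identity is never found (403).
broken = client_info(rack_env(MOD_SSL))
# 2. Sven's fix: Apache copies the mod_ssl values into the expected headers.
via_apache = client_info(rack_env(MOD_SSL, {}, VHOST_REQUEST_HEADERS))
# 3. Patrick's fix: puppet.conf points at the mod_ssl variable names instead.
via_puppet = client_info(rack_env(MOD_SSL),
                         'ssl_client_header'        => 'SSL_CLIENT_S_DN',
                         'ssl_client_verify_header' => 'SSL_CLIENT_VERIFY')
puts broken.inspect, via_apache.inspect, via_puppet.inspect
```

Whichever side is changed, the two names have to agree, and the values should only ever be populated by the TLS-terminating server.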
Sven Schott
2010-Aug-18 12:00 UTC
Re: [Puppet Users] auth.conf in puppet 2.6 with Apache + Passenger
Ah, cool. That kind of information is good to know. I have to redo all this anyway (this is our dev build) so under the hood info is great. Thanks again!