linuxbsdfreak
2011-Feb-14 16:06 UTC
[Puppet Users] Splitting PuppetMaster from PuppetCA config help
Hello All,
I am running puppetmaster with nginx and unicorn. I am trying to split
puppet master from the Puppet CA. The puppetCA is running well with
the following nginx config:
user nginx;
worker_processes 10;
worker_rlimit_nofile 100000;
error_log /var/log/nginx/error.log debug;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
use epoll;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main ''$remote_addr - $remote_user [$time_local]
"$request" ''
''$status $body_bytes_sent
"$http_referer" ''
''"$http_user_agent"
"$http_x_forwarded_for"'';
access_log /var/log/nginx/access.log main;
sendfile on;
# These are good default values.
tcp_nopush on;
tcp_nodelay off;
server_tokens off;
# output compression saves bandwidth
gzip on;
gzip_http_version 1.1;
gzip_proxied any;
gzip_static on;
gzip_comp_level 5;
gzip_min_length 500;
gzip_types text/plain text/xml text/css text/comma-separated-
values text/javascript application/x-javascript application/atom+xml;
keepalive_timeout 65;
server {
listen IPaddr:8140;
server_name haproxy01;
ssl on;
ssl_session_timeout 5m;
ssl_certificate /var/lib/puppet/ssl/certs/haproxy01.pem;
ssl_certificate_key /var/lib/puppet/ssl/private_keys/
haproxy01.pem;
ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
ssl_verify_client optional;
ssl_verify_depth 1;
root /etc/puppet;
proxy_set_header Host $host;
proxy_set_header X-Client-DN $ssl_client_s_dn;
proxy_set_header X-Client-Verify $ssl_client_verify;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
proxy_buffer_size 16k;
proxy_buffers 8 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_read_timeout 65;
location / {
proxy_pass http://<IPofserver>:8141; ----> Running unicorn
on port 8141
proxy_redirect off;
}
}
}
Puppet.conf
--------------------
[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
server = haproxy01
[master]
autosign = false
ssl_client_header = HTTP_X_CLIENT_DN
ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
certname = haproxy01
ca = true
Now the main puppetmaster for serving the manifests has the following
configuration:
user nginx;
worker_processes 10;
worker_rlimit_nofile 100000;
error_log /var/log/nginx/error.log info;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
use epoll;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main ''$remote_addr - $remote_user [$time_local]
"$request" ''
''$status $body_bytes_sent
"$http_referer" ''
''"$http_user_agent"
"$http_x_forwarded_for"'';
access_log /var/log/nginx/access.log main;
sendfile on;
# These are good default values.
tcp_nopush on;
tcp_nodelay off;
server_tokens off;
# output compression saves bandwidth
gzip on;
gzip_http_version 1.1;
gzip_proxied any;
gzip_static on;
gzip_comp_level 5;
gzip_min_length 500;
gzip_types text/plain text/xml text/css text/comma-separated-
values text/javascript application/x-javascript application/atom+xml;
keepalive_timeout 65;
server {
listen ipaddr:8140;
server_name pserver01;
ssl on;
ssl_session_timeout 5m;
ssl_certificate /var/lib/puppet/ssl/certs/pserver01.pem;
ssl_certificate_key /var/lib/puppet/ssl/private_keys/
pserver01.pem;
#ssl_client_certificate /var/lib/puppet/ssl/ca/ca_crt.pem;
ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
#ssl_verify_client optional;
ssl_verify_depth 1;
root /etc/puppet;
# make sure we serve everything as raw
types { }
default_type application/x-raw;
# serve static file for the [files] mountpoint
location /production/file_content/files/ {
allow all;
alias /etc/puppet/files/;
}
# serve modules files sections
location ~ /production/file_content/[^/]+/files/ {
allow all;
root /etc/puppet/modules;
# rewrite /production/file_content/module/files/file.txt to /
module/file.text
rewrite ^/production/file_content/([^/]+)/files/(.+)$
$1/$2 break;
}
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Client-DN $ssl_client_s_dn;
proxy_set_header X-Client-Verify $ssl_client_verify;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
#proxy_set_header X-SSL-Subject $ssl_client_s_dn;
#proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
proxy_buffer_size 16k;
proxy_buffers 8 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
proxy_read_timeout 65;
location / {
proxy_pass http://ipof server:8141; ==> Running unicorn on
Port 8141
proxy_redirect off;
}
}
}
Puppet.conf
----------------
[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
server = pserver01
listen = true
[master]
ssl_client_header = HTTP_X_CLIENT_DN
ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
certname = pserver01
ca = false
When the run the puppet client 1st time. The Puppet client sends the
request to the CA server and i can sign the CSR request. However when
i run it the 2nd time
puppetd --test --server pserver01 --noop --debug
I get the following error:
err: Could not retrieve catalog from remote server: Error 403 on
SERVER: Forbidden request: pclient(ipaddress) access to /catalog/
pclient [find] at line 93. Both the machines are different servers.
I commented Line 93 and also checked. However it still doesnt work.
Anyone who can help me out?
Regards,
Kevin
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.