Puppet users - May 2011 - puppet not working after switch to passenger - permissions issue?

Hi,

as suggested on the list I switched from the standalone puppetmaster to 
Passenger. I have passenger installed now and edited the apache config as far as
I understood. I restarted apache.
Now when I run an agent I get:

/var/lib/gems/1.8/bin/puppet agent --server node002 --test
err: Could not retrieve catalog from remote server: Error 403 on SERVER: 
Forbidden request: node039(192.168.73.39) access to /catalog/node039 [find] at 
line 0
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

In the server log I find this:

May  4 14:13:08 node002 puppet-master[14489]: Denying access: Forbidden request:
node039(192.168.73.39) access to /catalog/node039 [find] at line 0
May  4 14:13:08 node002 puppet-master[14489]: Forbidden request: 
node039(192.168.73.39) access to /catalog/node039 [find] at line 0

Here is my apache config:

========
# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off

Listen 8140

<VirtualHost *:8140>
         SSLEngine on
         SSLProtocol -ALL +SSLv3 +TLSv1
         SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

         SSLCertificateFile      /etc/puppet/ssl/certs/node002.pem
         SSLCertificateKeyFile   /etc/puppet/ssl/private_keys/node002.pem
         SSLCertificateChainFile /etc/puppet/ssl/ca/ca_crt.pem
         SSLCACertificateFile    /etc/puppet/ssl/ca/ca_crt.pem
         # If Apache complains about invalid signatures on the CRL, you can try 
disabling
         # CRL checking by commenting the next line, but this is not
recommended.
         SSLCARevocationFile     /etc/puppet/ssl/ca/ca_crl.pem
         SSLVerifyClient optional
         SSLVerifyDepth  1
         SSLOptions +StdEnvVars

         DocumentRoot /etc/puppet/rack/public/
         RackBaseURI /
         <Directory /etc/puppet/rack/>
                 Options None
                 AllowOverride None
                 Order allow,deny
                 allow from all
         </Directory>
</VirtualHost>
=======
Is that a permissions problem? I dont know how that /catalog/node039 URL maps to
a file path.

regards, Andreas

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Hi,

Nan Liu wrote:
> On Wed, May 4, 2011 at 8:26 AM, Andreas Kuntzagk
> <andreas.kuntzagk@mdc-berlin.de> wrote:
>> Hi,
>>
>> as suggested on the list I switched from the standalone puppetmaster to
>> Passenger. I have passenger installed now and edited the apache config
as
>> far as I understood. I restarted apache.
>> Now when I run an agent I get:
>>
>> /var/lib/gems/1.8/bin/puppet agent --server node002 --test
>> err: Could not retrieve catalog from remote server: Error 403 on
SERVER:
>> Forbidden request: node039(192.168.73.39) access to /catalog/node039
[find]
>> at line 0
>> warning: Not using cache on failed catalog
>> err: Could not retrieve catalog; skipping run
>>
>> In the server log I find this:
>>
>> May  4 14:13:08 node002 puppet-master[14489]: Denying access: Forbidden
>> request: node039(192.168.73.39) access to /catalog/node039 [find] at
line 0
>> May  4 14:13:08 node002 puppet-master[14489]: Forbidden request:
>> node039(192.168.73.39) access to /catalog/node039 [find] at line 0
> 
> Not sure I can pinpoint your problem, is this all the output with
> debugging enabled in config.ru?
No. I just enabled debugging (did not see this option before). Now I get many 
more lines.
I suspect these to be the important ones:

May  5 08:59:36 node002 puppet-master[16796]: (access[/]) adding authentication
any
May  5 08:59:36 node002 puppet-master[16796]: Inserting default
''/status''(auth)
acl because none where found in ''/etc/puppet/auth.conf''
May  5 08:59:36 node002 puppet-master[16796]: (access[/]) defaulting to no 
access for node002


[...]

> It doesn''t map to a filepath. Access is controlled via auth.conf.
You
> should have a section similar to:
> 
> # allow nodes to retrieve their own catalog (ie their configuration)
> path ~ ^/catalog/([^/]+)$
> method find
> allow $1
Ok, auth.conf was missing. But I copied the gems default conf file and
it''s
still not working.
> Since you should not need to change it, I''m wondering do you have
the
> following [master] section in puppet.conf?
>   ssl_client_header = SSL_CLIENT_S_DN
>   ssl_client_verify_header = SSL_CLIENT_VERIFY
No. There is no [master] section at all. And also in all example confs there is 
no [master] section. Btw. this is version 2.6.4.

regards, Andreas

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Ok, seems that I have an authentication issue here.
when I set (for all paths) "auth no" in auth.conf, it''s
working again.
Maybe I set these options wrong in the apache.conf:

SSLCertificateFile      /etc/puppet/ssl/certs/node002.pem
SSLCertificateKeyFile   /etc/puppet/ssl/private_keys/node002.pem

As far as I can tell these files match.

regards, Andreas

Andreas Kuntzagk wrote:
> Hi,
> 
> Nan Liu wrote:
>> On Wed, May 4, 2011 at 8:26 AM, Andreas Kuntzagk
>> <andreas.kuntzagk@mdc-berlin.de> wrote:
>>> Hi,
>>>
>>> as suggested on the list I switched from the standalone
puppetmaster to
>>> Passenger. I have passenger installed now and edited the apache 
>>> config as
>>> far as I understood. I restarted apache.
>>> Now when I run an agent I get:
>>>
>>> /var/lib/gems/1.8/bin/puppet agent --server node002 --test
>>> err: Could not retrieve catalog from remote server: Error 403 on
SERVER:
>>> Forbidden request: node039(192.168.73.39) access to
/catalog/node039
>>> [find]
>>> at line 0
>>> warning: Not using cache on failed catalog
>>> err: Could not retrieve catalog; skipping run
>>>
>>> In the server log I find this:
>>>
>>> May  4 14:13:08 node002 puppet-master[14489]: Denying access:
Forbidden
>>> request: node039(192.168.73.39) access to /catalog/node039 [find]
at
>>> line 0
>>> May  4 14:13:08 node002 puppet-master[14489]: Forbidden request:
>>> node039(192.168.73.39) access to /catalog/node039 [find] at line 0
>>
>> Not sure I can pinpoint your problem, is this all the output with
>> debugging enabled in config.ru?
> 
> No. I just enabled debugging (did not see this option before). Now I get 
> many more lines.
> I suspect these to be the important ones:
> 
> May  5 08:59:36 node002 puppet-master[16796]: (access[/]) adding 
> authentication any
> May  5 08:59:36 node002 puppet-master[16796]: Inserting default 
> ''/status''(auth) acl because none where found in
''/etc/puppet/auth.conf''
> May  5 08:59:36 node002 puppet-master[16796]: (access[/]) defaulting to 
> no access for node002
> 
> 
> [...]
> 
> 
>> It doesn''t map to a filepath. Access is controlled via
auth.conf. You
>> should have a section similar to:
>>
>> # allow nodes to retrieve their own catalog (ie their configuration)
>> path ~ ^/catalog/([^/]+)$
>> method find
>> allow $1
> 
> Ok, auth.conf was missing. But I copied the gems default conf file and 
> it''s still not working.
> 
>> Since you should not need to change it, I''m wondering do you
have the
>> following [master] section in puppet.conf?
>>   ssl_client_header = SSL_CLIENT_S_DN
>>   ssl_client_verify_header = SSL_CLIENT_VERIFY
> 
> No. There is no [master] section at all. And also in all example confs 
> there is no [master] section. Btw. this is version 2.6.4.
> 
> regards, Andreas
> 
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On May 5, 2:31 am, Andreas Kuntzagk <andreas.kuntz...@mdc-berlin.de>
wrote:
> Ok, seems that I have an authentication issue here.
> when I set (for all paths) "auth no" in auth.conf, it''s
working again.
> Maybe I set these options wrong in the apache.conf:
>
> SSLCertificateFile      /etc/puppet/ssl/certs/node002.pem
> SSLCertificateKeyFile   /etc/puppet/ssl/private_keys/node002.pem
>
> As far as I can tell these files match.
>
> regards, Andreas
>
> Andreas Kuntzagk wrote:
> > Hi,
>
> > Nan Liu wrote:
> >> On Wed, May 4, 2011 at 8:26 AM, Andreas Kuntzagk
> >> <andreas.kuntz...@mdc-berlin.de> wrote:
> >>> Hi,
>
> >>> as suggested on the list I switched from the standalone
puppetmaster to
> >>> Passenger. I have passenger installed now and edited the
apache
> >>> config as
> >>> far as I understood. I restarted apache.
> >>> Now when I run an agent I get:
>
> >>> /var/lib/gems/1.8/bin/puppet agent --server node002 --test
> >>> err: Could not retrieve catalog from remote server: Error 403
on SERVER:
> >>> Forbidden request: node039(192.168.73.39) access to
/catalog/node039
> >>> [find]
> >>> at line 0
> >>> warning: Not using cache on failed catalog
> >>> err: Could not retrieve catalog; skipping run
>
> >>> In the server log I find this:
>
> >>> May  4 14:13:08 node002 puppet-master[14489]: Denying access:
Forbidden
> >>> request: node039(192.168.73.39) access to /catalog/node039
[find] at
> >>> line 0
> >>> May  4 14:13:08 node002 puppet-master[14489]: Forbidden
request:
> >>> node039(192.168.73.39) access to /catalog/node039 [find] at
line 0
>
> >> Not sure I can pinpoint your problem, is this all the output with
> >> debugging enabled in config.ru?
>
> > No. I just enabled debugging (did not see this option before). Now I
get
> > many more lines.
> > I suspect these to be the important ones:
>
> > May  5 08:59:36 node002 puppet-master[16796]: (access[/]) adding
> > authentication any
> > May  5 08:59:36 node002 puppet-master[16796]: Inserting default
> > ''/status''(auth) acl because none where found in
''/etc/puppet/auth.conf''
> > May  5 08:59:36 node002 puppet-master[16796]: (access[/]) defaulting
to
> > no access for node002
>
> > [...]
>
> >> It doesn''t map to a filepath. Access is controlled via
auth.conf. You
> >> should have a section similar to:
>
> >> # allow nodes to retrieve their own catalog (ie their
configuration)
> >> path ~ ^/catalog/([^/]+)$
> >> method find
> >> allow $1
>
> > Ok, auth.conf was missing. But I copied the gems default conf file and
> > it''s still not working.
>
> >> Since you should not need to change it, I''m wondering do
you have the
> >> following [master] section in puppet.conf?
> >>   ssl_client_header = SSL_CLIENT_S_DN
> >>   ssl_client_verify_header = SSL_CLIENT_VERIFY
>
> > No. There is no [master] section at all. And also in all example confs
> > there is no [master] section. Btw. this is version 2.6.4.
>
> > regards, Andreas
So in the puppet.conf I have, those ssl_client_* settings are actually
in the [user] section. I''m not 100% sure if that''s correct but
I''m
running 2.6.8 on mine and that appears to be one of the magic bits
needed.
Also in your apache config, add

  # The following client headers allow the same configuration to work
with Pound.
  RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

That seems to be the other bit that actually passes the authentication
down the chain to puppet.

-Paul

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On May 5, 2:31 am, Andreas Kuntzagk <andreas.kuntz...@mdc-berlin.de>
wrote:
> Ok, seems that I have an authentication issue here.
> when I set (for all paths) "auth no" in auth.conf, it''s
working again.
> Maybe I set these options wrong in the apache.conf:
>
> SSLCertificateFile      /etc/puppet/ssl/certs/node002.pem
> SSLCertificateKeyFile   /etc/puppet/ssl/private_keys/node002.pem
>
> As far as I can tell these files match.
>
> regards, Andreas
>
> Andreas Kuntzagk wrote:
> > Hi,
>
> > Nan Liu wrote:
> >> On Wed, May 4, 2011 at 8:26 AM, Andreas Kuntzagk
> >> <andreas.kuntz...@mdc-berlin.de> wrote:
> >>> Hi,
>
> >>> as suggested on the list I switched from the standalone
puppetmaster to
> >>> Passenger. I have passenger installed now and edited the
apache
> >>> config as
> >>> far as I understood. I restarted apache.
> >>> Now when I run an agent I get:
>
> >>> /var/lib/gems/1.8/bin/puppet agent --server node002 --test
> >>> err: Could not retrieve catalog from remote server: Error 403
on SERVER:
> >>> Forbidden request: node039(192.168.73.39) access to
/catalog/node039
> >>> [find]
> >>> at line 0
> >>> warning: Not using cache on failed catalog
> >>> err: Could not retrieve catalog; skipping run
>
> >>> In the server log I find this:
>
> >>> May  4 14:13:08 node002 puppet-master[14489]: Denying access:
Forbidden
> >>> request: node039(192.168.73.39) access to /catalog/node039
[find] at
> >>> line 0
> >>> May  4 14:13:08 node002 puppet-master[14489]: Forbidden
request:
> >>> node039(192.168.73.39) access to /catalog/node039 [find] at
line 0
>
> >> Not sure I can pinpoint your problem, is this all the output with
> >> debugging enabled in config.ru?
>
> > No. I just enabled debugging (did not see this option before). Now I
get
> > many more lines.
> > I suspect these to be the important ones:
>
> > May  5 08:59:36 node002 puppet-master[16796]: (access[/]) adding
> > authentication any
> > May  5 08:59:36 node002 puppet-master[16796]: Inserting default
> > ''/status''(auth) acl because none where found in
''/etc/puppet/auth.conf''
> > May  5 08:59:36 node002 puppet-master[16796]: (access[/]) defaulting
to
> > no access for node002
>
> > [...]
>
> >> It doesn''t map to a filepath. Access is controlled via
auth.conf. You
> >> should have a section similar to:
>
> >> # allow nodes to retrieve their own catalog (ie their
configuration)
> >> path ~ ^/catalog/([^/]+)$
> >> method find
> >> allow $1
>
> > Ok, auth.conf was missing. But I copied the gems default conf file and
> > it''s still not working.
>
> >> Since you should not need to change it, I''m wondering do
you have the
> >> following [master] section in puppet.conf?
> >>   ssl_client_header = SSL_CLIENT_S_DN
> >>   ssl_client_verify_header = SSL_CLIENT_VERIFY
>
> > No. There is no [master] section at all. And also in all example confs
> > there is no [master] section. Btw. this is version 2.6.4.
>
> > regards, Andreas
So in the puppet.conf I have, those ssl_client_* settings are actually
in the [user] section. I''m not 100% sure if that''s correct but
I''m
running 2.6.8 on mine and that appears to be one of the magic bits
needed.
Also in your apache config, add

  # The following client headers allow the same configuration to work
with Pound.
  RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

That seems to be the other bit that actually passes the authentication
down the chain to puppet.

-Paul

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On May 5, 2:31 am, Andreas Kuntzagk <andreas.kuntz...@mdc-berlin.de>
wrote:
> Ok, seems that I have an authentication issue here.
> when I set (for all paths) "auth no" in auth.conf, it''s
working again.
> Maybe I set these options wrong in the apache.conf:
>
> SSLCertificateFile      /etc/puppet/ssl/certs/node002.pem
> SSLCertificateKeyFile   /etc/puppet/ssl/private_keys/node002.pem
>
> As far as I can tell these files match.
>
> regards, Andreas
>
>
>
>
>
>
>
> Andreas Kuntzagk wrote:
> > Hi,
>
> > Nan Liu wrote:
> >> On Wed, May 4, 2011 at 8:26 AM, Andreas Kuntzagk
> >> <andreas.kuntz...@mdc-berlin.de> wrote:
> >>> Hi,
>
> >>> as suggested on the list I switched from the standalone
puppetmaster to
> >>> Passenger. I have passenger installed now and edited the
apache
> >>> config as
> >>> far as I understood. I restarted apache.
> >>> Now when I run an agent I get:
>
> >>> /var/lib/gems/1.8/bin/puppet agent --server node002 --test
> >>> err: Could not retrieve catalog from remote server: Error 403
on SERVER:
> >>> Forbidden request: node039(192.168.73.39) access to
/catalog/node039
> >>> [find]
> >>> at line 0
> >>> warning: Not using cache on failed catalog
> >>> err: Could not retrieve catalog; skipping run
>
> >>> In the server log I find this:
>
> >>> May  4 14:13:08 node002 puppet-master[14489]: Denying access:
Forbidden
> >>> request: node039(192.168.73.39) access to /catalog/node039
[find] at
> >>> line 0
> >>> May  4 14:13:08 node002 puppet-master[14489]: Forbidden
request:
> >>> node039(192.168.73.39) access to /catalog/node039 [find] at
line 0
>
> >> Not sure I can pinpoint your problem, is this all the output with
> >> debugging enabled in config.ru?
>
> > No. I just enabled debugging (did not see this option before). Now I
get
> > many more lines.
> > I suspect these to be the important ones:
>
> > May  5 08:59:36 node002 puppet-master[16796]: (access[/]) adding
> > authentication any
> > May  5 08:59:36 node002 puppet-master[16796]: Inserting default
> > ''/status''(auth) acl because none where found in
''/etc/puppet/auth.conf''
> > May  5 08:59:36 node002 puppet-master[16796]: (access[/]) defaulting
to
> > no access for node002
>
> > [...]
>
> >> It doesn''t map to a filepath. Access is controlled via
auth.conf. You
> >> should have a section similar to:
>
> >> # allow nodes to retrieve their own catalog (ie their
configuration)
> >> path ~ ^/catalog/([^/]+)$
> >> method find
> >> allow $1
>
> > Ok, auth.conf was missing. But I copied the gems default conf file and
> > it''s still not working.
>
> >> Since you should not need to change it, I''m wondering do
you have the
> >> following [master] section in puppet.conf?
> >>   ssl_client_header = SSL_CLIENT_S_DN
> >>   ssl_client_verify_header = SSL_CLIENT_VERIFY
>
> > No. There is no [master] section at all. And also in all example confs
> > there is no [master] section. Btw. this is version 2.6.4.
>
> > regards, Andreas

So in the puppet.conf I have, those ssl_client_* settings are actually
in the [user] section. I''m not 100% sure if that''s correct but
I''m
running 2.6.8 on mine and that appears to be one of the magic bits
needed.
Also in your apache config, add

  # The following client headers allow the same configuration to work
with Pound.
  RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

That seems to be the other bit that actually passes the authentication
down the chain to puppet.

-Paul

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Sorry for the triple post, my work proxy was blocking the success
message it seems.


On May 10, 6:37 pm, Paul Collins <paul.collins....@gmail.com>
wrote:
> On May 5, 2:31 am, Andreas Kuntzagk <andreas.kuntz...@mdc-berlin.de>
> wrote:
>
>
>
>
>
> > Ok, seems that I have an authentication issue here.
> > when I set (for all paths) "auth no" in auth.conf,
it''s working again.
> > Maybe I set these options wrong in the apache.conf:
>
> > SSLCertificateFile      /etc/puppet/ssl/certs/node002.pem
> > SSLCertificateKeyFile   /etc/puppet/ssl/private_keys/node002.pem
>
> > As far as I can tell these files match.
>
> > regards, Andreas
>
> > Andreas Kuntzagk wrote:
> > > Hi,
>
> > > Nan Liu wrote:
> > >> On Wed, May 4, 2011 at 8:26 AM, Andreas Kuntzagk
> > >> <andreas.kuntz...@mdc-berlin.de> wrote:
> > >>> Hi,
>
> > >>> as suggested on the list I switched from the standalone
puppetmaster to
> > >>> Passenger. I have passenger installed now and edited the
apache
> > >>> config as
> > >>> far as I understood. I restarted apache.
> > >>> Now when I run an agent I get:
>
> > >>> /var/lib/gems/1.8/bin/puppet agent --server node002
--test
> > >>> err: Could not retrieve catalog from remote server: Error
403 on SERVER:
> > >>> Forbidden request: node039(192.168.73.39) access to
/catalog/node039
> > >>> [find]
> > >>> at line 0
> > >>> warning: Not using cache on failed catalog
> > >>> err: Could not retrieve catalog; skipping run
>
> > >>> In the server log I find this:
>
> > >>> May  4 14:13:08 node002 puppet-master[14489]: Denying
access: Forbidden
> > >>> request: node039(192.168.73.39) access to
/catalog/node039 [find] at
> > >>> line 0
> > >>> May  4 14:13:08 node002 puppet-master[14489]: Forbidden
request:
> > >>> node039(192.168.73.39) access to /catalog/node039 [find]
at line 0
>
> > >> Not sure I can pinpoint your problem, is this all the output
with
> > >> debugging enabled in config.ru?
>
> > > No. I just enabled debugging (did not see this option before).
Now I get
> > > many more lines.
> > > I suspect these to be the important ones:
>
> > > May  5 08:59:36 node002 puppet-master[16796]: (access[/]) adding
> > > authentication any
> > > May  5 08:59:36 node002 puppet-master[16796]: Inserting default
> > > ''/status''(auth) acl because none where found in
''/etc/puppet/auth.conf''
> > > May  5 08:59:36 node002 puppet-master[16796]: (access[/])
defaulting to
> > > no access for node002
>
> > > [...]
>
> > >> It doesn''t map to a filepath. Access is controlled
via auth.conf. You
> > >> should have a section similar to:
>
> > >> # allow nodes to retrieve their own catalog (ie their
configuration)
> > >> path ~ ^/catalog/([^/]+)$
> > >> method find
> > >> allow $1
>
> > > Ok, auth.conf was missing. But I copied the gems default conf
file and
> > > it''s still not working.
>
> > >> Since you should not need to change it, I''m
wondering do you have the
> > >> following [master] section in puppet.conf?
> > >>   ssl_client_header = SSL_CLIENT_S_DN
> > >>   ssl_client_verify_header = SSL_CLIENT_VERIFY
>
> > > No. There is no [master] section at all. And also in all example
confs
> > > there is no [master] section. Btw. this is version 2.6.4.
>
> > > regards, Andreas
>
> So in the puppet.conf I have, those ssl_client_* settings are actually
> in the [user] section. I''m not 100% sure if that''s
correct but I''m
> running 2.6.8 on mine and that appears to be one of the magic bits
> needed.
> Also in your apache config, add
>
>   # The following client headers allow the same configuration to work
> with Pound.
>   RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
>   RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
>   RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
>
> That seems to be the other bit that actually passes the authentication
> down the chain to puppet.
>
> -Paul
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.