Stefan Midjich
2011-Jun-27  07:11 UTC
[Puppet Users] Permission denied on new Passenger install
I installed puppet-passenger from Debian apt and most of the
configuration files mentioned in my Pro Puppet book were already
created and the config.ru script even had the correct owner
permissions. I'm saying this so you'll understand that I have chapter
4 of the famous Apress book in front of me while I'm doing this and I
have no idea what I've missed.
This is the output when puppet agent -oDdv is run.
    Jun 27 08:55:28 node00 puppet-agent[9861]:
Puppet::Type::User::ProviderPw: file pw does not exist
    Jun 27 08:55:28 node00 puppet-agent[9861]:
Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does
not exist
    Jun 27 08:55:28 node00 puppet-agent[9861]:
Puppet::Type::User::ProviderUser_role_add: file rolemod does not exist
    Jun 27 08:55:28 node00 puppet-agent[9861]:
Puppet::Type::User::ProviderLdap: true value when expecting false
    Jun 27 08:55:28 node00 puppet-agent[9861]: Failed to load library
'selinux' for feature 'selinux'
    Jun 27 08:55:28 node00 puppet-agent[9861]:
Puppet::Type::File::ProviderMicrosoft_windows: feature
microsoft_windows is missing
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/certificate_requests]) Autorequiring File[/var/lib/puppet/ssl]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/private_keys]) Autorequiring File[/var/lib/puppet/ssl]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/public_keys]) Autorequiring File[/var/lib/puppet/ssl]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
log]) Autorequiring File[/var/lib/puppet]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/run/puppet/
agent.pid]) Autorequiring File[/var/run/puppet]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl]) Autorequiring File[/var/lib/puppet]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/certs/ca.pem]) Autorequiring File[/var/lib/puppet/ssl/certs]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
client_data]) Autorequiring File[/var/lib/puppet]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
client_yaml]) Autorequiring File[/var/lib/puppet]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/crl.pem]) Autorequiring File[/var/lib/puppet/ssl]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
state]) Autorequiring File[/var/lib/puppet]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/certs]) Autorequiring File[/var/lib/puppet/ssl]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
state/graphs]) Autorequiring File[/var/lib/puppet/state]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
clientbucket]) Autorequiring File[/var/lib/puppet]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
state/last_run_summary.yaml]) Autorequiring File[/var/lib/puppet/
state]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/private]) Autorequiring File[/var/lib/puppet/ssl]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
facts]) Autorequiring File[/var/lib/puppet]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
lib]) Autorequiring File[/var/lib/puppet]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/etc/puppet/
puppet.conf]) Autorequiring File[/etc/puppet]
    Jun 27 08:55:28 node00 puppet-agent[9861]: Finishing transaction
69835232135480
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/certs]) Autorequiring File[/var/lib/puppet/ssl]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl]) Autorequiring File[/var/lib/puppet]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/crl.pem]) Autorequiring File[/var/lib/puppet/ssl]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/certificate_requests]) Autorequiring File[/var/lib/puppet/ssl]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
log]) Autorequiring File[/var/lib/puppet]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
lib]) Autorequiring File[/var/lib/puppet]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
facts]) Autorequiring File[/var/lib/puppet]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
state]) Autorequiring File[/var/lib/puppet]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/certs/ca.pem]) Autorequiring File[/var/lib/puppet/ssl/certs]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/private]) Autorequiring File[/var/lib/puppet/ssl]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/private_keys]) Autorequiring File[/var/lib/puppet/ssl]
    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
ssl/public_keys]) Autorequiring File[/var/lib/puppet/ssl]
    Jun 27 08:55:28 node00 puppet-agent[9861]: Finishing transaction
69835233959160
    Jun 27 08:55:28 node00 puppet-agent[9861]: Using cached
certificate for ca
    Jun 27 08:55:28 node00 puppet-agent[9861]: Using cached
certificate for node00.swehack.localdomain
    Jun 27 08:55:28 node00 puppet-agent[9861]: Finishing transaction
69835232882020
    Jun 27 08:55:28 node00 puppet-agent[9861]: catalog supports
formats: b64_zlib_yaml dot marshal pson raw yaml; using pson
    Jun 27 08:55:29 node00 puppet-master[9939]: Starting Puppet master
version 2.6.8
    Jun 27 08:55:29 node00 puppet-master[9939]: Could not parse for
environment production: Permission denied - /etc/puppet/manifests/
site.pp on node node00.swehack.localdomain
    Jun 27 08:55:29 node00 puppet-master[9939]: Could not parse for
environment production: Permission denied - /etc/puppet/manifests/
site.pp on node node00.swehack.localdomain
    Jun 27 08:55:29 node00 puppet-agent[9861]: Could not retrieve
catalog from remote server: Error 400 on SERVER: Could not parse for
environment production: Permission denied - /etc/puppet/manifests/
site.pp on node node00.swehack.localdomain
    Jun 27 08:55:29 node00 puppet-agent[9861]: Not using cache on
failed catalog
    Jun 27 08:55:29 node00 puppet-agent[9861]: Could not retrieve
catalog; skipping run
Permissions on /etc/puppet/manifests is 0644 recursively. Just to be
on the safe side, even puppet configuration in /etc/puppet is readable
by world.
The above output comes after disabling auth in auth.conf by putting
auth no under the /catalog regex. If I re-enable auth I get this
output.
    Jun 27 09:03:30 node00 puppet-agent[9968]: (/File[/var/lib/puppet/
state]) Autorequiring File[/var/lib/puppet]
    Jun 27 09:03:30 node00 puppet-agent[9968]: Finishing transaction
70017548799140
    Jun 27 09:03:30 node00 puppet-agent[9968]: Using cached
certificate for ca
    Jun 27 09:03:30 node00 puppet-agent[9968]: Using cached
certificate for node00.swehack.localdomain
    Jun 27 09:03:30 node00 puppet-agent[9968]: Finishing transaction
70017547722900
    Jun 27 09:03:30 node00 puppet-agent[9968]: catalog supports
formats: b64_zlib_yaml dot marshal pson raw yaml; using pson
    Jun 27 09:03:30 node00 puppet-master[9939]: Mon Jun 27 09:03:26
+0200 2011 vs Mon Jun 27 08:29:42 +0200 2011
    Jun 27 09:03:30 node00 puppet-master[9939]: Denying access:
Forbidden request: node00.swehack.localdomain(172.16.248.136) access
to /catalog/node00.swehack.localdomain [find] at line 93
    Jun 27 09:03:30 node00 puppet-master[9939]: Forbidden request:
node00.swehack.localdomain(172.16.248.136) access to /catalog/
node00.swehack.localdomain [find] at line 93
    Jun 27 09:03:30 node00 puppet-agent[9968]: Could not retrieve
catalog from remote server: Error 403 on SERVER: Forbidden request:
node00.swehack.localdomain(172.16.248.136) access to /catalog/
node00.swehack.localdomain [find] at line 93
    Jun 27 09:03:30 node00 puppet-agent[9968]: Not using cache on
failed catalog
    Jun 27 09:03:30 node00 puppet-agent[9968]: Could not retrieve
catalog; skipping run
Line 93? Where?!
My auth.conf is also pretty standard but here's the block regarding /
catalog.
    # allow nodes to retrieve their own catalog (ie their
configuration)
    path ~ ^/catalog/([^/]+)$
    method find
    allow $1
I've also tried without the $ end of line character because I noticed
in the apache access log that the GET request actually has more stuff
at the end of the hostname.
"GET /production/catalog/node00.swehack.localdomain?facts=eNqFVlm..."
I've made sure to let puppetmaster create the certificates and all, I
really don't get any certificate issues and I know how to re-create
them in the worst case.
The only thing that would differ here from a plain old vanilla Debian
with passenger installed through apt would be that I changed the
hostname of the machine after the installation and after the first
certificates were created. I felt it was important to mention this
because that means I have in fact re-created all the certs at least
once.
I've also grep'd for the old hostname to make sure it's not dormant
somewhere causing issues but I can't find it. Except for in the
inventory.txt file but I deleted those old lines just to be on the
safe side.
I found a thread dealing with this, replied to it because I was
confused as to what the solution was. The thread in question mentioned
that http://groups.google.com/group/puppet-dev/msg/b15e1c93bbc70fdb
held the answer somehow.
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
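A check worth running for the first error in the post above, the "Permission denied" on /etc/puppet/manifests/site.pp that appears once auth is switched off: opening a file needs read permission on the file itself and search (execute) permission on every directory leading to it, and a chmod applied recursively with a file mode such as 0644 takes that bit away from the directories on the way. The following is an added example in Ruby (Puppet's own language); it is not code from the thread or from Puppet. It reports the first path component a given account cannot get through, using function names of my own and a constructed directory tree that stands in for /etc/puppet/manifests.

```ruby
require "tmpdir"
require "fileutils"

# Added example for this thread, not code from the thread or from Puppet.
# To open /etc/puppet/manifests/site.pp an account needs read on site.pp and
# search (x) on /, /etc, /etc/puppet and /etc/puppet/manifests. A recursive
# chmod 0644 applies the file mode to the directories too and removes exactly
# that bit, and the kernel then answers EACCES ("Permission denied") for a file
# whose own mode looks fine. Function names are mine; the tree built in
# demo_recursive_chmod is constructed.

# The rwx triplet that applies to this account for this inode.
def mode_bits_for(st, uid, gids)
  if st.uid == uid
    (st.mode >> 6) & 0o7        # owner triplet
  elsif gids.include?(st.gid)
    (st.mode >> 3) & 0o7        # group triplet
  else
    st.mode & 0o7               # other triplet
  end
end

# Directories from base down to the file's parent, in traversal order.
def directory_chain(path, base)
  chain = []
  dir = File.expand_path(File.dirname(path))
  base = File.expand_path(base)
  loop do
    chain.unshift(dir)
    break if dir == base || dir == "/"
    dir = File.dirname(dir)
  end
  chain
end

# nil when the account can open the file for reading; otherwise
# [directory, :search] for the first directory without the search bit, or
# [path, :read] when only the file's read bit is missing. Stops at the first
# directory problem: everything below it is unreachable for that account, and a
# non-root caller could not even stat the deeper entries. Root is exempt from
# mode bits in the kernel, so ask about the service account, not uid 0.
def first_access_problem(path, uid:, gids:, base: "/")
  directory_chain(path, base).each do |dir|
    return [dir, :search] if (mode_bits_for(File.stat(dir), uid, gids) & 0o1) == 0
  end
  return [path, :read] if (mode_bits_for(File.stat(path), uid, gids) & 0o4) == 0
  nil
end

# Constructed tree: manifests/site.pp after "chmod -R 0644 manifests", then
# after restoring 0755 on the directory. The current user stands in for the
# account the master runs as. Returns [problem_before_fix, problem_after_fix].
def demo_recursive_chmod
  Dir.mktmpdir("puppet-perms") do |root|
    manifests = File.join(root, "manifests")
    site_pp = File.join(manifests, "site.pp")
    FileUtils.mkdir_p(manifests)
    File.write(site_pp, "node default { }\n")
    File.chmod(0o644, manifests, site_pp)   # what a recursive chmod 0644 leaves behind
    uid  = Process.uid
    gids = ([Process.gid] + Process.groups).uniq
    before = first_access_problem(site_pp, uid: uid, gids: gids, base: root)
    File.chmod(0o755, manifests)             # directories need x; the file can stay 0644
    after = first_access_problem(site_pp, uid: uid, gids: gids, base: root)
    [before, after]
  end
end

if __FILE__ == $0
  before, after = demo_recursive_chmod
  puts "after chmod -R 0644:              #{before.inspect}"
  puts "after chmod 0755 on the directory: #{after.inspect}"
end
```

On the real master, call first_access_problem on /etc/puppet/manifests/site.pp with the uid and groups of the account Passenger runs the application as (by default the owner of config.ru), and run the check itself as root so that stat is not refused part way down. A nil result means the mode bits are not what is refusing the open and the cause lies elsewhere.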
Patrick
2011-Jun-27  08:34 UTC
Re: [Puppet Users] Permission denied on new Passenger install
I see 2 likely options:

1) You don't have these lines in puppet.conf:

    #ssl_client_header = HTTP_SSL_CLIENT_S_DN
    #ssl_client_verify_header = HTTP_SSL_CLIENT_VERIFY

and you didn't put the equivalent lines in the apache config files.

2) You put the correct lines in the apache files and the puppet files, which doesn't work.

Summary: You must change which headers puppet is looking for or what apache names those headers, but NOT both.

On Jun 27, 2011, at 12:11 AM, Stefan Midjich wrote:
> [...]
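To make the "change one side, not both" rule concrete, here is an added example in Ruby (Puppet's language). It is not Puppet's code and not from either poster; it approximates the client-identity extraction of the Puppet 2.6 Rack handler (Puppet::Network::HTTP::RackREST#extract_client_info) together with the stock auth.conf catalog rule, so the effect of the ssl_client_header and ssl_client_verify_header settings can be seen offline. The function names and the sample Rack environments are constructed.

```ruby
# Added example for this thread (not Puppet's code and not either poster's).
# It approximates how the Puppet 2.6 Rack handler turns front-end supplied
# variables into a node identity, so the puppet.conf header names can be
# matched against what Apache actually delivers. All names below are mine.

# Rack/CGI convention: an HTTP request header "X-Client-DN" reaches the
# application as env key "HTTP_X_CLIENT_DN" (HTTP_ prefix, upper case, '-' to '_').
# mod_ssl variables exported by "SSLOptions +StdEnvVars" are not request
# headers; Passenger passes them through under their own names (SSL_CLIENT_S_DN,
# SSL_CLIENT_VERIFY), which is why the Debian default puppet.conf uses those.
def rack_env_key(header_name)
  "HTTP_" + header_name.upcase.tr("-", "_")
end

# What the master believes about the caller, given the Rack env and the two
# names from puppet.conf. Puppet's own CN match differs slightly; when no DN
# value is present it falls back to the reverse-resolved peer name and marks
# the request unauthenticated.
def extract_client_info(env, dn_header:, verify_header:, fallback_node:)
  dn = env[dn_header]
  cn = dn && dn[/CN\s*=\s*([^\/,]+)/, 1]
  return { node: fallback_node, authenticated: false } unless cn
  { node: cn, authenticated: env[verify_header] == "SUCCESS" }
end

# Model of the stock auth.conf catalog rule:
#   path ~ ^/catalog/([^/]+)$   method find   allow $1
# With the default "auth yes" an unauthenticated request never matches this
# rule and falls through to the closing deny; "auth no" drops that requirement.
def catalog_rule_allows?(info, requested_node, auth_required: true)
  return false if auth_required && !info[:authenticated]
  info[:node] == requested_node
end

NODE = "node00.swehack.localdomain"

# Constructed env: Apache + Passenger with "SSLOptions +StdEnvVars".
STDENVVARS_ENV = {
  "SSL_CLIENT_S_DN"   => "/CN=#{NODE}",
  "SSL_CLIENT_VERIFY" => "SUCCESS",
  "REMOTE_ADDR"       => "172.16.248.136",
}.freeze

# Constructed env: a TLS-terminating front end that forwards
#   RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
#   RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
# and nothing else about the certificate reaches the application.
PROXY_ENV = {
  rack_env_key("X-Client-DN")     => "/CN=#{NODE}",
  rack_env_key("X-Client-Verify") => "SUCCESS",
  "REMOTE_ADDR"                   => "172.16.248.136",
}.freeze

# Constructed env: the same two headers, but sent by the client itself on a
# path that reaches the application without a front end overwriting them.
FORGED_ENV = {
  rack_env_key("X-Client-DN")     => "/CN=other.swehack.localdomain",
  rack_env_key("X-Client-Verify") => "SUCCESS",
  "REMOTE_ADDR"                   => "172.16.248.136",
}.freeze

# Each case: [env, ssl_client_header, ssl_client_verify_header, node whose catalog is requested].
def walkthrough
  cases = {
    stdenvvars_default:      [STDENVVARS_ENV, "SSL_CLIENT_S_DN",      "SSL_CLIENT_VERIFY",      NODE],
    puppet_renamed_only:     [STDENVVARS_ENV, "HTTP_SSL_CLIENT_S_DN", "HTTP_SSL_CLIENT_VERIFY", NODE],
    apache_renamed_matching: [PROXY_ENV,      "HTTP_X_CLIENT_DN",     "HTTP_X_CLIENT_VERIFY",   NODE],
    both_renamed:            [PROXY_ENV,      "HTTP_SSL_CLIENT_S_DN", "HTTP_SSL_CLIENT_VERIFY", NODE],
    forged_header:           [FORGED_ENV,     "HTTP_X_CLIENT_DN",     "HTTP_X_CLIENT_VERIFY",   "other.swehack.localdomain"],
  }
  cases.transform_values do |c|
    env, dn_header, verify_header, requested = c
    info = extract_client_info(env, dn_header: dn_header, verify_header: verify_header, fallback_node: NODE)
    {
      node:             info[:node],
      authenticated:    info[:authenticated],
      catalog_auth_yes: catalog_rule_allows?(info, requested),
      catalog_auth_no:  catalog_rule_allows?(info, requested, auth_required: false),
    }
  end
end

if __FILE__ == $0
  walkthrough.each { |name, result| puts "#{name}: #{result}" }
end
```

The two mismatch cases reproduce the pattern in the thread: the request is treated as unauthenticated, the catalog rule with "auth yes" does not match and the closing deny in auth.conf fires (the "at line 93" in the 403 message is the line of that rule in auth.conf), while "auth no" lets the same request through to catalog compilation. The 403 log line also shows the path the rule is matched against, /catalog/node00.swehack.localdomain [find], with the environment prefix and the ?facts= query already stripped, so the trailing $ in the rule is not what is failing. The forged_header case is the caveat that goes with this design: in Rack mode the master does not look at the certificate itself, it trusts whatever value sits under the configured env key, so the front end must both verify the client certificate and be the only thing able to set that value. mod_ssl variables exported with +StdEnvVars cannot be injected by a client; a forwarded header such as X-Client-DN must be set (not merely added) by the proxy on every request that can reach the application.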
Stefan Midjich
2011-Jun-27  12:58 UTC
Re: [Puppet Users] Permission denied on new Passenger install
This was in the puppet.conf by default when installed through apt.
[user]
        # These are needed when the puppetmaster is run by passenger
        # and can safely be removed if webrick is used.
        ssl_client_header = SSL_CLIENT_S_DN
        ssl_client_verify_header = SSL_CLIENT_VERIFY
Here's my entire puppet.conf.
[master]
	confdir=/etc/puppet
	manifestdir=$confdir/manifests
	logdir=/var/log/puppet
	vardir=/var/lib/puppet
	ssldir=/var/lib/puppet/ssl
	rundir=/var/run/puppet
	autosign=$confdir/autosign.conf
	factpath=$vardir/lib/facter
	templatedir=$confdir/templates
	server = node00.swehack.localdomain
	hostcsr = $ssldir/csr_node00.swehack.localdomain.pem
	hostpubkey = $ssldir/public_keys/node00.swehack.localdomain.pem
	hostcert = $ssldir/certs/node00.swehack.localdomain.pem
	hostprivkey = $ssldir/private_keys/node00.swehack.localdomain.pem
	ca_name = node00.swehack.localdomain
	prerun_command=/etc/puppet/etckeeper-commit-pre
	postrun_command=/etc/puppet/etckeeper-commit-post
[user]
	# These are needed when the puppetmaster is run by passenger
	# and can safely be removed if webrick is used.
	ssl_client_header = SSL_CLIENT_S_DN
	ssl_client_verify_header = SSL_CLIENT_VERIFY
[agent]
	rundir=/var/run/puppet
	vardir=/var/lib/puppet
	statedir = $vardir/state
	ssldir=/var/lib/puppet/ssl
	privatekeydir = /var/lib/puppet/ssl/private_keys
	cadir=$ssldir/ca
	templatedir = /etc/puppet/templates
	ignoreschedules = true
	inventory_port = 8140
	ca_port = 8140
	statefile = /var/lib/puppet/state/state.yaml
	classfile = /var/lib/puppet/state/classes.txt
	report_port = 8140
	server = node00.swehack.localdomain
	lastrunfile = /var/lib/puppet/state/last_run_summary.yaml
	pidfile = $rundir/agent.pid
	config = /etc/puppet/puppet.conf
	puppetdlog = /var/log/puppet/puppetd.log
	daemonize = false
	hostcert = /etc/puppet/ssl/certs/node00.swehack.localdomain.pem
	hostcsr = /etc/puppet/ssl/csr_node00.swehack.localdomain.pem
	hostprivkey = /etc/puppet/ssl/private_keys/node00.swehack.localdomain.pem
	hostpubkey = /etc/puppet/ssl/public_keys/node00.swehack.localdomain.pem
I do not have those options set in the apache vhost. I have a working
configuration at work that I've taken over, hence my limited knowledge
of it, and this configuration also sets the SSL options you speak of
in puppet.conf instead of the vhost.
Here's my vhost just for good measure, this is a closed network for
testing anyways so I have nothing to hide. :)
# Based on http://projects.puppetlabs.com/projects/1/wiki/Using_Passenger
Listen 8140
<VirtualHost *:8140>
        SSLEngine on
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
	SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/node00.swehack.localdomain.pem
    	SSLCertificateFile /var/lib/puppet/ssl/certs/node00.swehack.localdomain.pem
    	SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
        SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem
        # If Apache complains about invalid signatures on the CRL, you can try disabling
        # CRL checking by commenting the next line, but this is not recommended.
        #SSLCARevocationFile     /var/lib/puppet/ssl/crl.pem
        # Set to require if this puppetmaster doesn't issue certificates
        # to puppet clients.
        # NB: this requires SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem
        #     issuing puppet client certificate.
        SSLVerifyClient optional
        SSLVerifyDepth  1
        SSLOptions +StdEnvVars
	# This is useful for Pound proxying
	#RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
	#RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
	#RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
        # Passenger options that can be set in a virtual host
        # configuration block.
	PassengerMaxPoolSize 15
	PassengerUseGlobalQueue on
	PassengerMaxRequests 10000
        PassengerHighPerformance on
        PassengerStatThrottleRate 120
        PassengerUseGlobalQueue on
        RackAutoDetect Off
        RailsAutoDetect Off
        RackBaseURI /
        DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
        <Directory /usr/share/puppet/rack/puppetmasterd/>
                Options None
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>
</VirtualHost>
And in the /usr/share/puppet/rack/puppetmasterd directory is where the
config.ru script is.
2011/6/27 Patrick <kc7zzv@gmail.com>:
> I see 2 likely options:
> 1) You don't have these lines in puppet.conf:
> #ssl_client_header = HTTP_SSL_CLIENT_S_DN
> #ssl_client_verify_header = HTTP_SSL_CLIENT_VERIFY
>
> and you didn't put the equivalent lines in the apache config files.
>
> 2) You put the correct lines in the apache files and the puppet files, which doesn't work.
>
> Summary: You must change which headers puppet is looking for or what apache names those headers, but NOT both.
>
> On Jun 27, 2011, at 12:11 AM, Stefan Midjich wrote:
>
>> I installed puppet-passenger from Debian apt and most of the
>> configuration files mentioned in my Pro Puppet book were already
>> created and the config.ru script even had the correct owner
>> permissions. I''m saying this so you''ll understand
that I have chapter
>> 4 of the famous Apress book in front of me while I''m doing
this and I
>> have no idea what I''ve missed.
>>
>> This is the output when puppet agent -oDdv is run.
>>
>>    Jun 27 08:55:28 node00 puppet-agent[9861]:
>> Puppet::Type::User::ProviderPw: file pw does not exist
>>    Jun 27 08:55:28 node00 puppet-agent[9861]:
>> Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does
>> not exist
>>    Jun 27 08:55:28 node00 puppet-agent[9861]:
>> Puppet::Type::User::ProviderUser_role_add: file rolemod does not exist
>>    Jun 27 08:55:28 node00 puppet-agent[9861]:
>> Puppet::Type::User::ProviderLdap: true value when expecting false
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: Failed to load library
>> ''selinux'' for feature ''selinux''
>>    Jun 27 08:55:28 node00 puppet-agent[9861]:
>> Puppet::Type::File::ProviderMicrosoft_windows: feature
>> microsoft_windows is missing
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> ssl/certificate_requests]) Autorequiring File[/var/lib/puppet/ssl]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> ssl/private_keys]) Autorequiring File[/var/lib/puppet/ssl]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> ssl/public_keys]) Autorequiring File[/var/lib/puppet/ssl]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> log]) Autorequiring File[/var/lib/puppet]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/run/puppet/
>> agent.pid]) Autorequiring File[/var/run/puppet]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> ssl]) Autorequiring File[/var/lib/puppet]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> ssl/certs/ca.pem]) Autorequiring File[/var/lib/puppet/ssl/certs]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> client_data]) Autorequiring File[/var/lib/puppet]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> client_yaml]) Autorequiring File[/var/lib/puppet]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> ssl/crl.pem]) Autorequiring File[/var/lib/puppet/ssl]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> state]) Autorequiring File[/var/lib/puppet]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> ssl/certs]) Autorequiring File[/var/lib/puppet/ssl]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> state/graphs]) Autorequiring File[/var/lib/puppet/state]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> clientbucket]) Autorequiring File[/var/lib/puppet]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> state/last_run_summary.yaml]) Autorequiring File[/var/lib/puppet/
>> state]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> ssl/private]) Autorequiring File[/var/lib/puppet/ssl]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> facts]) Autorequiring File[/var/lib/puppet]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> lib]) Autorequiring File[/var/lib/puppet]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/etc/puppet/
>> puppet.conf]) Autorequiring File[/etc/puppet]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: Finishing transaction
>> 69835232135480
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> ssl/certs]) Autorequiring File[/var/lib/puppet/ssl]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> ssl]) Autorequiring File[/var/lib/puppet]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> ssl/crl.pem]) Autorequiring File[/var/lib/puppet/ssl]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> ssl/certificate_requests]) Autorequiring File[/var/lib/puppet/ssl]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> log]) Autorequiring File[/var/lib/puppet]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> lib]) Autorequiring File[/var/lib/puppet]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> facts]) Autorequiring File[/var/lib/puppet]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> state]) Autorequiring File[/var/lib/puppet]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> ssl/certs/ca.pem]) Autorequiring File[/var/lib/puppet/ssl/certs]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> ssl/private]) Autorequiring File[/var/lib/puppet/ssl]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> ssl/private_keys]) Autorequiring File[/var/lib/puppet/ssl]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: (/File[/var/lib/puppet/
>> ssl/public_keys]) Autorequiring File[/var/lib/puppet/ssl]
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: Finishing transaction
>> 69835233959160
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: Using cached
>> certificate for ca
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: Using cached
>> certificate for node00.swehack.localdomain
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: Finishing transaction
>> 69835232882020
>>    Jun 27 08:55:28 node00 puppet-agent[9861]: catalog supports
>> formats: b64_zlib_yaml dot marshal pson raw yaml; using pson
>>    Jun 27 08:55:29 node00 puppet-master[9939]: Starting Puppet master
>> version 2.6.8
>>    Jun 27 08:55:29 node00 puppet-master[9939]: Could not parse for
>> environment production: Permission denied - /etc/puppet/manifests/
>> site.pp on node node00.swehack.localdomain
>>    Jun 27 08:55:29 node00 puppet-master[9939]: Could not parse for
>> environment production: Permission denied - /etc/puppet/manifests/
>> site.pp on node node00.swehack.localdomain
>>    Jun 27 08:55:29 node00 puppet-agent[9861]: Could not retrieve
>> catalog from remote server: Error 400 on SERVER: Could not parse for
>> environment production: Permission denied - /etc/puppet/manifests/
>> site.pp on node node00.swehack.localdomain
>>    Jun 27 08:55:29 node00 puppet-agent[9861]: Not using cache on
>> failed catalog
>>    Jun 27 08:55:29 node00 puppet-agent[9861]: Could not retrieve
>> catalog; skipping run
>>
>> Permissions on /etc/puppet/manifests are 0644 recursively. Just to be
>> on the safe side, even the puppet configuration in /etc/puppet is
>> readable by world.
>>
>> The above output comes after disabling auth in auth.conf by putting
>> auth no under the /catalog regex. If I re-enable auth I get this
>> output.
>>
>>    Jun 27 09:03:30 node00 puppet-agent[9968]: (/File[/var/lib/puppet/
>> state]) Autorequiring File[/var/lib/puppet]
>>    Jun 27 09:03:30 node00 puppet-agent[9968]: Finishing transaction
>> 70017548799140
>>    Jun 27 09:03:30 node00 puppet-agent[9968]: Using cached
>> certificate for ca
>>    Jun 27 09:03:30 node00 puppet-agent[9968]: Using cached
>> certificate for node00.swehack.localdomain
>>    Jun 27 09:03:30 node00 puppet-agent[9968]: Finishing transaction
>> 70017547722900
>>    Jun 27 09:03:30 node00 puppet-agent[9968]: catalog supports
>> formats: b64_zlib_yaml dot marshal pson raw yaml; using pson
>>    Jun 27 09:03:30 node00 puppet-master[9939]: Mon Jun 27 09:03:26
>> +0200 2011 vs Mon Jun 27 08:29:42 +0200 2011
>>    Jun 27 09:03:30 node00 puppet-master[9939]: Denying access:
>> Forbidden request: node00.swehack.localdomain(172.16.248.136) access
>> to /catalog/node00.swehack.localdomain [find] at line 93
>>    Jun 27 09:03:30 node00 puppet-master[9939]: Forbidden request:
>> node00.swehack.localdomain(172.16.248.136) access to /catalog/
>> node00.swehack.localdomain [find] at line 93
>>    Jun 27 09:03:30 node00 puppet-agent[9968]: Could not retrieve
>> catalog from remote server: Error 403 on SERVER: Forbidden request:
>> node00.swehack.localdomain(172.16.248.136) access to /catalog/
>> node00.swehack.localdomain [find] at line 93
>>    Jun 27 09:03:30 node00 puppet-agent[9968]: Not using cache on
>> failed catalog
>>    Jun 27 09:03:30 node00 puppet-agent[9968]: Could not retrieve
>> catalog; skipping run
>>
>> Line 93? Where?!
>>
>> My auth.conf is also pretty standard but here's the block regarding
>> /catalog.
>>
>>    # allow nodes to retrieve their own catalog (ie their
>> configuration)
>>    path ~ ^/catalog/([^/]+)$
>>    method find
>>    allow $1
>>
>> I've also tried without the $ end-of-line character because I noticed
>> in the apache access log that the GET request actually has more stuff
>> at the end of the hostname.
>>
>> "GET /production/catalog/node00.swehack.localdomain?facts=eNqFVlm..."
>>
>> I've made sure to let puppetmaster create the certificates and all; I
>> really don't get any certificate issues and I know how to re-create
>> them in the worst case.
>>
>> The only thing that would differ here from a plain old vanilla Debian
>> with passenger installed through apt would be that I changed the
>> hostname of the machine after the installation and after the first
>> certificates were created. I felt it was important to mention this
>> because that means I have in fact re-created all the certs at least
>> once.
>>
>> I've also grep'd for the old hostname to make sure it's not dormant
>> somewhere causing issues, but I can't find it, except in the
>> inventory.txt file, and I deleted those old lines just to be on the
>> safe side.
>>
>> I found a thread dealing with this and replied to it because I was
>> confused as to what the solution was. The thread in question mentioned
>> that http://groups.google.com/group/puppet-dev/msg/b15e1c93bbc70fdb
>> held the answer somehow.
>>
>> --
>> You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
>> To post to this group, send email to puppet-users@googlegroups.com.
>> To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
>> For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
>>
-- 
Med vänliga hälsningar / With kind regards
Stefan Midjich
http://swehack.se/
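The quoted post pairs a "Permission denied" on /etc/puppet/manifests/site.pp with a manifests tree set to 0644 recursively. As an added example (not code from the thread, from Puppet or from Passenger), here is a small Python model of the POSIX permission check that walks the path the way an unprivileged master process would; the puppet uid/gid values are placeholders.

```python
# Added example, not from the thread: a pure-Python model of the POSIX
# permission check, showing why "chmod -R 0644" on a manifests directory
# yields "Permission denied" on a world-readable site.pp: every directory
# on the path needs the search (x) bit, not only the read bit.
import stat
from typing import NamedTuple, Sequence

class Node(NamedTuple):
    path: str
    mode: int  # permission bits only, e.g. 0o644
    uid: int
    gid: int

def permits(node: Node, uid: int, gids: Sequence[int], want: int) -> bool:
    """True if a process (uid, gids) holds bits `want` (other-class form,
    e.g. stat.S_IROTH) on node. uid 0 bypasses DAC, as the kernel does."""
    if uid == 0:
        return True
    if uid == node.uid:
        bits = (node.mode >> 6) & 0o7
    elif node.gid in gids:
        bits = (node.mode >> 3) & 0o7
    else:
        bits = node.mode & 0o7
    return bits & want == want

def open_for_read(chain: Sequence[Node], uid: int, gids: Sequence[int]) -> str:
    """Walk every directory from the root down to the file and report the
    first component that blocks a read, or 'ok'."""
    *dirs, leaf = chain
    for d in dirs:
        if not permits(d, uid, gids, stat.S_IXOTH):
            return f"EACCES: no search (x) bit on directory {d.path}"
    if not permits(leaf, uid, gids, stat.S_IROTH):
        return f"EACCES: no read bit on file {leaf.path}"
    return "ok"

# Constructed tree matching the thread's description: manifests set to
# 0644 recursively, read by the unprivileged master (placeholder ids).
PUPPET_UID, PUPPET_GIDS = 108, [113]
BROKEN = [
    Node("/", 0o755, 0, 0),
    Node("/etc", 0o755, 0, 0),
    Node("/etc/puppet", 0o755, 0, 0),
    Node("/etc/puppet/manifests", 0o644, 0, 0),
    Node("/etc/puppet/manifests/site.pp", 0o644, 0, 0),
]
# Same tree with the directory back at 0755; the file may stay 0644.
FIXED = [n._replace(mode=0o755) if n.path.endswith("manifests") else n for n in BROKEN]
```

Running `open_for_read` over BROKEN reports the manifests directory as the blocking component, while FIXED returns "ok" with the file itself still at 0644.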