Chris Doherty
2011-Sep-02 21:05 UTC
[Puppet Users] Starting httpd with Passenger on CentOS6 throws SSLCertificateFile does not exist or is empty error
Hi, all. I'm having a problem that I'm virtually certain is a perms issue, but I can't figure out where it's going wrong.

The puppetmaster server is a CentOS6 x64 minimal install.

Puppet was installed from the epel-testing repository (2.6.6-1) and an updated SELinux policy loaded to allow it to run. Apache was installed the standard way (yum install httpd mod_ssl).

Passenger was installed from the stealthymonkeys repository (3.0.8-2).

I've been following the instructions in Chapter 5 in Pro Puppet, but when I configure /etc/httpd/conf.d/puppetmaster.conf and provide the correct paths to the certificate files, then try to start the httpd service, I get this:

    # service httpd restart
    Stopping httpd: [FAILED]
    Starting httpd: Syntax error on line 22 of /etc/httpd/conf.d/puppetmaster.conf:
    SSLCertificateFile: file '/var/lib/puppet/ssl/certs/puppet.tst.mydomain.pem' does not exist or is empty
    [FAILED]

/var/lib/puppet/ssl/certs/puppet.tst.mydomain.com.pem most certainly does exist, however:

    [root@brllx097 ~]# ls -la /var/lib/puppet/ssl/certs/puppet.tst.mydomain.com.pem
    -rw-r-----. 1 puppet root 912 Sep 2 11:40 /var/lib/puppet/ssl/certs/puppet.tst.mydomain.com.pem

So this is probably a perms issue, but I don't know why. Apache starts up as root, which has read access to the file, and the cert's owned by the puppet user. I don't have to set my other certificates as owned by the apache user for httpd to load them properly.

In this config, puppetmasterd starts up and runs fine by itself, so it's an Apache/passenger problem.

Any ideas what I'm doing wrong?

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
devzero2000
2011-Sep-04 06:49 UTC
Re: [Puppet Users] Starting httpd with Passenger on CentOS6 throws SSLCertificateFile does not exist or is empty error
Just to be sure: do you have SELinux in enforcing mode? What does the sestatus command tell you? And ausearch -m avc?

Regards

--
Sent from my mobile device
Iain Sutton
2011-Sep-05 06:23 UTC
Re: [Puppet Users] Starting httpd with Passenger on CentOS6 throws SSLCertificateFile does not exist or is empty error
    SSLCertificateFile: file '/var/lib/puppet/ssl/certs/puppet.tst.mydomain.pem'

    [root@brllx097 ~]# ls -la /var/lib/puppet/ssl/certs/puppet.tst.mydomain.com.pem
    -rw-r-----. 1 puppet root 912 Sep 2 11:40 /var/lib/puppet/ssl/certs/puppet.tst.mydomain.com.pem

Possibly a copy/paste/redact error (or I misread your post), but one file seems to be puppet.tst.mydomain.pem and the other one seems to be puppet.tst.mydomain.com.pem.
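
Added example, not part of the thread or any poster's code: a shell check for the kind of mismatch pointed out in the last reply, where the path in an SSL directive differs from the file on disk. The function name check_ssl_paths, the demo tree, and the config contents are constructed for illustration; directive names are matched in their usual capitalisation only.

```shell
# Verify that every certificate/key path named by a mod_ssl *File directive
# in an Apache config exists and is non-empty.
# Prints "OK|MISSING|EMPTY <directive> <path>"; returns 1 on any failure.
check_ssl_paths() {
    conf=$1; rc=0
    while read -r directive path _rest; do
        # read strips leading whitespace; commented-out lines start with "#"
        # and therefore never match a directive name below.
        case $directive in
            SSLCertificateFile|SSLCertificateKeyFile|SSLCertificateChainFile|SSLCACertificateFile|SSLCARevocationFile) ;;
            *) continue ;;
        esac
        path=${path#\"}; path=${path%\"}   # drop optional surrounding quotes
        if [ ! -e "$path" ]; then
            echo "MISSING $directive $path"; rc=1
        elif [ ! -s "$path" ]; then
            echo "EMPTY $directive $path"; rc=1
        else
            echo "OK $directive $path"
        fi
    done < "$conf"
    return $rc
}

# Constructed sample reproducing the thread: the config names
# puppet.tst.mydomain.pem, the file on disk is puppet.tst.mydomain.com.pem.
demo() {
    d=$(mktemp -d)
    echo "constructed placeholder, not a real certificate" > "$d/puppet.tst.mydomain.com.pem"
    : > "$d/empty.pem"
    cat > "$d/puppetmaster.conf" <<EOF
<VirtualHost *:8140>
    SSLEngine on
    # SSLCertificateFile /old/path.pem
    SSLCertificateFile $d/puppet.tst.mydomain.pem
    SSLCertificateKeyFile "$d/empty.pem"
    SSLCACertificateFile $d/puppet.tst.mydomain.com.pem
</VirtualHost>
EOF
    status=0; check_ssl_paths "$d/puppetmaster.conf" || status=$?
    rm -rf "$d"
    return $status
}

demo || true
```

If a path reports OK when checked as root but httpd still refuses it, the SELinux questions from the second reply (sestatus, ausearch -m avc) are the next thing to look at.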