Hello!

Are there any success stories with nginx, passenger and puppetmaster?

I'm trying to setup mentioned scheme and have problems - client cannot get its own catalog (removed only hostnames and domain names)

err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: puppethost (10.88.5.254) access to /catalog/puppethost [find] at line 93
info: Not using expired catalog for puppethost from cache; expired at Fri Jun 01 17:33:24 +0000 2012
notice: Using cached catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: Error 403 on SERVER: Forbidden request: puppethost(10.88.5.254) access to /report/puppethost [save] at line 93

on nginx side it looks this way
10.88.5.254 - - [04/Jun/2012:08:44:58 +0000] "GET /production/catalog/puppethost?facts=...&facts_format=b64_zlib_yaml HTTP/1.1" 403 108 "-" "-"
10.88.5.254 - - [04/Jun/2012:08:44:58 +0000] "PUT /production/report/puppethost HTTP/1.1" 403 107 "-" "-"

my nginx configs
# cat /etc/nginx/conf.d/passenger.conf
passenger_root /usr/lib/ruby/1.8/phusion_passenger;

# cat /etc/nginx/conf.d/puppet.conf
server {
    listen 8140 ssl;
    server_name puppetmaster.domain;
    default_type application/x-raw;
    ssl on;

    root /etc/puppet/rack/public;
    passenger_enabled on;
    passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
    passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;

    access_log /var/log/nginx/puppet_access.log;
    error_log /var/log/nginx/puppet_error.log;

    ssl_certificate /var/lib/puppet/ssl/certs/puppetmaster.domain.pem;
    ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppetmaster.domain.pem;
    #ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
    ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers HIGH:+MEDIUM;
    ssl_prefer_server_ciphers on;
    ssl_verify_client optional;
    ssl_verify_depth 1;
    ssl_session_cache shared:SSL:128m;
    ssl_session_timeout 5m;

    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Client-Verify $ssl_client_verify;
    proxy_set_header X-Client-DN $ssl_client_s_dn;
    proxy_set_header X-SSL-Subject $ssl_client_s_dn;
    proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
}

but it works fine with default puppetmaster startup script, i.e. on webrick
also I have successfully configured standalone puppetmaster and apache + passenger, but in this case I'm at a loss.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Hi,

Check file permission of /etc/puppet/rack/public/config.ru and restart Nginx. The user/group must be "puppet".
Take a look at http://binbash.fr/2012/01/16/installer-un-serveur-puppet-scalable-partie-2/ (in French).

Regards

On Monday, June 4, 2012 11:00:34 AM UTC+2, vulzscht wrote:
> Hello!
>
> Are there any success stories with nginx, passenger and puppetmaster?

Thanks, Rémi

But this is already this way
# ls -l /etc/puppet/rack/config.ru
-rw-r--r-- 1 puppet puppet 432 2012-06-01 13:25 /etc/puppet/rack/config.ru

for me it solved with adding
auth no
allow *
to every record in /etc/puppet/auth.conf

but I'm sure this is not good idea. I still can't understand why it (permissions from auth.conf) works with apache, but not nginx.
I would rather suppose that real ip address not available in ruby application (it sees it as ip of puppetmaster), but have no idea how to check it...
any suggestion will be appreciated

On Jun 4, 6:05 pm, Rémi <ere...@gmail.com> wrote:
> Hi,
>
> Check file permission of /etc/puppet/rack/public/config.ru and restart
> Nginx. The user/group must be "puppet".
> Take a look at http://binbash.fr/2012/01/16/installer-un-serveur-puppet-scalable-par...
> (in French).
>
> Regards

Ok. No problem for me with Nginx.
So this is configuration, if you want to compare with yours :

*nginx.conf :*
worker_processes 4;

events {
    worker_connections 1024;
}

http {
    passenger_root /usr/lib/ruby/gems/1.8/gems/passenger-3.0.11;
    passenger_ruby /usr/bin/ruby;
    passenger_use_global_queue on;
    passenger_max_pool_size 15;
    passenger_pool_idle_time 300;

    include mime.types;
    default_type application/octet-stream;

    sendfile on;
    tcp_nopush on;

    # KeepAlive
    keepalive_timeout 65;
    tcp_nodelay on;

    server {
        listen 8140 ssl;
        server_name puppetmaster.x.x;

        passenger_enabled on;
        passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
        passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;

        access_log /var/log/nginx/puppetmaster.access.log;
        error_log /var/log/nginx/puppetmaster.error.log;

        root /var/www/puppetmaster/public;
        ssl_certificate /var/lib/puppet/ssl/certs/puppet.x.x.pem;
        ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppet.x.x.pem;
        ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
        ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
        ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
        ssl_prefer_server_ciphers on;
        ssl_verify_client optional;
        ssl_verify_depth 1;
        ssl_session_cache shared:SSL:128m;
        ssl_session_timeout 5m;
    }
}

*/etc/puppet/auth.conf :*
# Allow authenticated nodes to retrieve their own catalogs:
path ~ ^/catalog/([^/]+)$
method find
allow $1

# Allow authenticated nodes to access any file services --- in practice, this results in fileserver.conf being consulted:
path /file
allow *

# Allow authenticated nodes to access the certificate revocation list:
path /certificate_revocation_list/ca
method find
allow *

# Allow authenticated nodes to send reports:
path /report
method save
allow *

# Allow unauthenticated access to certificates:
path /certificate/ca
auth no
method find
allow *

path /certificate/
auth no
method find
allow *

# Allow unauthenticated nodes to submit certificate signing requests:
path /certificate_request
auth no
method find, save
allow *

# Exec Puppet
path /run
method save
allow puppet.x.x

# Facts
path /facts
auth any
method find, search, save
allow dashboard.x.x

path /facts_search
auth any
method find, search, save
allow dashbord.x.x

# Deny all other requests:
path /
auth any

I hope this helps.

On Tuesday, June 5, 2012 1:47:14 PM UTC+2, vulzscht wrote:
> Thanks, Rémi
>
> But this is already this way
> # ls -l /etc/puppet/rack/config.ru
> -rw-r--r-- 1 puppet puppet 432 2012-06-01 13:25 /etc/puppet/rack/config.ru
>
> for me it solved with adding
> auth no
> allow *
> to every record in /etc/puppet/auth.conf
>
> but I'm sure this is not good idea. I still can't understand why it
> (permissions from auth.conf) works with apache, but not nginx.
> I would rather suppose that real ip address not available in ruby
> application (it sees it as ip of puppetmaster), but have no idea how
> to check it...
> any suggestion will be appreciated

Unfortunately, this hasn't helped me with auth.conf; even with your config it returns a 403 error.
I will dig into it a bit more and provide my results here in case of success.

On Jun 5, 4:35 pm, Rémi <ere...@gmail.com> wrote:
> Ok. No problem for me with Nginx.
> So this is the configuration, if you want to compare with yours:
>
> *nginx.conf :*
> worker_processes 4;
>
> events {
>     worker_connections 1024;
> }
>
> http {
>     passenger_root /usr/lib/ruby/gems/1.8/gems/passenger-3.0.11;
>     passenger_ruby /usr/bin/ruby;
>     passenger_use_global_queue on;
>     passenger_max_pool_size 15;
>     passenger_pool_idle_time 300;
>
>     include mime.types;
>     default_type application/octet-stream;
>
>     sendfile on;
>     tcp_nopush on;
>
>     # KeepAlive
>     keepalive_timeout 65;
>     tcp_nodelay on;
>
>     server {
>         listen 8140 ssl;
>         server_name puppetmaster.x.x;
>
>         passenger_enabled on;
>         passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
>         passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
>
>         access_log /var/log/nginx/puppetmaster.access.log;
>         error_log /var/log/nginx/puppetmaster.error.log;
>
>         root /var/www/puppetmaster/public;
>         ssl_certificate /var/lib/puppet/ssl/certs/puppet.x.x.pem;
>         ssl_certificate_key /var/lib/puppet/ssl/private_keys/puppet.x.x.pem;
>         ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
>         ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
>         ssl_ciphers SSLv2:-LOW:-EXPORT:RC4+RSA;
>         ssl_prefer_server_ciphers on;
>         ssl_verify_client optional;
>         ssl_verify_depth 1;
>         ssl_session_cache shared:SSL:128m;
>         ssl_session_timeout 5m;
>     }
> }
>
> */etc/puppet/auth.conf :*
> # Allow authenticated nodes to retrieve their own catalogs:
>
> path ~ ^/catalog/([^/]+)$
> method find
> allow $1
>
> # Allow authenticated nodes to access any file services --- in practice, this results in fileserver.conf being consulted:
>
> path /file
> allow *
>
> # Allow authenticated nodes to access the certificate revocation list:
>
> path /certificate_revocation_list/ca
> method find
> allow *
>
> # Allow authenticated nodes to send reports:
>
> path /report
> method save
> allow *
>
> # Allow unauthenticated access to certificates:
>
> path /certificate/ca
> auth no
> method find
> allow *
>
> path /certificate/
> auth no
> method find
> allow *
>
> # Allow unauthenticated nodes to submit certificate signing requests:
>
> path /certificate_request
> auth no
> method find, save
> allow *
>
> # Exec Puppet
>
> path /run
> method save
> allow puppet.x.x
>
> # Facts
>
> path /facts
> auth any
> method find, search, save
> allow dashboard.x.x
>
> path /facts_search
> auth any
> method find, search, save
> allow dashbord.x.x
>
> # Deny all other requests:
>
> path /
> auth any
>
> I hope this helps.
>
> On Tuesday, June 5, 2012 1:47:14 PM UTC+2, vulzscht wrote:
> > Thanks, Rémi
> >
> > But this is already this way
> > # ls -l /etc/puppet/rack/config.ru
> > -rw-r--r-- 1 puppet puppet 432 2012-06-01 13:25 /etc/puppet/rack/config.ru
> >
> > for me it was solved by adding
> > auth no
> > allow *
> > to every record in /etc/puppet/auth.conf
> >
> > but I'm sure this is not a good idea. I still can't understand why it
> > (permissions from auth.conf) works with apache, but not nginx.
> > I would rather suppose that the real IP address is not available in the ruby
> > application (it sees it as the IP of the puppetmaster), but I have no idea how
> > to check it...
> > Any suggestion will be appreciated.
> >
> > On Jun 4, 6:05 pm, Rémi <ere...@gmail.com> wrote:
> > > Hi,
> > >
> > > Check file permission of /etc/puppet/rack/public/config.ru and restart
> > > Nginx. The user/group must be "puppet".
> > > Take a look at http://binbash.fr/2012/01/16/installer-un-serveur-puppet-scalable-par...
> > > (in French).
> > >
> > > Regards
> > >
> > > On Monday, June 4, 2012 11:00:34 AM UTC+2, vulzscht wrote:
> > > > Hello!
> > > > Are there any success stories with nginx, passenger and puppetmaster?
Hello,

On Thursday, 7 June 2012 08:44:54 UTC+2, vulzscht wrote the following:
> i will dig into it a bit more and provide my results here in case of
> success

Did you find any solution? I am looking at the same problems, after a fresh puppetmaster install with passenger, getting:

err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: FQDN(IP.Addr) access to /catalog/fqdn [find] at line 93

./ssl/certs/ca.pem is available...

Regards,

Geert
On Monday, 22 October 2012 11:03:06 UTC+1, Geert Booster wrote:
> Hello,
>
> On Thursday, 7 June 2012 08:44:54 UTC+2, vulzscht wrote the following:
>> i will dig into it a bit more and provide my results here in case of
>> success
>
> Did you find any solution? I am looking at the same problems, after a
> fresh puppetmaster install with passenger, getting:
>
> err: Could not retrieve catalog from remote server: Error 403 on SERVER:
> Forbidden request: FQDN(IP.Addr) access to /catalog/fqdn [find] at line 93
>
> ./ssl/certs/ca.pem is available...
>
> Regards,
>
> Geert

Hi Geert,

I'm not sure if you are still having this problem, but I was suffering from it myself. I finally found that the problem was due to the following two lines in my puppet.conf:

ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

Once removed, puppet works fine under nginx. I had noticed that they were absent in this set of instructions that I was following, http://z0mbix.github.com/blog/2012/03/01/use-nginx-and-passenger-to-power-your-puppet-master/, but assumed that they needed to be there as the comment says to uncomment when using passenger.

Hope this helps.

Regards,

Greg
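Why the two puppet.conf lines Greg removed produce the 403 under nginx, as a simplified Ruby model added here (not Puppet's own code): the nginx configs in this thread hand the certificate data to Passenger as HTTP_X_CLIENT_DN and HTTP_X_CLIENT_VERIFY, which are also Puppet's default values for ssl_client_header and ssl_client_verify_header, so overriding them with the SSL_CLIENT_* names makes every request look unauthenticated. The function names, constants and sample environment are constructed for illustration.

```ruby
# Simplified model (added example, not Puppet's source) of how a Rack-hosted
# master derives the client identity from variables set by the front end.

# Constructed sample: what the nginx configs in this thread pass to Passenger
# for a client whose certificate verified against ca.pem.
NGINX_ENV = {
  'HTTP_X_CLIENT_DN'     => '/CN=puppethost',
  'HTTP_X_CLIENT_VERIFY' => 'SUCCESS',
  'REMOTE_ADDR'          => '10.88.5.254'
}.freeze

# Setting names mirror puppet.conf; values are Puppet's defaults.
DEFAULTS = {
  'ssl_client_header'        => 'HTTP_X_CLIENT_DN',
  'ssl_client_verify_header' => 'HTTP_X_CLIENT_VERIFY'
}.freeze

# The two puppet.conf lines Greg removed (variable names as exported by
# Apache mod_ssl, which nginx in this setup never sets).
APACHE_STYLE = {
  'ssl_client_header'        => 'SSL_CLIENT_S_DN',
  'ssl_client_verify_header' => 'SSL_CLIENT_VERIFY'
}.freeze

# Returns [node_name_or_nil, authenticated?].
def client_identity(env, settings)
  dn     = env[settings['ssl_client_header']]
  verify = env[settings['ssl_client_verify_header']]
  cn     = dn && dn[/CN\s*=\s*([^\/,]+)/, 1]
  # Trust the CN only when the front end reports a verified certificate:
  # with "ssl_verify_client optional", unverified requests still arrive.
  authenticated = !cn.nil? && verify == 'SUCCESS'
  [authenticated ? cn : nil, authenticated]
end

# Models the auth.conf rule: path ~ ^/catalog/([^/]+)$ / method find / allow $1
def catalog_status(env, settings, path)
  node, authenticated = client_identity(env, settings)
  requested = path[%r{\A/catalog/([^/]+)\z}, 1]
  return 403 unless authenticated && requested
  node == requested ? 200 : 403
end
```

The model also shows why putting `auth no` and `allow *` on every auth.conf record made the errors go away: that removes the authentication requirement instead of repairing the header lookup, so any client reaching port 8140 would be served.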