Puppet users - Jun 2012 - Forbidden request: puppetagent1.example.com(192.168.1.101) access to /certificate_revocation_list/ca [find] at line 99

Puppet version: 2.7.14

Puppet master behind apache with mod_proxy load balancer. 
I am able to authenticate with the cert as per these headers:

Accept: s
X-SSL-Subject: /CN=puppetagent1.example.com
X-Client-DN: /CN=puppetagent1.example.com
X-Client-Verify: SUCCESS

Any idea what this error means ?
I share my ssl dir on the load balancer and the puppet master.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/u_6qf0Q0LCkJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Thu, Jun 14, 2012 at 10:19 AM, kai <kaivanov@gmail.com>
wrote:
> Puppet version: 2.7.14
>
> Puppet master behind apache with mod_proxy load balancer.
> I am able to authenticate with the cert as per these headers:
>
> Accept: s
> X-SSL-Subject: /CN=puppetagent1.example.com
> X-Client-DN: /CN=puppetagent1.example.com
> X-Client-Verify: SUCCESS
>
> Any idea what this error means ?
It means the request isn''t authorized.

I think your problem is that the headers aren''t matched up with the
environment variables you''re setting.

In http://goo.gl/R4IoB you have this on the back end:

SetEnvIf X-SSL-Client-DN "(.*)" SSL_CLIENT_S_DN=$1

But this doesn''t match the header you''re setting on the front
end:

RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e

Making this match up should get you closer to your goal.

-Jeff

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Thank you Jeff, this is exactly what the problem was. I replaced

ssl_client_header = SSL_CLIENT_S_DN 
ssl_client_verify_header = SSL_CLIENT_VERIFY

with

ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
ssl_client_header = HTTP_X_CLIENT_DN

and it worked. I was following the examples from the Pro Puppet book, but 
on different servers. Now it all works!

On Thursday, June 14, 2012 12:19:20 PM UTC-5, kai wrote:
>
> Puppet version: 2.7.14
>
> Puppet master behind apache with mod_proxy load balancer. 
> I am able to authenticate with the cert as per these headers:
>
> Accept: s
> X-SSL-Subject: /CN=puppetagent1.example.com
> X-Client-DN: /CN=puppetagent1.example.com
> X-Client-Verify: SUCCESS
>
> Any idea what this error means ?
> I share my ssl dir on the load balancer and the puppet master.
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/FdAQcUzC6KQJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.