kai
2012-Jun-14 17:19 UTC
[Puppet Users] Forbidden request: puppetagent1.example.com(192.168.1.101) access to /certificate_revocation_list/ca [find] at line 99
Puppet version: 2.7.14

Puppet master behind apache with mod_proxy load balancer.
I am able to authenticate with the cert as per these headers:

Accept: s
X-SSL-Subject: /CN=puppetagent1.example.com
X-Client-DN: /CN=puppetagent1.example.com
X-Client-Verify: SUCCESS

Any idea what this error means?
I share my ssl dir on the load balancer and the puppet master.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/u_6qf0Q0LCkJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Jeff McCune
2012-Jun-14 18:44 UTC
Re: [Puppet Users] Forbidden request: puppetagent1.example.com(192.168.1.101) access to /certificate_revocation_list/ca [find] at line 99
On Thu, Jun 14, 2012 at 10:19 AM, kai <kaivanov@gmail.com> wrote:
> Puppet version: 2.7.14
>
> Puppet master behind apache with mod_proxy load balancer.
> I am able to authenticate with the cert as per these headers:
>
> Accept: s
> X-SSL-Subject: /CN=puppetagent1.example.com
> X-Client-DN: /CN=puppetagent1.example.com
> X-Client-Verify: SUCCESS
>
> Any idea what this error means ?

It means the request isn't authorized.

I think your problem is that the headers aren't matched up with the environment variables you're setting.

In http://goo.gl/R4IoB you have this on the back end:

    SetEnvIf X-SSL-Client-DN "(.*)" SSL_CLIENT_S_DN=$1

But this doesn't match the header you're setting on the front end:

    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e

Making this match up should get you closer to your goal.

-Jeff
kai
2012-Jun-15 13:29 UTC
[Puppet Users] Re: Forbidden request: puppetagent1.example.com(192.168.1.101) access to /certificate_revocation_list/ca [find] at line 99
Thank you Jeff, this is exactly what the problem was.

I replaced

    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY

with

    ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
    ssl_client_header = HTTP_X_CLIENT_DN

and it worked.

I was following the examples from the Pro Puppet book, but on different servers. Now it all works!

On Thursday, June 14, 2012 12:19:20 PM UTC-5, kai wrote:
> Puppet version: 2.7.14
>
> Puppet master behind apache with mod_proxy load balancer.
> I am able to authenticate with the cert as per these headers:
>
> Accept: s
> X-SSL-Subject: /CN=puppetagent1.example.com
> X-Client-DN: /CN=puppetagent1.example.com
> X-Client-Verify: SUCCESS
>
> Any idea what this error means ?
> I share my ssl dir on the load balancer and the puppet master.
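The mismatch diagnosed in this thread can be checked mechanically: every name in puppet.conf's ssl_client_header and ssl_client_verify_header has to be a variable the back end really receives, either a forwarded header under its HTTP_* name or a variable filled by a SetEnvIf whose header name matches one the front end sends. The script below is an added example, not code from the thread or from Puppet; the function names are hypothetical, and the X-Client-Verify RequestHeader line and the BACKEND_MATCHED variant are constructed for illustration.

```python
import re

def cgi_name(header):
    # CGI/Rack convention: request header X-Client-DN is seen as HTTP_X_CLIENT_DN.
    return "HTTP_" + header.upper().replace("-", "_")

def backend_env(frontend_conf, backend_conf):
    """Variable names the back end can see for a request proxied by the front end."""
    sent = {h.lower() for h in re.findall(
        r"^\s*RequestHeader\s+set\s+(\S+)", frontend_conf, re.M | re.I)}
    env = {cgi_name(h) for h in sent}
    # SetEnvIf sets its variable only when the header it names actually arrives.
    for header, var in re.findall(
            r'^\s*SetEnvIf\s+(\S+)\s+(?:"[^"]*"|\S+)\s+(\w+)=', backend_conf, re.M | re.I):
        if header.lower() in sent:
            env.add(var)
    return env

def unresolved(puppet_conf, env):
    """ssl_client*_header settings in puppet.conf that name a variable nothing sets."""
    settings = dict(re.findall(
        r"^\s*(ssl_client_header|ssl_client_verify_header)\s*=\s*(\S+)",
        puppet_conf, re.M))
    return {k: v for k, v in settings.items() if v not in env}

# Directives quoted in the thread; the X-Client-Verify line is constructed.
FRONTEND = """
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
"""
BACKEND = 'SetEnvIf X-SSL-Client-DN "(.*)" SSL_CLIENT_S_DN=$1\n'
BACKEND_MATCHED = 'SetEnvIf X-Client-DN "(.*)" SSL_CLIENT_S_DN=$1\n'  # constructed
PUPPET_BEFORE = """
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
"""
PUPPET_AFTER = """
ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
ssl_client_header = HTTP_X_CLIENT_DN
"""

if __name__ == "__main__":
    env = backend_env(FRONTEND, BACKEND)
    print("visible to the master:", sorted(env))
    print("before:", unresolved(PUPPET_BEFORE, env))
    print("after: ", unresolved(PUPPET_AFTER, env))
```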