Jon Jaroker
2012-Jul-12 14:34 UTC
[Puppet Users] nginx-passenger authentication / certificate issue
Hello,

I have been stumped by an authentication / certificate problem and would like to know if anyone has resolved a similar issue.

My fresh install of Puppet Master 2.7.18 on Debian 6 works normally when run standalone, using 'puppet master --verbose --no-daemonize'.

When using nginx-passenger in front of the same puppet master, puppet fails with the authentication error: '… Forbidden request … access to /file_metadata/plugins [find] at line 57'

This failure occurs on the same node that had successfully connected to Puppet Master when it was run standalone.

The full log errors are here: http://pastebin.com/KH8Pyyw3

I can work-around this authentication error by appending 'allow *' for 'path /' in the puppet master's auth.conf file.

Here is the Puppet Master auth.conf file I am using: http://pastebin.com/Ju0ke3rP

I don't think this workaround is correct: the default authentication policy should not allow access to un-authenticated nodes.

Here is my nginx.conf file: http://pastebin.com/q7HMuAZ0

Here is the config.ru configuration file: http://pastebin.com/1aCdsTJE

Does anyone see what I am doing wrong? I have already tried deleting and recreating certificates for the agent and master.

Thank you,
Jon

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Jeff McCune
2012-Jul-12 14:44 UTC
Re: [Puppet Users] nginx-passenger authentication / certificate issue
Are you sure you want to be using the passenger_set_cgi_param nginx directive and not proxy_set_header?

The problem definitely seems to be Puppet not picking up the values that should be set in the HTTP_X_CLIENT_VERIFY and HTTP_X_CLIENT_DN request headers.

-Jeff
David Wooldridge
2012-Jul-12 14:57 UTC
[Puppet Users] Re: nginx-passenger authentication / certificate issue
I know when I was setting this up (http://z0mbix.github.com/blog/2012/03/01/use-nginx-and-passenger-to-power-your-puppet-master/), the main gotcha I came up against was the permissions of the config.ru file have to be the same as your puppet user. I can't remember what error this caused though.

Cheers
David
Jon Jaroker
2012-Jul-12 15:47 UTC
[Puppet Users] Re: nginx-passenger authentication / certificate issue
Hello Jeff,

Thank you for your reply. It pointed me in the right direction.

Regarding 'proxy_set_header', I don't believe this directive has an effect on passenger. For passenger, I believe the 'passenger_set_cgi_param' directive must be used instead.

My mistake was using the wrong parameter. While HTTP_X_CLIENT_* will work for 'proxy_set_header', I think you need to use SSL_CLIENT_* parameters for 'passenger_set_cgi_param'.

Here is the change in nginx.conf that solved the problem for me.

    # passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
    # passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
    passenger_set_cgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;
    passenger_set_cgi_param SSL_CLIENT_VERIFY $ssl_client_verify;

The puppet client is now able to connect normally.

Regards,
Jon
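The parameter-name mismatch resolved in the last message, as an added example that is not part of the original thread and is not Puppet's or Passenger's own code: it models a Rack application that takes the client identity from two CGI parameters and shows how the two nginx.conf variants from the thread look to it. It assumes the application reads SSL_CLIENT_S_DN and SSL_CLIENT_VERIFY; the helper names and the agent name agent01.example.com are constructed for illustration.

```ruby
# Added example, not code from the thread. Helper names are illustrative.
# Constructed nginx.conf fragments mirroring the two variants quoted above.
BEFORE = <<~'CONF'
  passenger_set_cgi_param HTTP_X_CLIENT_DN     $ssl_client_s_dn;
  passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
CONF
AFTER = <<~'CONF'
  # passenger_set_cgi_param HTTP_X_CLIENT_DN     $ssl_client_s_dn;
  # passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
  passenger_set_cgi_param SSL_CLIENT_S_DN   $ssl_client_s_dn;
  passenger_set_cgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
CONF

# Assumption: the application reads the identity from these two keys.
EXPECTED = { dn: 'SSL_CLIENT_S_DN', verify: 'SSL_CLIENT_VERIFY' }.freeze

# Map each active (uncommented) passenger_set_cgi_param name to its nginx variable.
def cgi_params(conf)
  conf.each_line.each_with_object({}) do |line, out|
    m = line.match(/^\s*passenger_set_cgi_param\s+(\S+)\s+(\$\w+)\s*;/)
    out[m[1]] = m[2] if m
  end
end

# Environment the Rack app would receive once nginx has filled in its variables.
def rack_env(conf, subject_dn, verify_result)
  values = { '$ssl_client_s_dn' => subject_dn, '$ssl_client_verify' => verify_result }
  cgi_params(conf).transform_values { |var| values[var] }
end

# Authenticated only if the verify key says SUCCESS and the DN carries a CN.
def client_identity(env, keys = EXPECTED)
  cn = env[keys[:dn]].to_s[/CN\s*=\s*([^\/,]+)/, 1]
  ok = env[keys[:verify]] == 'SUCCESS' && !cn.nil?
  { authenticated: ok, node: ok ? cn : nil }
end

# Parameters the app expects but the active config never sets.
def missing_params(conf, keys = EXPECTED)
  keys.values - cgi_params(conf).keys
end

if __FILE__ == $PROGRAM_NAME
  dn = '/CN=agent01.example.com' # constructed subject DN
  { 'before' => BEFORE, 'after' => AFTER }.each do |label, conf|
    puts "#{label}: #{client_identity(rack_env(conf, dn, 'SUCCESS'))} missing=#{missing_params(conf)}"
  end
end
```

With the "before" fragment the certificate is verified by nginx but the application sees no identity at all, so a restrictive auth.conf refuses the request; running missing_params over a deployed nginx.conf catches that mismatch without loosening auth.conf.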