I'm having trouble getting puppetmaster to use passenger; it appears to be related to SSL self-signed certificates, but I could be barking up the wrong tree...
Puppet Master is hosted on a CentOS 6.0 32-bit machine
# yum list installed | grep puppet
facter.i386                 1:1.6.11-1.el6   @puppetlabs-products
mcollective.noarch          2.0.0-1.el6      @puppetlabs-products
mcollective-common.noarch   2.0.0-1.el6      @puppetlabs-products
puppet.noarch               2.7.19-1.el6     @puppetlabs-products
puppet-server.noarch        2.7.19-1.el6     @puppetlabs-products
puppetlabs-release.noarch   6-5              @/puppetlabs-release-6-5.noarch
# gem query --local
*** LOCAL GEMS ***
abstract (1.0.0)
actionmailer (3.0.15)
actionpack (3.0.15)
activemodel (3.0.15, 3.0.10)
activerecord (3.0.15, 3.0.10)
activeresource (3.0.15)
activesupport (3.0.15, 3.0.10)
acts_as_audited (2.0.0)
ancestry (1.2.5)
arel (2.0.10)
audited (3.0.0.rc1)
audited-activerecord (3.0.0.rc1)
builder (2.1.2)
bundler (1.0.15)
daemon_controller (1.0.0)
erubis (2.6.6)
fastthread (1.0.7)
has_many_polymorphs (3.0.0.beta1)
i18n (0.5.0)
jquery-rails (1.0.19)
json (1.6.6)
mail (2.3.3)
mime-types (1.18)
mysql (2.8.1)
net-ldap (0.3.1)
passenger (3.0.17)
polyglot (0.3.3)
rack (1.2.5)
rack-mount (0.6.14)
rack-test (0.5.7)
rails (3.0.15)
railties (3.0.15)
rake (0.9.2.2)
rdoc (3.12)
rest-client (1.6.7)
ruby2ruby (1.3.1)
ruby_parser (2.3.1)
safemode (1.0.1)
scoped_search (2.3.7)
sexp_processor (3.1.0)
stomp (1.1.8)
thor (0.14.6)
treetop (1.4.10)
tzinfo (0.3.33, 0.3.32)
uuidtools (2.1.1)
will_paginate (3.0.3)
/etc/httpd/conf.d/puppetmaster.conf
# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off
Listen 8140
<VirtualHost *:8140>
SSLEngine on
# SSLProtocol -ALL +SSLv3 +TLSv1
# SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCertificateFile /var/lib/puppet/ssl/certs/puppet.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/puppet.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
# If Apache complains about invalid signatures on the CRL, you can try disabling
# CRL checking by commenting the next line, but this is not recommended.
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars
# This header needs to be set if using a loadbalancer or proxy
# RequestHeader unset X-Forwarded-For
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
DocumentRoot /etc/puppet/rack/public/
RackBaseURI /
<Directory /etc/puppet/rack/>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>
/var/log/http/error_log:
[Fri Aug 31 08:54:40 2012] [notice] caught SIGTERM, shutting down
[Fri Aug 31 08:54:40 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Aug 31 08:54:40 2012] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri Aug 31 08:54:40 2012] [notice] Digest: generating secret for digest authentication ...
[Fri Aug 31 08:54:40 2012] [notice] Digest: done
[Fri Aug 31 08:54:40 2012] [notice] Apache/2.2.15 (Unix) DAV/2 mod_ssl/2.2.15 OpenSSL/1.0.0-fips Phusion_Passenger/3.0.17 configured -- resuming normal operations
/var/log/messages:
Aug 31 03:59:36 ip-10-226-242-145 puppet-agent[894]: (/File[/var/lib/puppet/lib]) Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet]
Aug 31 03:59:36 ip-10-226-242-145 puppet-agent[894]: (/File[/var/lib/puppet/lib]) Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet] Could not retrieve file metadata for puppet://puppet/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet]
Aug 31 03:59:38 ip-10-226-242-145 puppet-agent[894]: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet]
Aug 31 03:59:38 ip-10-226-242-145 puppet-agent[894]: Using cached catalog
Aug 31 03:59:38 ip-10-226-242-145 puppet-agent[894]: Could not retrieve catalog; skipping run
Aug 31 03:59:38 ip-10-226-242-145 puppet-agent[894]: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet]
On a client node:
# puppet agent --test --verbose
warning: peer certificate won't be verified in this SSL session
err: Could not request certificate: Error 406 on SERVER:
Exiting; failed to retrieve certificate and waitforcert is disabled
Nothing in the Apache ssl_error log files.
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/48jy5V3HZyMJ.
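Added example, not part of the original post: a stdlib-only Python triage script that parses the agent's syslog lines quoted above and maps OpenSSL's verify-failure text to its meaning, so that repeated failures across a fleet can be grouped by reason and by the certificate subject that failed. The sample lines are copied from the post and re-joined; the DIAGNOSIS mapping is my reading of the OpenSSL error X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, which says the agent built a chain to a self-signed CA it does not trust, so the agent's trusted CA and the CA that issued the master's certificate differ and the fix is to align that trust anchor rather than relax verification.

```python
import re
from collections import Counter

# Agent syslog lines as quoted in the post, re-joined onto single lines.
SAMPLE_LOG = """\
Aug 31 03:59:36 ip-10-226-242-145 puppet-agent[894]: (/File[/var/lib/puppet/lib]) Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet]
Aug 31 03:59:38 ip-10-226-242-145 puppet-agent[894]: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet]
Aug 31 03:59:38 ip-10-226-242-145 puppet-agent[894]: Could not retrieve catalog; skipping run
Aug 31 03:59:38 ip-10-226-242-145 puppet-agent[894]: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet]
"""

# Classic syslog prefix: timestamp host program[pid]: message
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# OpenSSL verify failure as Ruby reports it; "for <subject>" names the failing cert.
VERIFY_RE = re.compile(r"state=(?P<state>[^:]+): certificate verify failed: "
                       r"\[(?P<reason>.+?)(?: for (?P<subject>/[^\]]+))?\]")

# OpenSSL verify-error text -> meaning for a Puppet agent. This entry is
# X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: chain root is not in the agent's trust store.
DIAGNOSIS = {
    "self signed certificate in certificate chain":
        "agent's local CA certificate does not trust the CA in the master's chain",
}

def parse_events(log_text):
    """One dict per syslog line; 'verify' holds the SSL failure fields or None."""
    events = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            ev = m.groupdict()
            v = VERIFY_RE.search(ev["msg"])
            ev["verify"] = v.groupdict() if v else None
            events.append(ev)
    return events

def triage(log_text):
    """Count SSL verify failures by reason and by the subject that failed."""
    reasons, subjects = Counter(), Counter()
    for ev in parse_events(log_text):
        if ev["verify"]:
            reasons[ev["verify"]["reason"]] += 1
            subjects[ev["verify"]["subject"]] += 1
    return {
        "failures": sum(reasons.values()),
        "reasons": dict(reasons),
        "subjects": dict(subjects),
        "diagnosis": {r: DIAGNOSIS.get(r, "unmapped OpenSSL verify error") for r in reasons},
    }
```

Run `triage(open("/var/log/messages").read())` on an agent to get the same summary over real data; any reason not in DIAGNOSIS is reported as unmapped rather than guessed.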