Morning all

Am in the process of testing a migration of Puppet 3 from webrick to Puppet.

Have found the foreman modules (https://github.com/theforeman) which seems to take care of a lot of the leg-work...
However having got Puppet running with Passenger in Apache, whenever trying to access the Puppet master from a client, I was getting a '403 Forbidden error'.

Have dug around a bit, I found the auth.conf file. Made a slight tweak as follows:

-bash-4.1$ git diff templates/auth.conf.erb
diff --git a/templates/auth.conf.erb b/templates/auth.conf.erb
index 04ef5c6..f064584 100644
--- a/templates/auth.conf.erb
+++ b/templates/auth.conf.erb
@@ -104,3 +104,4 @@ allow <%= puppetmaster rescue fqdn %>
 # of showing the default policy, which is deny everything else
 path /
 auth any
+allow *

Restarted Apache, and Puppet agent sprang into Life...

So looking at the file, it's the default Puppet auth.conf file, so the question becomes - Should the above additional line be required? Or is it masking something else?

Cheers
Gavin

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
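Review bot: the `+allow *` appended to the trailing `path /` rule replaces the catch-all deny with a catch-all allow, and because that rule carries `auth any` it applies to clients presenting no certificate at all, not only to authenticated agents: every request whose path is not claimed by an earlier, more specific rule is now served to anyone who can reach the vhost. The context line's own comment says this rule exists to show the default policy of denying everything else; the added line removes that policy instead of documenting it. Drop the line and find the request that is actually being rejected (the agent's error output and Apache's access log both show the 403'd URL), then, if a rule really is missing, add it for that path only, with `auth yes` and an allow list limited to the node that needs it.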
Dominic Cleal
2013-Mar-12 09:26 UTC
Re: [Puppet Users] Puppet with Passenger - 403 Forbidden
On 12/03/13 09:09, Gavin Williams wrote:
> Morning all
>
> Am in the process of testing a migration of Puppet 3 from webrick to
> Puppet.
>
> Have found the foreman modules (https://github.com/theforeman) which
> seems to take care of a lot of the leg-work...
> However having got Puppet running with Passenger in Apache, whenever
> trying to access the Puppet master from a client, I was getting a '403
> Forbidden error'.
>
> Have dug around a bit, I found the auth.conf file. Made a slight tweak
> as follows:
> -bash-4.1$ git diff templates/auth.conf.erb
> diff --git a/templates/auth.conf.erb b/templates/auth.conf.erb
> index 04ef5c6..f064584 100644
> --- a/templates/auth.conf.erb
> +++ b/templates/auth.conf.erb
> @@ -104,3 +104,4 @@ allow <%= puppetmaster rescue fqdn %>
> # of showing the default policy, which is deny everything else
> path /
> auth any
> +allow *
>
> Restarted Apache, and Puppet agent sprang into Life...
>
> So looking at the file, it's the default Puppet auth.conf file, so the
> question becomes - Should the above additional line be required? Or is
> it masking something else?

It shouldn't be required - I think your suspicion that it's masking something is correct. The last line in the default auth.conf is a deny all, so you're changing this to an allow all, giving access to any catalog or file to any client.

Do you have any indication on the client as to what request failed? i.e. was it the catalog request, or pluginsync etc. You can try correlating the error to Apache's access log to verify the URL it's trying to access on the puppetmaster.

If you're using the Foreman modules, you shouldn't have this issue, but you should have some RequestHeader lines in the puppetmaster vhost that set client certificate details and SSLCACertificateFile + SSLVerifyClient to enable verification. It could be that the client cert isn't getting verified by mod_ssl and so the puppetmaster can't use the client's identity to permit access to URLs.

--
Dominic Cleal
Red Hat Engineering
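As an added example that is not part of this thread and not Puppet's own code (the real evaluator is Puppet::Network::AuthConfig), the Ruby below models how Puppet 3 walks auth.conf: the first `path` rule whose `auth` requirement fits the request decides, and within it the `allow`/`deny` entries are matched against the client's certname. `method` and `environment` restrictions are left out, and the auth.conf text, node names and header names are constructed for the example. It also models the point about the vhost: the certname Puppet uses comes from the X-Client-Verify / X-Client-DN headers that the Passenger vhost sets from mod_ssl, so an agent whose certificate mod_ssl never verified arrives with no identity at all. Run it to see that the appended `allow *` does more than silence a 403: because the final rule is `auth any`, a request with no verified certificate is granted every path that no earlier rule claims, another node's catalog included.

```ruby
# Added example, not Puppet's own implementation: a simplified model of
# Puppet 3 auth.conf evaluation. Modelled: `path` (prefix, or `~` regex whose
# captures may be used as $1 in allow entries), `auth yes|no|any` (default
# yes), `allow`/`deny` entries (`*`, exact certname, `*.domain`, /regex/),
# first matching rule decides. `method`/`environment` are not modelled.

Rule = Struct.new(:prefix, :regex, :auth, :allow, :deny)

def parse_auth_conf(text)
  rules = []
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    key, rest = line.split(/\s+/, 2)
    case key
    when 'path'
      regex = rest.start_with?('~') ? Regexp.new(rest.sub(/\A~\s*/, '')) : nil
      rules << Rule.new(regex ? nil : rest, regex, 'yes', [], [])
    when 'auth', 'authenticated' then rules.last.auth = rest
    when 'allow' then rules.last.allow.concat(rest.split(/\s*,\s*/))
    when 'deny'  then rules.last.deny.concat(rest.split(/\s*,\s*/))
    end
  end
  rules
end

def auth_ok?(rule, authenticated)
  case rule.auth
  when 'any'               then true
  when 'yes', 'on', 'true' then authenticated
  else                          !authenticated
  end
end

# Does one allow/deny entry match the requesting certname (nil = no cert)?
def entry_matches?(entry, certname)
  return true if entry == '*'          # global allow: cert or no cert
  return false if certname.nil?
  if entry.start_with?('*.')
    certname.end_with?(entry[1..-1])   # *.example.com
  elsif entry =~ %r{\A/(.*)/\z}
    Regexp.new($1).match?(certname)    # /regex/
  else
    entry == certname
  end
end

# Returns [:allow | :deny, deciding_rule_or_nil] for one request.
def authorize(rules, path, certname)
  authenticated = !certname.nil?
  rules.each do |rule|
    match = rule.regex ? rule.regex.match(path) : path.start_with?(rule.prefix)
    next unless match && auth_ok?(rule, authenticated)
    expand  = ->(e) { match.is_a?(MatchData) ? e.gsub(/\$(\d+)/) { match[$1.to_i] } : e }
    denied  = rule.deny.any?  { |e| entry_matches?(expand.call(e), certname) }
    allowed = rule.allow.any? { |e| entry_matches?(expand.call(e), certname) }
    return [allowed && !denied ? :allow : :deny, rule]
  end
  [:deny, nil]
end

# Client identity as the master sees it: taken from headers the vhost sets
# from mod_ssl (names follow puppet.conf's ssl_client_header defaults; Rack
# would carry them as HTTP_X_CLIENT_*). No verified cert => no identity.
def certname_from_headers(headers)
  return nil unless headers['X-Client-Verify'] == 'SUCCESS'
  headers['X-Client-DN'].to_s[%r{CN=([^,/]+)}, 1]
end

# Abbreviated tail of a Puppet 3 auth.conf, constructed for this example in
# the shape of the default file the diff modifies.
DEFAULT_AUTH_CONF = <<~CONF
  path ~ ^/catalog/([^/]+)$
  allow $1
  path /file
  allow *
  path /certificate/
  auth any
  allow *
  # deny everything else: the default policy
  path /
  auth any
CONF

# Same file with the diff's `allow *` appended to that final rule.
PATCHED_AUTH_CONF = DEFAULT_AUTH_CONF + "allow *\n"

def decide(conf, path, certname)
  authorize(parse_auth_conf(conf), path, certname).first
end

if __FILE__ == $PROGRAM_NAME
  [['/catalog/node2.example.com', nil], ['/facts/node1.example.com', nil]].each do |path, cert|
    puts "#{path} no-cert: default=#{decide(DEFAULT_AUTH_CONF, path, cert)} patched=#{decide(PATCHED_AUTH_CONF, path, cert)}"
  end
end
```

The model also shows why a broken vhost produces precisely this 403: when `certname_from_headers` yields nil, the catalog and file rules (which default to `auth yes`) never apply, the request falls through to `path /`, and the catch-all alone decides. Restoring the SSLVerifyClient and RequestHeader setup gives the master back the agent's identity; `allow *` on `path /` papers over the loss by trusting everyone.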
Gavin Williams
2013-Mar-12 12:22 UTC
Re: [Puppet Users] Puppet with Passenger - 403 Forbidden
Hmmm, v.strange... I've just reverted the auth.conf change, and it appears to be working as expected... :s

So sounds like there was another issue at play... Will see if I can replicate it...

Cheers
Gavin

On Tuesday, 12 March 2013 09:26:15 UTC, Dominic Cleal wrote:
>
> On 12/03/13 09:09, Gavin Williams wrote:
> > Morning all
> >
> > Am in the process of testing a migration of Puppet 3 from webrick to
> > Puppet.
> >
> > Have found the foreman modules (https://github.com/theforeman) which
> > seems to take care of a lot of the leg-work...
> > However having got Puppet running with Passenger in Apache, whenever
> > trying to access the Puppet master from a client, I was getting a '403
> > Forbidden error'.
> >
> > Have dug around a bit, I found the auth.conf file. Made a slight tweak
> > as follows:
> > -bash-4.1$ git diff templates/auth.conf.erb
> > diff --git a/templates/auth.conf.erb b/templates/auth.conf.erb
> > index 04ef5c6..f064584 100644
> > --- a/templates/auth.conf.erb
> > +++ b/templates/auth.conf.erb
> > @@ -104,3 +104,4 @@ allow <%= puppetmaster rescue fqdn %>
> > # of showing the default policy, which is deny everything else
> > path /
> > auth any
> > +allow *
> >
> > Restarted Apache, and Puppet agent sprang into Life...
> >
> > So looking at the file, it's the default Puppet auth.conf file, so the
> > question becomes - Should the above additional line be required? Or is
> > it masking something else?
>
> It shouldn't be required - I think your suspicion that it's masking
> something is correct. The last line in the default auth.conf is a deny
> all, so you're changing this to an allow all, giving access to any
> catalog or file to any client.
>
> Do you have any indication on the client as to what request failed?
> i.e. was it the catalog request, or pluginsync etc. You can try
> correlating the error to Apache's access log to verify the URL it's
> trying to access on the puppetmaster.
>
> If you're using the Foreman modules, you shouldn't have this issue, but
> you should have some RequestHeader lines in the puppetmaster vhost that
> set client certificate details and SSLCACertificateFile +
> SSLVerifyClient to enable verification. It could be that the client
> cert isn't getting verified by mod_ssl and so the puppetmaster can't use
> the client's identity to permit access to URLs.
>
> --
> Dominic Cleal
> Red Hat Engineering
>