Leonid Mirsky
2013-Nov-07 17:36 UTC
[Puppet Users] Issue with some puppet agents - "Denying access: Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal"
Hi All.

I am having a strange issue when Amazon assigns an internal DNS from the domU* (IPv6) type. Here are the errors I get on the puppet master:

> Nov 7 13:51:38 ip-10-28-107-81 puppet-master[28632]: Signed certificate request for 4019_domu-12-31-39-0e-89-82.compute-1.internal
> Nov 7 13:51:38 ip-10-28-107-81 puppet-master[28632]: Removing file Puppet::SSL::CertificateRequest 4019_domu-12-31-39-0e-89-82.compute-1.internal at '/var/lib/puppet/ssl/ca/requests/4019_domu-12-31-39-0e-89-82.compute-1.internal.pem'
> Nov 7 13:51:38 ip-10-28-107-81 puppet-master[24868]: Denying access: Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal(10.192.138.112) access to /node/4019_domU-12-31-39-0E-89-82.compute-1.internal [find] at :115
> Nov 7 13:51:38 ip-10-28-107-81 puppet-master[24868]: Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal(10.192.138.112) access to /node/4019_domU-12-31-39-0E-89-82.compute-1.internal [find] at :115
> Nov 7 13:51:38 ip-10-28-107-81 puppet-master[24868]: Denying access: Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal(10.192.138.112) access to /file_metadata/plugins [search] at :115
> Nov 7 13:51:38 ip-10-28-107-81 puppet-master[24868]: Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal(10.192.138.112) access to /file_metadata/plugins [search] at :115
> Nov 7 13:51:38 ip-10-28-107-81 puppet-master[24868]: Denying access: Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal(10.192.138.112) access to /file_metadata/plugins [find] at :115
> Nov 7 13:51:38 ip-10-28-107-81 puppet-master[24868]: Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal(10.192.138.112) access to /file_metadata/plugins [find] at :115
> Nov 7 13:51:40 ip-10-28-107-81 puppet-master[28632]: Denying access: Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal(10.192.138.112) access to /catalog/4019_domU-12-31-39-0E-89-82.compute-1.internal [find] at :115
> Nov 7 13:51:40 ip-10-28-107-81 puppet-master[28632]: Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal(10.192.138.112) access to /catalog/4019_domU-12-31-39-0E-89-82.compute-1.internal [find] at :115
> Nov 7 13:51:40 ip-10-28-107-81 puppet-master[28632]: Denying access: Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal(10.192.138.112) access to /report/4019_domU-12-31-39-0E-89-82.compute-1.internal [save] at :115
> Nov 7 13:51:40 ip-10-28-107-81 puppet-master[28632]: Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal(10.192.138.112) access to /report/4019_domU-12-31-39-0E-89-82.compute-1.internal [save] at :115

The node is configured with:

certname = 4019_domu-12-31-39-0e-89-82.compute-1.internal

I am using:
puppet master version 3.3.0
puppet agent version 3.3.1

The /etc/puppet/auth.conf is as follows (default):

> path ~ ^/catalog/([^/]+)$
> method find
> allow $1
>
> # allow nodes to retrieve their own node definition
> path ~ ^/node/([^/]+)$
> method find
> allow $1
>
> # allow all nodes to access the certificates services
> path /certificate_revocation_list/ca
> method find
> allow *
>
> # allow all nodes to store their own reports
> path ~ ^/report/([^/]+)$
> method save
> allow $1
>
> # Allow all nodes to access all file services; this is necessary for
> # pluginsync, file serving from modules, and file serving from custom
> # mount points (see fileserver.conf). Note that the `/file` prefix matches
> # requests to both the file_metadata and file_content paths. See "Examples"
> # above if you need more granular access control for custom mount points.
> path /file
> allow *
>
> ### Unauthenticated ACLs, for clients without valid certificates; authenticated
> ### clients can also access these paths, though they rarely need to.
>
> # allow access to the CA certificate; unauthenticated nodes need this
> # in order to validate the puppet master's certificate
> path /certificate/ca
> auth any
> method find
> allow *
>
> # allow nodes to retrieve the certificate they requested earlier
> path /certificate/
> auth any
> method find
> allow *
>
> # allow nodes to request a new certificate
> path /certificate_request
> auth any
> method find, save
> allow *
>
> # deny everything else; this ACL is not strictly necessary, but
> # illustrates the default policy.
> path /
> auth any

Can anybody please help to debug this issue?
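
An added example (not part of the original post and not Puppet's own code): a Ruby script that applies the regex ACLs from the posted auth.conf to the "Forbidden request" log lines and shows what `$1` captures next to the name the master logged for the requester. It assumes `allow $1` is checked against that logged name; `RULES`, `SAMPLE`, `explain` and `report` are names made up for this example.

```ruby
# Added example: model of the regex ACLs from the posted auth.conf, applied to
# the master's "Forbidden request" log lines. Not Puppet's own code.

# Regex rules copied from the posted auth.conf (path ~ ... / allow $1).
RULES = [
  { path: %r{^/catalog/([^/]+)$}, method: 'find' },
  { path: %r{^/node/([^/]+)$},    method: 'find' },
  { path: %r{^/report/([^/]+)$},  method: 'save' }
].freeze

# Log format as it appears in the post:
#   Forbidden request: NAME(IP) access to PATH [METHOD] at :LINE
LOG_RE = /Forbidden request: (?<name>[^\s(]+)\((?<ip>[^)]+)\) access to (?<path>\S+) \[(?<method>\w+)\]/

# Returns a hash relating the request to the `allow $1` rules,
# or nil if the line is not a "Forbidden request" entry.
def explain(line)
  m = LOG_RE.match(line) or return nil
  rule = RULES.find { |r| r[:method] == m[:method] && r[:path].match?(m[:path]) }
  return { name: m[:name], path: m[:path], rule: nil } unless rule

  allowed = rule[:path].match(m[:path])[1] # what `$1` expands to
  # Assumption: the ACL compares `$1` with the requester name shown in the log.
  { name: m[:name], path: m[:path], rule: rule[:path].source, allowed: allowed,
    exact_match: allowed == m[:name],
    case_insensitive_match: allowed.casecmp?(m[:name]) }
end

# Sample lines taken from the log in the post (syslog prefix dropped).
SAMPLE = [
  'Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal(10.192.138.112) access to /node/4019_domU-12-31-39-0E-89-82.compute-1.internal [find] at :115',
  'Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal(10.192.138.112) access to /file_metadata/plugins [search] at :115'
].freeze

def report(lines = SAMPLE)
  lines.map { |l| explain(l) }.compact
end

if __FILE__ == $PROGRAM_NAME
  report.each do |r|
    if r[:rule]
      puts "#{r[:path]}: $1=#{r[:allowed]} requester=#{r[:name]} " \
           "exact=#{r[:exact_match]} nocase=#{r[:case_insensitive_match]}"
    else
      puts "#{r[:path]}: no `allow $1` rule applies (requester=#{r[:name]})"
    end
  end
end
```

Feeding the full master log through `report` lists, per denied request, the name each `allow $1` rule would accept beside the name the master attributed to the client.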