Issue #2828 has been updated by Pete Emerson.
I'm not clear how to migrate existing keys from one puppetmaster to another. It seems like the keys are signed by the old puppetmaster with the hostname embedded in them. Do you have a pointer doc somewhere to walk me through this?

----------------------------------------
Bug #2828: Passenger problem connecting new puppet client to new puppetmaster
http://projects.reductivelabs.com/issues/2828

Author: Pete Emerson
Status: Ready for Testing
Priority: Normal
Assigned to: Christian Hofstaedtler
Category: passenger
Target version: 0.25.2
Affected version: 0.25.1
Keywords:
Branch:

I think this issue may be similar to Bug #2617 and #2619. However, #2619 is marked as a duplicate of #2617, but #2617 has been addressed in 0.25.1 (which is where I see the problem), and bug #2617 says that it does not affect a fresh puppetmaster install, whereas my bug does.

When run on the puppetmaster node, puppet runs fine as a client of itself.

When run on a new puppet client node using webrick for the puppetmaster, puppet runs fine.

When I run on a new puppet client node using webrick for the puppetmaster, and then switch over to passenger, puppet runs fine.

When run on a new puppet client node using passenger, puppet does not run, and it produces the following error (complete logs below):

<pre>
err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: 01.test.dev.nym1(ip.address.is.here) access to /certificate_revocation_list/ca [find] at line 93
</pre>

Versions:

CentOS release 5.4
ruby 1.8.5 (2006-08-25) [x86_64-linux]
puppet-server-0.25.1-0.2.rc2.el5
puppet-0.25.1-0.2.rc2.el5
fastthread (1.0.7)
passenger (2.2.5)
rack (1.0.1)
rake (0.8.7)

Puppet client logs:

<pre>
[[email protected] ~]$ ssh [email protected] '/usr/sbin/puppetd --server=01.puppetmaster.dev.nym1 --test --report --trace --verbose --debug --ignorecache'
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
debug: Failed to load library 'ldap' for feature 'ldap'
debug: /File[/var/lib/puppet/ssl/private_keys/01.client.dev.nym1.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/public_keys/01.client.dev.nym1.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
debug: /File[/etc/puppet/namespaceauth.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/state/graphs]: Autorequiring File[/var/lib/puppet/state]
debug: /File[/var/lib/puppet/clientbucket]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/client_yaml]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/certs/01.client.dev.nym1.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/log/puppet/http.log]: Autorequiring File[/var/log/puppet]
debug: /File[/var/run/puppet/puppetd.pid]: Autorequiring File[/var/run/puppet]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: Finishing transaction 23456269667260 with 0 changes
debug: Using cached certificate for ca
debug: Using cached certificate for 01.client.dev.nym1
debug: Using cached certificate for ca
debug: Using cached certificate for 01.client.dev.nym1
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:55:in `deserialize'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:198:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:51:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:227:in `ssl_store'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:56:in `cert_setup'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:100:in `http_instance'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:65:in `network'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:198:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:51:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:94:in `retrieve_catalog'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:417:in `thinmark'
/usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
/usr/lib/ruby/1.8/benchmark.rb:307:in `realtime'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:416:in `thinmark'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:93:in `retrieve_catalog'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:140:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent/locker.rb:21:in `lock'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
/usr/lib/ruby/1.8/sync.rb:229:in `synchronize'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:130:in `with_client'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:51:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application/puppetd.rb:103:in `onetime'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `send'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `run_command'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
/usr/sbin/puppetd:159
err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: 01.client.dev.nym1(ip.address.is.here) access to /certificate_revocation_list/ca [find] at line 0
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
</pre>

Puppet server logs:

<pre>
Nov 17 21:15:59 (mount[files]) allowing * access
Nov 17 21:15:59 Starting Puppet server version 0.25.1
Nov 17 21:15:59 Inserting default '~ ^/catalog/([^/]+)$'(auth) acl because /etc/puppet/auth.conf doesn't exist
Nov 17 21:15:59 Inserting default '/file'(non-auth) acl because /etc/puppet/auth.conf doesn't exist
Nov 17 21:15:59 Inserting default '/certificate_revocation_list/ca'(auth) acl because /etc/puppet/auth.conf doesn't exist
Nov 17 21:15:59 Inserting default '/report'(auth) acl because /etc/puppet/auth.conf doesn't exist
Nov 17 21:15:59 Inserting default '/certificate/ca'(non-auth) acl because /etc/puppet/auth.conf doesn't exist
Nov 17 21:15:59 Inserting default '/certificate/'(non-auth) acl because /etc/puppet/auth.conf doesn't exist
Nov 17 21:15:59 Inserting default '/certificate_request'(non-auth) acl because /etc/puppet/auth.conf doesn't exist
Nov 17 21:16:00 01.client.dev.nym1 has a waiting certificate request
Nov 17 21:16:04 (access[/]) defaulting to no access for 01.client.dev.nym1
Nov 17 21:16:04 Denying access: Forbidden request: 01.client.dev.nym1(ip.address.is.here) access to /certificate_revocation_list/ca [find] at line 0
Nov 17 21:16:04 Forbidden request: 01.client.dev.nym1(ip.address.is.here) access to /certificate_revocation_list/ca [find] at line 0
</pre>

Here is my auth.conf (taken from git and only modified to address Bug #2620), and removing this file has made no difference:

<pre>
path ~ ^/catalog/([^/]+)$
method find
allow *

path /certificate_revocation_list/ca
method find
allow *

path /report
method save
allow *

path /file
allow *

path /certificate/ca
auth no
method find
allow *

path /certificate/
auth no
method find
allow *

path /certificate_request
auth no
method find, save
allow *

path /
auth any
</pre>

Here is my config.ru:

<pre>
$0 = "puppetmasterd"
require 'puppet'
ARGV << "--trace"
ARGV << "--debug"
ARGV << "--verbose"
ARGV << "--rack"
require 'puppet/application/puppetmasterd'
run Puppet::Application[:puppetmasterd].run
</pre>
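As an added example (not code from the report or from Puppet itself), the Ruby below models how an auth.conf of this shape is evaluated: the first rule whose path, method list and auth requirement all fit the request decides, and a matching rule with no allow entry denies, which is what the "(access[/]) defaulting to no access" server log line reports when a CRL fetch the server does not treat as authenticated falls through to `path /`. Assumptions: the semantics are modeled as stated here rather than taken from Puppet's source, allow entries are simplified to `*` or an exact node name, and AUTH_CONF is a constructed excerpt of the rules quoted above.

```ruby
# Constructed excerpt of the auth.conf quoted in the report: the CRL rule (no "auth"
# line, so it defaults to auth yes) and the catch-all "path /" rule.
AUTH_CONF = <<~CONF
  path /certificate_revocation_list/ca
  method find
  allow *

  path /
  auth any
CONF

# Parse auth.conf into an ordered array of rule hashes; order matters, first match wins.
def parse_auth_conf(text)
  rules = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split(/\s+/, 2)
    case key
    when "path"
      regex = value.start_with?("~")
      rules << { path: regex ? value[1..-1].strip : value, regex: regex,
                 auth: "yes", methods: nil, allow: [] }
    when "auth"   then rules.last[:auth] = value
    when "method" then rules.last[:methods] = value.split(",").map(&:strip)
    when "allow"  then rules.last[:allow].concat(value.split(",").map(&:strip))
    end
  end
  rules
end

# Decide a request (modeled semantics, simplified). A rule applies only if its path,
# method list and auth requirement all fit; the first applicable rule decides, and a
# rule with no matching allow entry denies. Returns [allowed, deciding_rule_path].
def check(rules, path, method, authenticated, node)
  rules.each do |r|
    matched = r[:regex] ? path.match?(Regexp.new(r[:path])) : path.start_with?(r[:path])
    next unless matched
    next if r[:methods] && !r[:methods].include?(method)
    next if (r[:auth] == "yes" && !authenticated) || (r[:auth] == "no" && authenticated)
    return [r[:allow].any? { |a| a == "*" || a == node }, r[:path]]
  end
  [false, nil]
end
```

With the rules above, an authenticated `find` on `/certificate_revocation_list/ca` is allowed by the CRL rule, while the same request seen as unauthenticated skips that rule and is denied by `path /`.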
