Ok, seems that I have an authentication issue here.
When I set (for all paths) "auth no" in auth.conf, it's working again.
Maybe I set these options wrong in the apache.conf:

SSLCertificateFile      /etc/puppet/ssl/certs/node002.pem
SSLCertificateKeyFile   /etc/puppet/ssl/private_keys/node002.pem

As far as I can tell these files match.

regards, Andreas

Andreas Kuntzagk wrote:
Hi,

Nan Liu wrote:
On Wed, May 4, 2011 at 8:26 AM, Andreas Kuntzagk
<andreas.kuntz...@mdc-berlin.de> wrote:
Hi,

as suggested on the list I switched from the standalone puppetmaster to
Passenger. I have passenger installed now and edited the apache config as
far as I understood. I restarted apache.
Now when I run an agent I get:

/var/lib/gems/1.8/bin/puppet agent --server node002 --test
err: Could not retrieve catalog from remote server: Error 403 on SERVER:
Forbidden request: node039(192.168.73.39) access to /catalog/node039 [find]
at line 0
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

In the server log I find this:

May  4 14:13:08 node002 puppet-master[14489]: Denying access: Forbidden
request: node039(192.168.73.39) access to /catalog/node039 [find] at line 0
May  4 14:13:08 node002 puppet-master[14489]: Forbidden request:
node039(192.168.73.39) access to /catalog/node039 [find] at line 0

Not sure I can pinpoint your problem, is this all the output with
debugging enabled in config.ru?

No. I just enabled debugging (did not see this option before). Now I get many more lines.
I suspect these to be the important ones:

May 5 08:59:36 node002 puppet-master[16796]: (access[/]) adding authentication any
May 5 08:59:36 node002 puppet-master[16796]: Inserting default '/status'(auth) acl because none where found in '/etc/puppet/auth.conf'
May 5 08:59:36 node002 puppet-master[16796]: (access[/]) defaulting to no access for node002


[...]


It doesn't map to a filepath. Access is controlled via auth.conf. You
should have a section similar to:

# allow nodes to retrieve their own catalog (ie their configuration)
path ~ ^/catalog/([^/]+)$
method find
allow $1

Ok, auth.conf was missing. But I copied the gems default conf file and it's still not working.

Since you should not need to change it, I'm wondering do you have the
following [master] section in puppet.conf?
  ssl_client_header = SSL_CLIENT_S_DN
  ssl_client_verify_header = SSL_CLIENT_VERIFY

No. There is no [master] section at all. And also in all example confs there is no [master] section. Btw. this is version 2.6.4.

regards, Andreas
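
A simplified Ruby model of the check this thread is debugging, added here as an illustration; it is not part of the original thread and not Puppet's own code. It assumes the master takes the client name from the CN in the variable named by ssl_client_header, and treats the request as authenticated only when the variable named by ssl_client_verify_header equals SUCCESS. The env hashes are constructed sample input.

```ruby
# Simplified model of the auth.conf decision (assumption, not Puppet's code).
# Header names are the two values quoted from puppet.conf in the thread.
CLIENT_DN_HEADER     = 'SSL_CLIENT_S_DN'
CLIENT_VERIFY_HEADER = 'SSL_CLIENT_VERIFY'

# The catalog stanza quoted in the thread. `auth` is assumed to default to
# yes: the rule only matches requests with a verified client certificate.
CATALOG_RULE = { path: %r{^/catalog/([^/]+)$}, method: 'find',
                 allow: '$1', auth: true }.freeze

# Derive the caller's identity from the variables the web server passes in.
def client_identity(env)
  cn = env[CLIENT_DN_HEADER].to_s[/CN\s*=\s*([^\/,]+)/, 1]
  verified = env[CLIENT_VERIFY_HEADER] == 'SUCCESS'
  { node: cn, authenticated: !cn.nil? && verified }
end

# Return :allowed or :forbidden for one request checked against one rule.
def check(rule, env, method, path)
  id = client_identity(env)
  m  = rule[:path].match(path)
  return :forbidden unless m && method == rule[:method]
  return :forbidden if rule[:auth] && !id[:authenticated]
  # Expand the $1 backreference with the node name captured from the path.
  allowed = rule[:allow].gsub(/\$(\d)/) { m[Regexp.last_match(1).to_i] }
  id[:node] == allowed ? :allowed : :forbidden
end

# Constructed requests as the master would see them.
VERIFIED   = { 'SSL_CLIENT_S_DN' => '/CN=node039',
               'SSL_CLIENT_VERIFY' => 'SUCCESS' }.freeze
UNVERIFIED = { 'SSL_CLIENT_S_DN' => '/CN=node039',
               'SSL_CLIENT_VERIFY' => 'NONE' }.freeze
NO_HEADERS = {}.freeze # web server passed no client-certificate variables

if __FILE__ == $PROGRAM_NAME
  { 'verified, own catalog'   => [VERIFIED,   '/catalog/node039'],
    'verified, other catalog' => [VERIFIED,   '/catalog/node040'],
    'certificate not checked' => [UNVERIFIED, '/catalog/node039'],
    'variables missing'       => [NO_HEADERS, '/catalog/node039'] }
    .each do |label, (env, path)|
      puts format('%-24s %-18s %s', label, path,
                  check(CATALOG_RULE, env, 'find', path))
    end
end
```

Only the first case is allowed; the last two reproduce the 403 on /catalog/node039 even though the node asks for its own catalog, because the master never learns that the certificate was verified.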

