On May 5, 2:31 am, Andreas Kuntzagk <andreas.kuntz...@mdc-berlin.de>
wrote:
> Ok, seems that I have an authentication issue here.
> when I set (for all paths) "auth no" in auth.conf, it's working again.
> Maybe I set these options wrong in the apache.conf:
>
> SSLCertificateFile /etc/puppet/ssl/certs/node002.pem
> SSLCertificateKeyFile /etc/puppet/ssl/private_keys/node002.pem
>
> As far as I can tell these files match.
>
> regards, Andreas
>
> Andreas Kuntzagk wrote:
> > Hi,
>
> > Nan Liu wrote:
> >> On Wed, May 4, 2011 at 8:26 AM, Andreas Kuntzagk
> >> <andreas.kuntz...@mdc-berlin.de> wrote:
> >>> Hi,
>
> >>> as suggested on the list I switched from the standalone puppetmaster to
> >>> Passenger. I have passenger installed now and edited the apache
> >>> config as
> >>> far as I understood. I restarted apache.
> >>> Now when I run an agent I get:
>
> >>> /var/lib/gems/1.8/bin/puppet agent --server node002 --test
> >>> err: Could not retrieve catalog from remote server: Error 403 on SERVER:
> >>> Forbidden request: node039(192.168.73.39) access to /catalog/node039
> >>> [find]
> >>> at line 0
> >>> warning: Not using cache on failed catalog
> >>> err: Could not retrieve catalog; skipping run
>
> >>> In the server log I find this:
>
> >>> May 4 14:13:08 node002 puppet-master[14489]: Denying access: Forbidden
> >>> request: node039(192.168.73.39) access to /catalog/node039 [find] at
> >>> line 0
> >>> May 4 14:13:08 node002 puppet-master[14489]: Forbidden request:
> >>> node039(192.168.73.39) access to /catalog/node039 [find] at line 0
>
> >> Not sure I can pinpoint your problem, is this all the output with
> >> debugging enabled in config.ru?
>
> > No. I just enabled debugging (did not see this option before). Now I get
> > many more lines.
> > I suspect these to be the important ones:
>
> > May 5 08:59:36 node002 puppet-master[16796]: (access[/]) adding
> > authentication any
> > May 5 08:59:36 node002 puppet-master[16796]: Inserting default
> > '/status'(auth) acl because none where found in '/etc/puppet/auth.conf'
> > May 5 08:59:36 node002 puppet-master[16796]: (access[/]) defaulting to
> > no access for node002
>
> > [...]
>
> >> It doesn't map to a filepath. Access is controlled via auth.conf. You
> >> should have a section similar to:
>
> >> # allow nodes to retrieve their own catalog (ie their configuration)
> >> path ~ ^/catalog/([^/]+)$
> >> method find
> >> allow $1
>
> > Ok, auth.conf was missing. But I copied the gems default conf file and
> > it's still not working.
>
> >> Since you should not need to change it, I'm wondering do you have the
> >> following [master] section in puppet.conf?
> >> ssl_client_header = SSL_CLIENT_S_DN
> >> ssl_client_verify_header = SSL_CLIENT_VERIFY
>
> > No. There is no [master] section at all. And also in all example confs
> > there is no [master] section. Btw. this is version 2.6.4.
>
> > regards, Andreas
So in the puppet.conf I have, those ssl_client_* settings are actually
in the [user] section. I'm not 100% sure if that's correct but I'm
running 2.6.8 on mine and that appears to be one of the magic bits
needed.
Also in your apache config, add
# The following client headers allow the same configuration to work
with Pound.
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
That seems to be the other bit that actually passes the authentication
down the chain to puppet.
-Paul
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
