On May 5, 2:31 am, Andreas Kuntzagk <andreas.kuntz...@mdc-berlin.de> wrote: > Ok, seems that I have an authentication issue here. > when I set (for all paths) "auth no" in auth.conf, it's working again. > Maybe I set these options wrong in the apache.conf: > > SSLCertificateFile /etc/puppet/ssl/certs/node002.pem > SSLCertificateKeyFile /etc/puppet/ssl/private_keys/node002.pem > > As far as I can tell these files match. > > regards, Andreas > > > > > > > > Andreas Kuntzagk wrote: > > Hi, > > > Nan Liu wrote: > >> On Wed, May 4, 2011 at 8:26 AM, Andreas Kuntzagk > >> <andreas.kuntz...@mdc-berlin.de> wrote: > >>> Hi, > > >>> as suggested on the list I switched from the standalone puppetmaster to > >>> Passenger. I have passenger installed now and edited the apache > >>> config as > >>> far as I understood. I restarted apache. > >>> Now when I run an agent I get: > > >>> /var/lib/gems/1.8/bin/puppet agent --server node002 --test > >>> err: Could not retrieve catalog from remote server: Error 403 on SERVER: > >>> Forbidden request: node039(192.168.73.39) access to /catalog/node039 > >>> [find] > >>> at line 0 > >>> warning: Not using cache on failed catalog > >>> err: Could not retrieve catalog; skipping run > > >>> In the server log I find this: > > >>> May 4 14:13:08 node002 puppet-master[14489]: Denying access: Forbidden > >>> request: node039(192.168.73.39) access to /catalog/node039 [find] at > >>> line 0 > >>> May 4 14:13:08 node002 puppet-master[14489]: Forbidden request: > >>> node039(192.168.73.39) access to /catalog/node039 [find] at line 0 > > >> Not sure I can pinpoint your problem, is this all the output with > >> debugging enabled in config.ru? > > > No. I just enabled debugging (did not see this option before). Now I get > > many more lines. > > I suspect these to be the important ones: > > > May 5 08:59:36 node002 puppet-master[16796]: (access[/]) adding > > authentication any > > May 5 08:59:36 node002 puppet-master[16796]: Inserting default > > '/status'(auth) acl because none where found in '/etc/puppet/auth.conf' > > May 5 08:59:36 node002 puppet-master[16796]: (access[/]) defaulting to > > no access for node002 > > > [...] > > >> It doesn't map to a filepath. Access is controlled via auth.conf. You > >> should have a section similar to: > > >> # allow nodes to retrieve their own catalog (ie their configuration) > >> path ~ ^/catalog/([^/]+)$ > >> method find > >> allow $1 > > > Ok, auth.conf was missing. But I copied the gems default conf file and > > it's still not working. > > >> Since you should not need to change it, I'm wondering do you have the > >> following [master] section in puppet.conf? > >> ssl_client_header = SSL_CLIENT_S_DN > >> ssl_client_verify_header = SSL_CLIENT_VERIFY > > > No. There is no [master] section at all. And also in all example confs > > there is no [master] section. Btw. this is version 2.6.4. > > > regards, Andreas
So in the puppet.conf I have, those ssl_client_* settings are actually in the [user] section. I'm not 100% sure if that's correct but I'm running 2.6.8 on mine and that appears to be one of the magic bits needed. Also in your apache config, add # The following client headers allow the same configuration to work with Pound. RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e That seems to be the other bit that actually passes the authentication down the chain to puppet. -Paul -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.