Hello Puppet gurus,

I'm trying to set up a Puppet environment on CentOS 6. I got it working 
using WEBrick, but when I finally got Puppet running through Apache using 
Passenger, my Puppet node gets this "403 Forbidden" response (full output 
is attached as node.txt):

[root@puppetnode-01 ~]# puppetd --waitforcert 30 --server puppetmaster.mydomain.com --debug --verbose --test
> ...
> warning: peer certificate won't be verified in this SSL session
> err: Could not request certificate: Error 403 on SERVER: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>403 Forbidden</title>
> </head><body>
> <h1>Forbidden</h1>
> <p>You don't have permission to access /production/certificate/ca
> on this server.</p>
> <hr>
> <address>Apache/2.2.15 (CentOS) Server at puppetmaster.mydomain.com Port 8140</address>
> </body></html>

At the same time, the httpd logs show this:

[root@dx-puppetmaster-01 ~]# tail -f /var/log/httpd/*
> ...
> ==> /var/log/httpd/error_log <==
> [Wed May 30 12:46:21 2012] [error] [client 10.230.100.155] (13)Permission denied: access to /production/certificate/ca denied
>
> ==> /var/log/httpd/access_log <==
> 10.230.100.155 - - [30/May/2012:12:46:21 -0400] "GET /production/certificate/ca? HTTP/1.1" 403 325 "-" "-"

The steps I used to install Puppet mostly followed the attached install.sh 
script (with slight modifications). I've also tried to follow this install 
guide <http://www.tomhayman.co.uk/linux/install-puppet-passenger-centos-6-part/> 
to no avail.

Although I have not modified my /etc/httpd/conf/httpd.conf file, I've 
attached it for reference. I've also attached 
/etc/httpd/conf.d/passenger.conf 
and /usr/share/puppet/rack/puppetmasterd/config.ru. config.ru's perms are 
600 puppet:root.

Both of these machines are virtualized using Citrix XenServer. Here's some 
more info on these boxes:

[root@puppetmaster-01 ~]# cat /etc/redhat-release
CentOS release 6.2 (Final)

[root@puppetmaster-01 ~]# uname -a
Linux puppetmaster-01.datalex.com 2.6.32-220.7.1.el6.x86_64 #1 SMP Wed Mar 7 00:52:02 GMT 2012 x86_64 x86_64 x86_64 GNU/Linux

Any help will be greatly appreciated! :)

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/puppet-users/-/od2vXGXfQqsJ.

Attachment: node.txt

[root@puppetnode-01 ~]# puppetd --waitforcert 30 --server puppetmaster.mydomain.com --debug --verbose --test
debug: Failed to load library 'ldap' for feature 'ldap'
debug: Puppet::Type::User::ProviderLdap: feature ldap is missing
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
debug: Failed to load library 'rubygems' for feature 'rubygems'
debug: /File[/var/lib/puppet/clientbucket]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/public_keys/puppetnode-01.mydomain.com.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
debug: /File[/var/lib/puppet/client_data]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/state/graphs]: Autorequiring File[/var/lib/puppet/state]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private_keys/puppetnode-01.mydomain.com.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/client_yaml]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
debug: Finishing transaction 69930350646060
debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/public_keys/puppetnode-01.mydomain.com.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private_keys/puppetnode-01.mydomain.com.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
debug: Finishing transaction 69930350533440
warning: peer certificate won't be verified in this SSL session
err: Could not request certificate: Error 403 on SERVER: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /production/certificate/ca
on this server.</p>
<hr>
<address>Apache/2.2.15 (CentOS) Server at puppetmaster.mydomain.com Port 8140</address>
</body></html>

Attachment: install.sh

#!/bin/bash

# I downloaded this script from: https://privatepaste.com/download/b13e3362ab
# It was recommended to me by someone on the #puppet IRC channel for installing
# Puppet on CentOS 5. -maltfield

#MACHINE IS KICKSTARTED, MEANING THERE IS NO ENTROPY TO GENERATE A RANDOM NUMBER
#THIS WGET FIXES IT SO THAT WE CAN GENERATE A CRYPTOGRAPHICALLY SOUND PUPPET CERT
#(the seed is fetched over plain HTTP from a third party, so it is neither secret
# nor authenticated; a local entropy source such as rngd is the safer choice)
wget -O /var/lib/random-seed http://www.random.org/cgi-bin/randbyte?nbytes=200

#EPEL to get us out of the dark ages
#rpm -Uvh http://download.fedora.redhat.com/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
rpm -ivh http://mirror.chpc.utah.edu/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm

#karan for ruby 187
cat > /etc/yum.repos.d/ruby187.repo <<EOF

[kbs-el5-rb187]
name=kbs-el5-rb187
enabled=1
baseurl=http://centos.karan.org/el5/ruby187/x86_64/
gpgcheck=1
gpgkey=http://centos.karan.org/RPM-GPG-KEY-karan.org.txt

EOF

#official version of puppet.
#gpgcheck=0: packages from this repo are installed without signature verification
cat > /etc/yum.repos.d/puppetlabs.repo <<DELIM
[puppetlabs]
name=puppetlabs
enabled=1
baseurl=http://yum.puppetlabs.com/el/5/products/x86_64/
gpgcheck=0

DELIM

yum update 
#Install needed packages
yum install httpd httpd-devel mod_ssl.x86_64 \
  mysql mysql-server mysql-devel.x86_64 \
  ruby.x86_64 ruby-libs.x86_64 ruby-devel.x86_64 ruby-augeas.x86_64 ruby-shadow.x86_64 \
  rubygems rubygem-rails rubygem-sqlite3-ruby \
  gcc-c++ curl-devel openssl-devel zlib-devel \
  puppet puppet-server foreman augeas.x86_64 augeas-libs.x86_64 \
  rrdtool-ruby ruby-RRDtool graphviz

gem install -v=3.0.11 passenger
gem install -v=1.3.5 rack
gem install mysql

/usr/lib/ruby/gems/1.8/gems/passenger-3.0.11/bin/passenger-install-apache2-module

#complete the passenger install.
mkdir   -p      /usr/share/puppet/rack/puppetmasterd
mkdir   /usr/share/puppet/rack/puppetmasterd/public
mkdir /usr/share/puppet/rack/puppetmasterd/tmp

#config file for running puppet when called by passenger/apache
cat > /usr/share/puppet/rack/puppetmasterd/config.ru <<DELIM
ARGV << "--rack"
require 'puppet/application/master'
run Puppet::Application[:master].run
#eof

DELIM

chown   puppet  /usr/share/puppet/rack/puppetmasterd/config.ru

#run puppet once without passenger, needed to generate initial certificates.
/etc/init.d/puppetmaster stop
/etc/init.d/httpd stop
chkconfig       puppetmaster    off
puppet master --verbose --no-daemonize --debug

#now it's time to configure apache to call passenger, which calls the config.ru above, which triggers the puppet master
cat > /etc/httpd/conf.d/passenger.conf << DELIM
# LoadModule, PassengerRoot and PassengerRuby are server-config directives and
# must sit outside the VirtualHost (inside it, httpd refuses to start).
LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-3.0.11/ext/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-3.0.11
PassengerRuby /usr/bin/ruby

Listen 8140
<VirtualHost *:8140>

     SSLEngine on
     # legacy Puppet example value; SSLv2 and RC4 are weak, tighten this for production
     SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
     SSLCertificateFile      /var/lib/puppet/ssl/certs/12345.pem
     SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/12345.pem
     SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
     SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
     ## CRL checking should be enabled; if you have problems with
     ## Apache complaining about the CRL, disable the next line
     SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
     SSLVerifyClient         optional

    # The following client headers allow the same configuration to work with Pound.
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    RackAutoDetect On
    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/
    <Directory /usr/share/puppet/rack/puppetmasterd/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

</VirtualHost>

DELIM

#fix the value 12345 in the file inserted above.

host_name=`hostname`
echo $host_name

sed -e s,12345,$host_name,g -i /etc/httpd/conf.d/passenger.conf

#start passenger

#NOTE: the next two lines switch SELinux to permissive mode and flush every
#iptables rule; they hide denials rather than fix them and leave the master unfirewalled
setenforce permissive
iptables -F

/etc/init.d/httpd stop
/etc/init.d/httpd start

#make certain that puppetmaster continues to run under passenger
chkconfig       httpd   on

echo "is puppet running through passenger?"
netstat -plunt | grep 8140
#the grep above should print a line like this one:
echo "tcp        0      0 0.0.0.0:8140                0.0.0.0:*                   LISTEN      3944/httpd "

Attachment: httpd.conf
Attachment: passenger.conf
Attachment: config.ru
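An added troubleshooting helper, not from the post, Puppet or Passenger: it walks the directory chain down to the Passenger DocumentRoot and reports the first component a given uid/gid cannot search, the kind of DAC failure Apache reports as the "(13)Permission denied" 403 seen in the error_log above, and it pulls the affected paths out of such log lines. It assumes GNU stat and bash and does not model supplementary groups or SELinux; the account name "apache" in the demo is an assumption.

```shell
#!/bin/bash
# Added diagnostic, not from the original post, Puppet or Passenger. Apache
# returns 403 and logs "(13)Permission denied: access to <path> denied" when
# its worker user (apache on CentOS) cannot reach a file under DocumentRoot,
# e.g. because a directory on the way lacks the search (x) bit for that user.
# Assumes GNU stat and bash; supplementary groups and SELinux are not modelled.

# can_search UID GID DIR -> 0 if that uid/gid pair has the x (search) bit on DIR
can_search() {
  local uid=$1 gid=$2 dir=$3 st mode owner group bits
  [ "$uid" -eq 0 ] && return 0            # root bypasses DAC checks
  st=$(stat -c '%a %u %g' "$dir") || return 1
  set -- $st
  mode=$(printf '%04d' "$((10#$1))"); owner=$2; group=$3
  if [ "$owner" -eq "$uid" ]; then bits=${mode:1:1}
  elif [ "$group" -eq "$gid" ]; then bits=${mode:2:1}
  else bits=${mode:3:1}; fi
  [ $((bits & 1)) -eq 1 ]
}

# first_blocked UID GID PATH -> prints the first directory from / down to PATH
# that UID/GID cannot search and returns 1; silent with status 0 when the chain
# is open (a missing component ends the walk early: that is ENOENT, not EACCES)
first_blocked() {
  local uid=$1 gid=$2 path=$3 cur="" part oldifs=$IFS
  IFS=/; set -f; set -- $path; set +f; IFS=$oldifs
  for part in "$@"; do
    [ -n "$part" ] || continue
    cur="$cur/$part"
    [ -d "$cur" ] || break
    if ! can_search "$uid" "$gid" "$cur"; then
      printf '%s\n' "$cur"; return 1
    fi
  done
  return 0
}

# eacces_paths LOGFILE -> the request paths named in Apache "(13)Permission
# denied" error_log entries, one per line
eacces_paths() {
  sed -n 's/.*(13)Permission denied: access to \([^ ]*\) denied.*/\1/p' "$1"
}

# Stand-alone use with the post's paths (account name "apache" assumed):
if [ "${1:-}" = "--demo" ]; then
  uid=$(id -u apache) && gid=$(id -g apache) &&
    first_blocked "$uid" "$gid" /usr/share/puppet/rack/puppetmasterd/public &&
    echo "every directory above the DocumentRoot is searchable by apache"
  eacces_paths /var/log/httpd/error_log
fi
```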
