jbrown,

Sorry for not posting my solution. I've been working on this install for 
weeks, and I *did* overcome this error, but I've had to overcome so many 
errors, I can't recall the exact fix. iirc, the solution might have been 
installing rubygem-rack through yum as opposed to gems.

In any case, here are the commands I have come up with to successfully 
install Puppet Master & puppet-dashboard on CentOS 6.2. (Note: this is 
incomplete: I'm still working on getting the Inventory Service up and 
running, and this install procedure still needs some hardening.) FWIW:

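#!/usr/bin/env bash
#
# Install a Puppet Master (under Apache/Passenger) and puppet-dashboard on
# one CentOS 6 host.  Run as root, once, on a fresh host: several steps
# (setting the MySQL root password, creating the DB user, signing the
# dashboard certificate, `htpasswd -c`) are not idempotent.
#
# Interactive step: `htpasswd -c` prompts for the dashboard web user's
# password.  Certificate generation, which the original procedure stopped
# with Ctrl+C by hand, is driven automatically below.
#
# Environment overrides (the defaults reproduce the original procedure,
# including the literal password "password" -- change them):
#   PUPPET_FQDN            name the master's certificate is issued for
#                          (`hostname -f` if `hostname` gives the short name)
#   DASHBOARD_IP           address written to /etc/hosts for "dashboard puppet"
#   MYSQL_ROOT_PASSWORD    password set for 'root'@'localhost'
#   DASHBOARD_DB_PASSWORD  password of the 'dashboard'@'localhost' DB user
#   DASHBOARD_WEB_USER     Basic-auth user name for the dashboard web UI
#
# Still open (carried over from the author): Inventory Service, minimal
# permissions on the gem directories, a real iptables policy.
set -euo pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# $1 = setting name, $2 = value.  Values are embedded in SQL and YAML
# literals below, so characters that would break or escape those literals
# are rejected up front instead of producing a half-applied install.
check_password() {
  [[ -n $2 ]] || die "$1 must not be empty"
  case $2 in
    *\'*|*\\*) die "$1 must not contain ' or \\" ;;
  esac
}

# Copy $1 to $1.<timestamp>.orig before it is overwritten.
backup_file() {
  cp -- "$1" "$1.${stamp}.orig"
}

# Append $1 to /etc/hosts unless that exact line is already present.
add_host_entry() {
  grep -qxF -- "$1" /etc/hosts || printf '%s\n' "$1" >> /etc/hosts
}

[[ $EUID -eq 0 ]] || die "run this on the Puppet Master host, as root"

stamp=$(date +%Y%m%d%H%M%S)
readonly stamp
readonly fqdn=${PUPPET_FQDN:-$(hostname)}
readonly dashboard_ip=${DASHBOARD_IP:-10.10.10.2}
readonly mysql_root_password=${MYSQL_ROOT_PASSWORD:-password}
readonly db_password=${DASHBOARD_DB_PASSWORD:-password}
readonly dashboard_web_user=${DASHBOARD_WEB_USER:-hosting}
readonly rack_dir=/usr/share/puppet/rack/puppetmasterd
readonly dashboard_dir=/usr/share/puppet-dashboard

check_password MYSQL_ROOT_PASSWORD "$mysql_root_password"
check_password DASHBOARD_DB_PASSWORD "$db_password"

# --- Entropy for certificate generation on a cloned gold image -------------
# 200 bytes from random.org replace the saved seed that is fed to
# /dev/urandom at boot.  The download is plain HTTP: anyone on the path can
# read (or replace) these bytes, so treat them as an extra mix-in only,
# never as the host's sole entropy source.  Skip on non-cloned hosts.
wget -O /var/lib/random-seed 'http://www.random.org/cgi-bin/randbyte?nbytes=200'

# --- DNS ---------------------------------------------------------------------
add_host_entry "${dashboard_ip} dashboard puppet"
# Skip these if DNS already resolves your nodes.
add_host_entry "10.10.10.3 puppetnode-01 puppetnode-01.mydomain.com"
add_host_entry "10.10.10.4 puppetnode-02 puppetnode-02.mydomain.com"

# --- Repositories ------------------------------------------------------------
cat > /etc/yum.repos.d/puppetlabs.repo <<'DELIM'
[puppetlabs]
name=puppetlabs
enabled=1
baseurl=http://yum.puppetlabs.com/el/6/products/x86_64/
# gpgcheck=0 disables signature verification of every package fetched from
# this repository over plain HTTP.  Set gpgcheck=1 and point gpgkey at the
# repository's published signing key before using this outside a lab.
gpgcheck=0
DELIM

# EPEL: `rpm -ivh` fails when the package is already installed, which would
# abort a re-run under `set -e`, so install it only if it is missing.
if ! rpm -q epel-release >/dev/null 2>&1; then
  rpm -ivh https://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm
fi

yum -y update

# --- Dependencies ------------------------------------------------------------
yum -y install gcc-c++ make httpd httpd-devel mod_ssl puppet ruby-devel \
  rubygem-rack curl-devel openssl-devel zlib-devel

# Fails roughly 10% of the time with "ERROR: http://rubygems.org/ does not
# appear to be a repository" when rubygems.org is overloaded.  Re-run the
# script a few minutes later; every step above is safe to repeat.
gem install passenger
passenger-install-apache2-module -a
# Resolve the installed gem's location instead of hard-coding a version.
passenger_root=$(passenger-config --root)
readonly passenger_root

# --- /etc/puppet/puppet.conf -------------------------------------------------
backup_file /etc/puppet/puppet.conf

# Unquoted here-doc: ${fqdn} is expanded by the shell now; $vardir and
# $confdir are escaped so that puppet, not the shell, expands them (the
# original's unquoted here-doc turned them into empty strings).
cat > /etc/puppet/puppet.conf <<DELIM
[main]
logdir = /var/log/puppet
vardir = /var/lib/puppet
confdir = /etc/puppet
ssldir = /var/lib/puppet/ssl
rundir = /var/run/puppet
factpath = \$vardir/lib/facter
templatedir = \$confdir/templates

[master]
certname = ${fqdn}
# The original also listed the literal "1234" here -- apparently an
# unsubstituted placeholder; add the short hostname if agents use it.
dns_alt_names = puppet,dashboard,${fqdn}
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

# Reports go to the dashboard's loopback-only HTTP vhost (port 8080 below),
# so they never leave this host.
reports = store, http
reporturl = http://127.0.0.1:8080/reports/upload

[agent]
server = dashboard
report = true

[cert]
autosign = false
DELIM

# --- Puppet Master config.ru -------------------------------------------------
mkdir -p "${rack_dir}/public" "${rack_dir}/tmp"

cat > "${rack_dir}/config.ru" <<'DELIM'
ARGV << "--rack"
require 'puppet/application/master'
run Puppet::Application[:master].run
DELIM

chown puppet "${rack_dir}/config.ru"

# --- /etc/httpd/conf.d/puppet-master.conf (Apache vhost) ---------------------
cat > /etc/httpd/conf.d/puppet-master.conf <<DELIM
## Puppetmaster Apache Vhost Configuration

LoadModule passenger_module ${passenger_root}/ext/apache2/mod_passenger.so
PassengerRoot ${passenger_root}
PassengerRuby /usr/bin/ruby

## Passenger Limits
PassengerHighPerformance On
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off

Listen 8140

<VirtualHost *:8140>
ServerName ${fqdn}

SSLEngine on
## SSLv2 and SSLv3 are disabled.  The cipher list is the author's working
## one and should be reviewed against current guidance.
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA

SSLCertificateFile /var/lib/puppet/ssl/certs/${fqdn}.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/${fqdn}.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem

## CRL checking should be enabled; if you have problems with
## Apache complaining about the CRL, disable the next line
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars

## The following client headers allow the same configuration
## to work with Pound.
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

RackAutoDetect On

DocumentRoot ${rack_dir}/public

<Directory "${rack_dir}">
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>
DELIM

# --- Puppet Master certificates ----------------------------------------------
# A WEBrick master creates the CA and its own certificate on first start.
# The original procedure watched for
#   notice: Signed certificate request for <fqdn>
# and pressed Ctrl+C; here the master runs in the background and is stopped
# as soon as its certificate file exists (ssldir/certs/<certname>.pem).
puppet master --verbose --no-daemonize --debug &
master_pid=$!
for ((i = 0; i < 120; i++)); do
  [[ -f "/var/lib/puppet/ssl/certs/${fqdn}.pem" ]] && break
  sleep 1
done
if [[ ! -f "/var/lib/puppet/ssl/certs/${fqdn}.pem" ]]; then
  kill "$master_pid" 2>/dev/null || true
  die "puppet master did not generate /var/lib/puppet/ssl/certs/${fqdn}.pem"
fi
kill "$master_pid"
# The master exits non-zero when killed; that is expected here.
wait "$master_pid" || true

# --- Start Puppet Master in Apache -------------------------------------------
service httpd start

# --- puppet-dashboard packages -----------------------------------------------
yum -y install ruby-mysql rubygem-rake mysql mysql-server puppet-dashboard

service mysqld start

# --- MySQL: dashboard DB, DB user, root password -----------------------------
# Everything goes through stdin in one unauthenticated session (fresh
# install, root has no password yet), so no password appears in argv,
# `ps` or the shell history.  The root password is set last.
mysql -u root <<DELIM
CREATE DATABASE dashboard CHARACTER SET utf8;
CREATE USER 'dashboard'@'localhost' IDENTIFIED BY '${db_password}';
GRANT ALL PRIVILEGES ON dashboard.* TO 'dashboard'@'localhost';
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('${mysql_root_password}');
DELIM

# --- puppet-dashboard: config/database.yml -----------------------------------
cd "$dashboard_dir"

backup_file config/database.yml

# The "test" section is left pointing at dashboard_test as in the original;
# this script never creates that database or user.
cat > config/database.yml <<DELIM
production:
  adapter: mysql
  database: dashboard
  username: dashboard
  password: '${db_password}'
  encoding: utf8

development:
  adapter: mysql
  database: dashboard
  username: dashboard
  password: '${db_password}'
  encoding: utf8

test:
  adapter: mysql
  database: dashboard_test
  username: dashboard_test
  password: '${db_password}'
  encoding: utf8
DELIM

# Create the DB tables (RAILS_ENV is not set, as in the original; both
# production and development point at the same database here).
rake db:migrate

# --- puppet-dashboard: config/settings.yml -----------------------------------
cp config/settings.yml.example config/settings.yml

sed -i "s^cn_name:.*^cn_name: 'dashboard'^" config/settings.yml
sed -i "s^ca_server:.*^ca_server: '${fqdn}'^" config/settings.yml
# Left at the example file's defaults (the author had these edits disabled):
#   ca_crl_path, ca_certificate_path, certificate_path, private_key_path,
#   public_key_path

# --- puppet-dashboard keypair and certificate --------------------------------
# TODO(author): minimal permissions.  World-writable gem directories let any
# local user plant code that later runs as puppet-dashboard (and, through
# Passenger, inside httpd); tighten this before exposing the host.
chmod -R 777 /usr/lib/ruby/gems/1.8/gems/rake-*
chmod 755 /usr/lib/ruby/gems/1.8/specifications/*.gemspec
mkdir -p certs
chown puppet-dashboard certs

sudo -u puppet-dashboard rake cert:create_key_pair

# Permissions the author found necessary for the request step.  Note that
# cert:request runs as root in the original while the other rake cert
# tasks run as puppet-dashboard; kept as is.
chmod -R 755 /usr/share/puppet
chown -R puppet:puppet-dashboard /usr/lib/ruby/gems/1.8/gems/passenger-*

rake cert:request

# Sign the dashboard's request on the (local) Puppet CA, then fetch the
# signed certificate and CA files.
puppet cert sign dashboard
sudo -u puppet-dashboard rake cert:retrieve

# --- puppet-dashboard: bin/external_node -------------------------------------
backup_file bin/external_node

sed -i 's%^DASHBOARD_URL.*:.*%DASHBOARD_URL = "https://localhost:443"%' bin/external_node
sed -i "s%^CERT_PATH.*%CERT_PATH = \"/var/lib/puppet/ssl/certs/${fqdn}.pem\"%" bin/external_node
sed -i "s%^PKEY_PATH.*%PKEY_PATH = \"/var/lib/puppet/ssl/private_keys/${fqdn}.pem\"%" bin/external_node
sed -i 's%^CA_PATH.*%CA_PATH = "/var/lib/puppet/ssl/certs/ca.pem"%' bin/external_node

# --- Disable mod_ssl's default vhost -----------------------------------------
# The dashboard vhost below must be the only one on *:443.  Only the
# <VirtualHost ...> stanza is removed (the author did this by hand in vim);
# the LoadModule, Listen 443 and global SSL settings in ssl.conf are kept.
backup_file /etc/httpd/conf.d/ssl.conf
sed -i '/^<VirtualHost /,/^<\/VirtualHost>/d' /etc/httpd/conf.d/ssl.conf
if grep -q '^<VirtualHost' /etc/httpd/conf.d/ssl.conf; then
  die "/etc/httpd/conf.d/ssl.conf still defines a vhost; remove it by hand"
fi

# --- /etc/httpd/conf.d/puppet-dashboard.conf (Apache vhosts) -----------------
cat > /etc/httpd/conf.d/puppet-dashboard.conf <<DELIM
## puppet-dashboard Apache Vhost Configuration

<VirtualHost *:443>

SSLEngine On
## SSLv2 and SSLv3 are disabled.  The cipher list is the author's working
## one and should be reviewed against current guidance.
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

SSLCertificateFile ${dashboard_dir}/certs/dashboard.cert.pem
SSLCertificateKeyFile ${dashboard_dir}/certs/dashboard.private_key.pem
SSLCACertificateFile ${dashboard_dir}/certs/dashboard.ca_cert.pem

## If Apache complains about invalid signatures on the CRL, CRL checking
## can be disabled by commenting the next line, but this is not recommended.
SSLCARevocationFile ${dashboard_dir}/certs/dashboard.ca_crl.pem

SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars

RackAutoDetect On
RackBaseURI /

## If debugging, comment this next line to use the "development" env
SetEnv RAILS_ENV production

ServerName ${fqdn}
DocumentRoot ${dashboard_dir}/public/
<Directory ${dashboard_dir}/public/>
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>

## Report submission from masters.  <Limit POST> scopes the directives to
## POST only (other methods are not restricted by it), and "Allow from all"
## makes the 127.0.0.1 line redundant: unauthenticated uploads are accepted
## from any host.  Restrict this to your masters' addresses if they are known.
<Location /reports/upload>
<Limit POST>
Order allow,deny
Allow from 127.0.0.1
Allow from all
Satisfy any
</Limit>
</Location>

## Node definitions for masters; same access model as /reports/upload.
<Location /nodes>
<Limit GET>
Order allow,deny
Allow from 127.0.0.1
Allow from all
Satisfy any
</Limit>
</Location>

## Web access by humans: no Allow directive, so Basic auth is required.
<Location />
Order allow,deny
Satisfy any
AuthName "Puppet Dashboard"
AuthType Basic
AuthUserFile ${dashboard_dir}/.htpasswd
Require valid-user
</Location>

## Off: do not advertise the server version in error pages.
ServerSignature Off

## Logs
ErrorLog /var/log/httpd/puppet-dashboard_error.log
LogLevel warn
CustomLog /var/log/httpd/puppet-dashboard_access.log combined
CustomLog /var/log/httpd/puppet-dashboard_ssl-request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

## This second vhost lets the puppet master submit reports over plain HTTP
## (see https://groups.google.com/forum/?fromgroups#!topic/puppet-users/7EmUtw87-pw/discussion).
## It is bound to 127.0.0.1 only, so report data never leaves this host and
## no firewall rule is needed for it.  DO NOT change it to listen on other
## addresses unless the master and the dashboard are on the same machine:
## reports would then cross the network unencrypted.

Listen 127.0.0.1:8080
<VirtualHost *:8080>

RackAutoDetect On
RackBaseURI /

## If debugging, comment this next line to use the "development" env
SetEnv RAILS_ENV production

ServerName ${fqdn}
DocumentRoot ${dashboard_dir}/public/
<Directory ${dashboard_dir}/public/>
Options None
AllowOverride None
Order allow,deny
Allow from all
</Directory>

ServerSignature Off

## Logs (the original wrote ErrorLog and CustomLog to the same file)
ErrorLog /var/log/httpd/puppet-dashboard-8080_error.log
LogLevel warn
CustomLog /var/log/httpd/puppet-dashboard-8080_access.log combined
CustomLog /var/log/httpd/puppet-dashboard-8080-request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
DELIM

# --- Basic-auth user for the dashboard web UI (interactive prompt) -----------
htpasswd -c "${dashboard_dir}/.htpasswd" "$dashboard_web_user"

# --- puppet-dashboard config.ru ----------------------------------------------
# TODO(author): determine whether this is necessary.
cp "${dashboard_dir}/vendor/rails/railties/dispatches/config.ru" "${dashboard_dir}/"
chown puppet-dashboard:puppet-dashboard "${dashboard_dir}/config.ru"

# --- MySQL tuning ------------------------------------------------------------
# Raise max_allowed_packet to 32M (per the official puppet-dashboard install
# guide).  The setting is inserted just before [mysqld_safe], i.e. at the
# end of whatever section precedes it -- verify it lands under [mysqld].
# The original re-inserted the header misspelled as "[mysql_safe]".
sed -i".${stamp}.orig" 's/^\[mysqld_safe\]/max_allowed_packet = 32M\n\n[mysqld_safe]/' /etc/my.cnf

service mysqld restart

# --- iptables ----------------------------------------------------------------
# TODO(author): a real firewall policy.  Flushing removes every existing
# rule and leaves the host open until one is written; 8140 (agents) and
# 443 (users) are the only ports that need to be reachable from outside.
iptables -F

# --- Switch from the WEBrick daemons to Apache -------------------------------
# Stopping a service that is not running is not an error here.
/etc/init.d/puppet stop || true
/etc/init.d/puppet-dashboard stop || true
/etc/init.d/httpd stop || true

# WEBrick-backed services must not start on boot; Apache and the workers do.
# (puppet is started below but left disabled at boot, as in the original.)
chkconfig puppet off
chkconfig puppet-dashboard off
chkconfig puppet-dashboard-workers on
chkconfig httpd on

service httpd restart
service puppet-dashboard-workers start

# Finally, the Puppet Master's own agent.
service puppet start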

On Monday, June 18, 2012 12:11:38 PM UTC-4, jbrown wrote:
>
> I'm having the same problem, but I never saw a solution in this thread. 
> I've been over the permissions for config.ru and /var/lib/puppet about a 
> 1000 times and can't see any permissions problems.
>
> -rw-------. 1 puppet puppet 431 Jun 18 00:07 /etc/puppet/rack/config.ru
> (I've also tried 700, 770, 777, and 660. I tried changing ownership to 
> apache.apache, puppet.apache, and apache.puppet.)
>
> $~ ll /var/lib/puppet/
> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 bucket
> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:09 facts
> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:09 lib
> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 reports
> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 rrd
> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 server_data
> drwxrwx---. 8 puppet puppet 4096 Jun 18 00:09 ssl
> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:09 state
> drwxrwx---. 4 puppet puppet 4096 Jun 18 01:12 yaml
>
> Setenforce is 0.
>
> I even went so far as to use "PassengerUser puppet" and "PaasengerGroup 
> puppet" in my vhost, but that didn't help (and has been removed).
>
> Could someone please help me?
>
> Thanks,
> Justin
>
> On Wednesday, May 30, 2012 12:17:59 PM UTC-5, Michael Altfield wrote:
>>
>> Hello Puppet gurus,
>>
>> I'm trying to setup a Puppet environment on CentOS 6. I got it working 
>> using WEBrick, but when I finally got Puppet running through Apache using 
>> Passenger, my Puppet node gets this "403 Forbidden" response (full output 
>> is attached as node.txt):
>>
>> [root@puppetnode-01 ~]# puppetd --waitforcert 30 --server 
>>>> puppetmaster.mydomain.com --debug --verbose --test
>>>
>>> ...
>>>
>>> warning: peer certificate won't be verified in this SSL session
>>>
>>> err: Could not request certificate: Error 403 on SERVER: <!DOCTYPE HTML 
>>>> PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>>
>>> <html><head>
>>>
>>> <title>403 Forbidden</title>
>>>
>>> </head><body>
>>>
>>> <h1>Forbidden</h1>
>>>
>>> <p>You don't have permission to access /production/certificate/ca
>>>
>>> on this server.</p>
>>>
>>> <hr>
>>>
>>> <address>Apache/2.2.15 (CentOS) Server at puppetmaster.mydomain.comPort 
>>> 8140</address>
>>>
>>> </body></html>
>>>
>>>
>> At the same time, the httpd logs show this:
>>
>> [root@dx-puppetmaster-01 ~]# tail -f /var/log/httpd/*
>>>
>>> ...
>>>
>>> ==> /var/log/httpd/error_log <==
>>>
>>> [Wed May 30 12:46:21 2012] [error] [client 10.230.100.155] 
>>>> (13)Permission denied: access to /production/certificate/ca denied
>>>
>>>
>>>> ==> /var/log/httpd/access_log <==
>>>
>>> 10.230.100.155 - - [30/May/2012:12:46:21 -0400] "GET 
>>>> /production/certificate/ca? HTTP/1.1" 403 325 "-" "-"
>>>
>>>
>> The steps I used to install Puppet mostly followed the attached 
>> install.sh script (with slight modifications). I've also tried to follow 
>> this 
>> install 
>> guide<http://www.tomhayman.co.uk/linux/install-puppet-passenger-centos-6-part/>
>>  to 
>> no avail.
>>
>> Although I have not modified my /etc/httpd/conf/httpd.conf file, I've 
>> attached it for reference. I've also attached 
>> /etc/httpd/conf.d/passenger.conf and /usr/share/puppet/rack/puppetmasterd/
>> config.ru. config.ru's perms are 600 puppet:root.
>>
>> Both of these machines are virtualized using Citrix XenServer. Here's 
>> some more info on these boxes:
>>
>> [root@puppetmaster-01 ~]# cat /etc/redhat-release
>> CentOS release 6.2 (Final)
>>
>> [root@puppetmaster-01 ~]# uname -a
>> Linux puppetmaster-01.datalex.com 2.6.32-220.7.1.el6.x86_64 #1 SMP Wed 
>> Mar 7 00:52:02 GMT 2012 x86_64 x86_64 x86_64 GNU/Linux
>>
>> Any help will be greatly appreciated! :)
>>
>
