Hello Jeff,

Thank you for your reply.  It pointed me in the right direction.

Regarding 'proxy_set_header', I don't believe this directive has an
effect on passenger.  For passenger, I believe the
'passenger_set_cgi_param' directive must be used instead.

My mistake was using the wrong parameter.  While HTTP_X_CLIENT_* will
work for 'proxy_set_header', I think you need to use SSL_CLIENT_*
parameters for 'passenger_set_cgi_param'.

Here is the change in nginx.conf that solved the problem for me.

# passenger_set_cgi_param HTTP_X_CLIENT_DN     $ssl_client_s_dn;
# passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
  passenger_set_cgi_param SSL_CLIENT_S_DN      $ssl_client_s_dn;
  passenger_set_cgi_param SSL_CLIENT_VERIFY    $ssl_client_verify;


The puppet client is now able to connect normally.

Regards,
Jon

On Jul 12, 10:44 am, Jeff McCune <j...@puppetlabs.com> wrote:
> Are you sure you want to be using the passenger_set_cgi_param nginx
> directive and not proxy_set_header?
>
> The problem definitely seems to be Puppet not picking up the values
> that should be set in the HTTP_X_CLIENT_VERIFY and HTTP_X_CLIENT_DN
> request headers.
>
> -Jeff
>
> On Thu, Jul 12, 2012 at 7:34 AM, Jon Jaroker <goo...@jaroker.com> wrote:
>
> > Hello, I have been stumped by an authentication / certificate problem
> > and would like to know if anyone has resolved a similar issue.
>
> > My fresh install of Puppet Master 2.7.18 on Debian 6 works normally
> > when run standalone, using 'puppet master --verbose --no-daemonize'.
>
> > When using nginx-passenger in front of the same puppet master,  puppet
> > fails with the authentication error:  '… Forbidden request …  access
> > to /file_metadata/plugins [find] at line 57'
>
> > This failure occurs on the same node that had successfully connected
> > to Puppet Master when it was run standalone.
>
> > The full log errors are here: http://pastebin.com/KH8Pyyw3
>
> > I can work-around this authentication error by appending 'allow *' for
> > 'path /' in the puppet master's auth.conf file.
>
> > Here is the Puppet Master auth.conf file I am using:
> > http://pastebin.com/Ju0ke3rP
>
> > I don't think this workaround is correct: the default authentication
> > policy should not allow access to un-authenticated nodes.
>
> > Here is my nginx.conf file: http://pastebin.com/q7HMuAZ0
>
> > Here is the config.ru configuration file: http://pastebin.com/1aCdsTJE
>
> > Does anyone see what I am doing wrong?  I have already tried deleting
> > and recreating certificates for the agent and master.
>
> > Thank you,
> > Jon
>
> > --
> > You received this message because you are subscribed to the Google Groups 
> > "Puppet Users" group.
> > To post to this group, send email to puppet-users@googlegroups.com.
> > To unsubscribe from this group, send email to 
> > puppet-users+unsubscr...@googlegroups.com.
> > For more options, visit this group at
> > http://groups.google.com/group/puppet-users?hl=en.
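
The mismatch discussed in this thread, as an added example that is not part of the original messages and is not Puppet's or Passenger's code: a simplified Rack-side check that reads the client DN and verification result from configured env keys, run against the env each pair of directives would produce. It assumes the application is configured to read SSL_CLIENT_S_DN and SSL_CLIENT_VERIFY; the helper names and the sample DN are hypothetical.

```ruby
# Added illustration: simplified model of a Rack app that trusts the TLS
# client identity handed over by the front-end web server.

# Constructed sample value (not from the thread).
SAMPLE_DN = "/CN=agent01.example.com"

# Pull the CN out of a subject DN such as "/CN=host" or "CN=host,O=Org".
def common_name(dn)
  m = dn.to_s.match(/(?:^|[\/,])\s*CN\s*=\s*([^\/,]+)/i)
  m && m[1].strip
end

# Identify the caller from the Rack env, reading the DN and the
# verification result from the two keys the app is configured to use.
def client_info(env, dn_key:, verify_key:)
  cn = common_name(env[dn_key])
  return { node: nil, authenticated: false, reason: "#{dn_key} missing or has no CN" } unless cn
  verified = env[verify_key] == "SUCCESS"
  { node: cn, authenticated: verified,
    reason: verified ? "ok" : "#{verify_key}=#{env[verify_key].inspect}" }
end

# Troubleshooting helper: list expected keys absent from the env, plus
# look-alike keys that are present under a different name.
def diagnose(env, expected)
  missing = expected.reject { |k| env.key?(k) }
  lookalikes = env.keys.grep(/CLIENT_(S_)?DN|CLIENT_VERIFY/) - expected
  { missing: missing, lookalikes: lookalikes }
end

# Assumption: the app reads these two keys.
EXPECTED = %w[SSL_CLIENT_S_DN SSL_CLIENT_VERIFY]

# Env as set by the two commented-out directives in the message.
ENV_BEFORE = { "HTTP_X_CLIENT_DN" => SAMPLE_DN, "HTTP_X_CLIENT_VERIFY" => "SUCCESS" }
# Env as set by the two active directives.
ENV_AFTER  = { "SSL_CLIENT_S_DN" => SAMPLE_DN, "SSL_CLIENT_VERIFY" => "SUCCESS" }
# Right key names, but nginx saw no client certificate.
ENV_NOCERT = { "SSL_CLIENT_S_DN" => "", "SSL_CLIENT_VERIFY" => "NONE" }

if __FILE__ == $0
  [ENV_BEFORE, ENV_AFTER, ENV_NOCERT].each do |env|
    p client_info(env, dn_key: EXPECTED[0], verify_key: EXPECTED[1])
    p diagnose(env, EXPECTED)
  end
end
```

With the names mismatched the request is treated as unauthenticated even though nginx verified the certificate, which is the condition the 'allow *' workaround was hiding.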
