Hey folks; I am having issues retrieving the catalog from my master. It seems to be an issue with the ACLs for the /certificate_revocation_list/ca, however it still produces an error when I set the ACLs to allow everything! I am almost certain it has something to do with my non-default installation. Puppet gurus, please assist me. Any and all advice would be helpful. P.S. I have not had issues with Passenger up until I changed the installation root except excessively long (400 sec) SSL sessions for initial runs.
I am running an agent/master configuration with passenger (CentOS 6.2). I installed puppet from source and my file structure looks like this:

    /opt/puppet
    /opt/puppet/etc
    /opt/puppet/etc/puppet
    /opt/puppet/usr
    /opt/puppet/usr/bin
    /opt/puppet/usr/sbin
    /opt/puppet/usr/share
    /opt/puppet/var
    /opt/puppet/var/ssl

My master is able to receive and complete the certificate handshake process. On an agent, after having received confirmation that the handshake completed, it attempts to find /certificate_revocation_list/ca but fails. It produces this error (full trace):

    /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:56:in `deserialize'
    /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:75:in `find'
    /usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:188:in `find'
    /usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:50:in `find'
    /usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:230:in `ssl_store'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:56:in `cert_setup'
    /usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:98:in `http_instance'
    /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:71:in `network'
    /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:75:in `find'
    /usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:188:in `find'
    /usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:50:in `find'
    /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:240:in `retrieve_new_catalog'
    /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:403:in `thinmark'
    /usr/lib/ruby/1.8/benchmark.rb:308:in `realtime'
    /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:402:in `thinmark'
    /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:239:in `retrieve_new_catalog'
    /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:86:in `retrieve_catalog'
    /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:111:in `retrieve_and_apply_catalog'
    /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:150:in `run'
    /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
    /usr/lib/ruby/site_ruby/1.8/puppet/agent/locker.rb:21:in `lock'
    /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
    /usr/lib/ruby/1.8/sync.rb:230:in `synchronize'
    /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
    /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:103:in `with_client'
    /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:37:in `run'
    /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:172:in `call'
    /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:172:in `controlled_run'
    /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:35:in `run'
    /usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:114:in `onetime'
    /usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:88:in `run_command'
    /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:305:in `run'
    /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:420:in `hook'
    /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:305:in `run'
    /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:411:in `exit_on_fail'
    /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:305:in `run'
    /usr/sbin/puppetd:4
    err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: hostname.fqdn.int (NNN.NNN.NNN.NNN) access to /certificate_revocation_list/ca [find] at line 0
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run

The syslog on the master produces this error:

    Aug 8 10:10:16 eng-puppet-vm2 puppet-master[15352]: Forbidden request: hostname.fqdn.int (NNN.NNN.NNN.NNN) access to /certificate_revocation_list/ca [find] at line 0

Here is a look at my configurations:

auth.conf

    path /facts
    method find,search
    auth yes
    allow hostname.fqdn.int

    path ~ ^/catalog/([^/]+)$
    method find
    allow $1

    path /certificate_revocation_list/ca
    method find
    allow *

    path /report
    method save
    allow *.fqdn.int
    allow NNN.NNN.NNN.NNN/16

    path /file
    allow *

    path /certificate/ca
    auth no
    method find
    allow *

    path /certificate/
    auth no
    method find
    allow *

    path /certificate_request
    auth no
    method find, save
    allow *

    path /
    auth any

puppet.conf

    [main]
    server = hostname.fqdn.int
    logdir = /var/log/puppet
    puppetdlog = /var/log/puppet/puppet.log
    rundir = /var/run/puppet
    #ssldir = $vardir/ssl:/etc/puppet/ssl
    modulepath = /opt/puppet/etc/puppet/modules:/usr/share/puppet/modules
    runinterval=900

    [master]
    ssldir = /opt/puppet/var/ssl
    facts_terminus = yaml
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY

    [agent]
    classfile = $vardir/classes.txt
    clientbucketdir = $vardir/client_bucket
    clientyamldir = $vardir/client_yaml
    ssldir = $vardir/ssl