[Puppet Users] Re: 403 Forbidden with Passenger
I'm having the same problem, but I never saw a solution in this thread. I've been over the permissions for config.ru and /var/lib/puppet about 1000 times and can't see any permissions problems.

-rw-------. 1 puppet puppet 431 Jun 18 00:07 /etc/puppet/rack/config.ru

(I've also tried 700, 770, 777, and 660. I tried changing ownership to apache.apache, puppet.apache, and apache.puppet.)

$ ll /var/lib/puppet/
drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 bucket
drwxrwx---. 2 puppet puppet 4096 Jun 18 00:09 facts
drwxrwx---. 2 puppet puppet 4096 Jun 18 00:09 lib
drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 reports
drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 rrd
drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 server_data
drwxrwx---. 8 puppet puppet 4096 Jun 18 00:09 ssl
drwxrwx---. 2 puppet puppet 4096 Jun 18 00:09 state
drwxrwx---. 4 puppet puppet 4096 Jun 18 01:12 yaml

Setenforce is 0. I even went so far as to use PassengerUser puppet and PassengerGroup puppet in my vhost, but that didn't help (and has been removed).

Could someone please help me?

Thanks,
Justin

On Wednesday, May 30, 2012 12:17:59 PM UTC-5, Michael Altfield wrote:
> Hello Puppet gurus,
>
> I'm trying to set up a Puppet environment on CentOS 6. I got it working using WEBrick, but when I finally got Puppet running through Apache using Passenger, my Puppet node gets this 403 Forbidden response (full output is attached as node.txt):
>
> [root@puppetnode-01 ~]# puppetd --waitforcert 30 --server puppetmaster.mydomain.com --debug --verbose --test
> ...
> warning: peer certificate won't be verified in this SSL session
> err: Could not request certificate: Error 403 on SERVER: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>403 Forbidden</title>
> </head><body>
> <h1>Forbidden</h1>
> <p>You don't have permission to access /production/certificate/ca
> on this server.</p>
> <hr>
> <address>Apache/2.2.15 (CentOS) Server at puppetmaster.mydomain.com Port 8140</address>
> </body></html>
>
> At the same time, the httpd logs show this:
>
> [root@dx-puppetmaster-01 ~]# tail -f /var/log/httpd/*
> ...
> ==> /var/log/httpd/error_log <==
> [Wed May 30 12:46:21 2012] [error] [client 10.230.100.155] (13)Permission denied: access to /production/certificate/ca denied
>
> ==> /var/log/httpd/access_log <==
> 10.230.100.155 - - [30/May/2012:12:46:21 -0400] "GET /production/certificate/ca? HTTP/1.1" 403 325 "-" "-"
>
> The steps I used to install Puppet mostly followed the attached install.sh script (with slight modifications). I've also tried to follow this install guide (http://www.tomhayman.co.uk/linux/install-puppet-passenger-centos-6-part/) to no avail.
>
> Although I have not modified my /etc/httpd/conf/httpd.conf file, I've attached it for reference. I've also attached /etc/httpd/conf.d/passenger.conf and /usr/share/puppet/rack/puppetmasterd/config.ru. config.ru's perms are 600 puppet:root.
>
> Both of these machines are virtualized using Citrix XenServer. Here's some more info on these boxes:
>
> [root@puppetmaster-01 ~]# cat /etc/redhat-release
> CentOS release 6.2 (Final)
> [root@puppetmaster-01 ~]# uname -a
> Linux puppetmaster-01.datalex.com 2.6.32-220.7.1.el6.x86_64 #1 SMP Wed Mar 7 00:52:02 GMT 2012 x86_64 x86_64 x86_64 GNU/Linux
>
> Any help will be greatly appreciated! :)

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/3A-FoU9nGokJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
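The "(13)Permission denied: access to /production/certificate/ca denied" line in the error_log quoted above is httpd's own filesystem check failing (EACCES) while it resolves the request under DocumentRoot, which happens before Passenger hands anything to Puppet, so Puppet's auth.conf is not involved; the account httpd runs the request as (apache, or the PassengerUser) needs execute permission on every directory leading to config.ru and read permission on the file. The script below is an added example, not code from this thread, that audits exactly that for a given account from the mode bits; it assumes Linux with GNU coreutils (stat -c, id), an absolute path, a non-root service account, and the user and path arguments are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether a service account can reach a
# Rack app's config.ru the way httpd's "(13)Permission denied" check does: it needs
# execute (traverse) on every directory leading to the file and read on the file.
# Assumes Linux with GNU coreutils (stat -c, id), an absolute path, and a non-root
# account (root bypasses mode bits, so auditing it is meaningless). DAC bits only:
# with SELinux enforcing, a denial can also come from the file context.

# user_has USER PATH BIT -> success if USER's mode-bit class on PATH includes BIT
# (BIT is 4 for read, 1 for execute/traverse). Returns 2 if PATH cannot be stat'ed.
user_has() {
  user=$1 path=$2 bit=$3
  out=$(stat -c '%a %u %g' "$path" 2>/dev/null) || return 2
  set -- $out
  mode=$(printf '%04d' "$1"); mode=${mode#"${mode%???}"}   # keep the rwx digits only
  uid=$(id -u "$user") || return 2
  if [ "$uid" = "$2" ]; then digit=${mode%??}               # owner class
  elif id -G "$user" | tr ' ' '\n' | grep -qx "$3"; then
    d=${mode%?}; digit=${d#?}                               # group class
  else digit=${mode#??}; fi                                 # other class
  [ $(( $digit & $bit )) -ne 0 ]
}

# audit_access USER FILE -> one verdict per path component; returns 1 on any denial
audit_access() {
  user=$1 target=$2 rc=0 prefix=''
  id -u "$user" >/dev/null 2>&1 || { echo "no such user: $user"; return 2; }
  case $target in /*) ;; *) echo "absolute path required: $target"; return 2;; esac
  rest=${target%/*}; rest=${rest#/}        # parent directory without leading slash
  while [ -n "$rest" ]; do
    comp=${rest%%/*}; rest=${rest#"$comp"}; rest=${rest#/}
    prefix="$prefix/$comp"
    if user_has "$user" "$prefix" 1; then echo "ok    traverse $prefix"
    else echo "DENY  traverse $prefix ($(stat -c '%a %U:%G' "$prefix" 2>/dev/null))"; rc=1; fi
  done
  if user_has "$user" "$target" 4; then echo "ok    read     $target"
  else echo "DENY  read     $target ($(stat -c '%a %U:%G' "$target" 2>/dev/null))"; rc=1; fi
  command -v getenforce >/dev/null 2>&1 && echo "selinux: $(getenforce)"
  return $rc
}

# usage (placeholders): sh audit.sh apache /usr/share/puppet/rack/puppetmasterd/config.ru
if [ $# -ge 2 ]; then audit_access "$1" "$2"; fi
```

Run it as root so that every directory can be stat'ed, passing the account Passenger actually runs the app as; a DENY on any directory above config.ru (for Justin's layout, /etc/puppet or /etc/puppet/rack) is the condition that produces exactly this httpd error.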
[Puppet Users] Re: 403 Forbidden with Passenger
jbrown,

Sorry for not posting my solution. I've been working on this install for weeks, and I *did* overcome this error, but I've had to overcome so many errors, I can't recall the exact fix. iirc, the solution might have been installing rubygem-rack through yum as opposed to gems.

In any case, here are the commands I have come up with to successfully install Puppet Master and puppet-dashboard on CentOS 6.2. (Note: this is incomplete: I'm still working on getting the Inventory Service up and running, and this install procedure still needs some hardening). FWIW:

# run this on just the Puppet Master, which should be running CentOS 6

# Generate Entropy for random-seed from Gold Image for Cert Generation
wget -O /var/lib/random-seed http://www.random.org/cgi-bin/randbyte?nbytes=200

# Configure DNS
echo "10.10.10.2 dashboard puppet" >> /etc/hosts # skip this if DNS is set up properly
echo "10.10.10.3 puppetnode-01 puppetnode-01.mydomain.com" >> /etc/hosts
echo "10.10.10.4 puppetnode-02 puppetnode-02.mydomain.com" >> /etc/hosts
# …

# Add Repository - yum.puppetlabs.com
cat > /etc/yum.repos.d/puppetlabs.repo <<'DELIM'
[puppetlabs]
name=puppetlabs
enabled=1
baseurl=http://yum.puppetlabs.com/el/6/products/x86_64/
gpgcheck=0
DELIM

# Add Repository - EPEL
rpm -ivh https://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm

# Apply Changes to yum
yum -y update

# Install Dependencies - yum
yum -y install gcc-c++ make httpd httpd-devel mod_ssl puppet ruby-devel rubygem-rack curl-devel openssl-devel zlib-devel

# Install Dependencies - passenger
# this next command tends to fail 10% of the time with "ERROR: http://rubygems.org/ does not appear to be a repository."
# If this happens, just try again in a few minutes. The website is probably experiencing overload.
gem install passenger
passenger-install-apache2-module -a

# Configure Puppet
# create backup
cp /etc/puppet/puppet.conf /etc/puppet/puppet.conf.`date +%Y%m%d%H%M%S`.orig
# clobber old puppet.conf (quoted delimiter so $vardir/$confdir are written literally)
cat > /etc/puppet/puppet.conf <<'DELIM'
[main]
    logdir = /var/log/puppet
    vardir = /var/lib/puppet
    confdir = /etc/puppet
    ssldir = /var/lib/puppet/ssl
    rundir = /var/run/puppet
    factpath = $vardir/lib/facter
    templatedir = $confdir/templates

[master]
    certname = 12345
    dns_alt_names = puppet,dashboard,1234,12345
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY
    reports = store, http
    reporturl = http://12345:8080/reports/upload

[agent]
    server = dashboard
    report = true

[cert]
    autosign = false
DELIM

# replace all instances of 12345 in puppet.conf with the FQDN
sed -e s,12345,`hostname`,g -i /etc/puppet/puppet.conf

# Puppet Master config.ru - Create
mkdir -p /usr/share/puppet/rack/puppetmasterd
mkdir /usr/share/puppet/rack/puppetmasterd/public
mkdir /usr/share/puppet/rack/puppetmasterd/tmp
cat > /usr/share/puppet/rack/puppetmasterd/config.ru <<'DELIM'
ARGV << "--rack"
require 'puppet/application/master'
run Puppet::Application[:master].run
#eof
DELIM

# Puppet Master config.ru - Permissions
chown puppet /usr/share/puppet/rack/puppetmasterd/config.ru

# Configure puppet-master.conf - Apache vhost
cat > /etc/httpd/conf.d/puppet-master.conf <<'DELIM'
## Puppetmaster Apache Vhost Configuration

# Update the paths of the next 2 lines to match your installed version of passenger
LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-3.0.13/ext/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-3.0.13
PassengerRuby /usr/bin/ruby

## Passenger Limits
PassengerHighPerformance On
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off

Listen 8140

<VirtualHost *:8140>
    ServerName puppetmaster-01.mydomain.com
    SSLEngine on
    SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
    SSLCertificateFile /var/lib/puppet/ssl/certs/12345.pem
    SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/12345.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
    ## CRL checking should be enabled; if you have problems with
    ## Apache complaining about the CRL, disable the next line
    SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient optional
    SSLVerifyDepth 1
    SSLOptions +StdEnvVars

    ## The following client headers allow the same configuration
    ## to work with Pound.
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    RackAutoDetect On
    DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
    <Directory /usr/share/puppet/rack/puppetmasterd>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
DELIM

# replace all instances of 12345 in puppet-master.conf with the hostname
sed -e s,12345,`hostname`,g -i /etc/httpd/conf.d/puppet-master.conf

# Generate Puppet Master Certificates
# run this command to generate the puppet master certificates. Once you
[Puppet Users] Re: 403 Forbidden with Passenger
Michael,

Thanks for the quick response. I'll take a closer look at the instructions and see if they work in my environment. I appreciate the thoughtful reply.

Cheers,
Justin

On Monday, June 18, 2012 12:31:28 PM UTC-5, Michael Altfield wrote: