[Puppet Users] Re: 403 Forbidden with Passenger

2012-06-18 Thread jbrown
I'm having the same problem, but I never saw a solution in this thread. 
I've been over the permissions for config.ru and /var/lib/puppet about a 
1000 times and can't see any permissions problems.

-rw-------. 1 puppet puppet 431 Jun 18 00:07 /etc/puppet/rack/config.ru
(I've also tried 700, 770, 777, and 660. I tried changing ownership to 
apache.apache, puppet.apache, and apache.puppet.)

$~ ll /var/lib/puppet/
drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 bucket
drwxrwx---. 2 puppet puppet 4096 Jun 18 00:09 facts
drwxrwx---. 2 puppet puppet 4096 Jun 18 00:09 lib
drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 reports
drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 rrd
drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 server_data
drwxrwx---. 8 puppet puppet 4096 Jun 18 00:09 ssl
drwxrwx---. 2 puppet puppet 4096 Jun 18 00:09 state
drwxrwx---. 4 puppet puppet 4096 Jun 18 01:12 yaml

Setenforce is 0.

I even went so far as to use PassengerUser puppet and PassengerGroup 
puppet in my vhost, but that didn't help (and has been removed).

Could someone please help me?

Thanks,
Justin

On Wednesday, May 30, 2012 12:17:59 PM UTC-5, Michael Altfield wrote:

 Hello Puppet gurus,

 I'm trying to set up a Puppet environment on CentOS 6. I got it working 
 using WEBrick, but when I finally got Puppet running through Apache using 
 Passenger, my Puppet node gets this 403 Forbidden response (full output 
 is attached as node.txt):

 [root@puppetnode-01 ~]# puppetd --waitforcert 30 --server puppetmaster.mydomain.com --debug --verbose --test

 ...

 warning: peer certificate won't be verified in this SSL session

 err: Could not request certificate: Error 403 on SERVER: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
 <html><head>
 <title>403 Forbidden</title>
 </head><body>
 <h1>Forbidden</h1>
 <p>You don't have permission to access /production/certificate/ca
 on this server.</p>
 <hr>
 <address>Apache/2.2.15 (CentOS) Server at puppetmaster.mydomain.com Port 8140</address>
 </body></html>


 At the same time, the httpd logs show this:

 [root@dx-puppetmaster-01 ~]# tail -f /var/log/httpd/*

 ...

 ==> /var/log/httpd/error_log <==

 [Wed May 30 12:46:21 2012] [error] [client 10.230.100.155] (13)Permission denied: access to /production/certificate/ca denied


 ==> /var/log/httpd/access_log <==

 10.230.100.155 - - [30/May/2012:12:46:21 -0400] "GET /production/certificate/ca? HTTP/1.1" 403 325 "-" "-"


 The steps I used to install Puppet mostly followed the attached install.sh 
 script (with slight modifications). I've also tried to follow this 
 install guide (http://www.tomhayman.co.uk/linux/install-puppet-passenger-centos-6-part/) 
 to no avail.

 Although I have not modified my /etc/httpd/conf/httpd.conf file, I've 
 attached it for reference. I've also attached 
 /etc/httpd/conf.d/passenger.conf and /usr/share/puppet/rack/puppetmasterd/
 config.ru. config.ru's perms are 600 puppet:root.

 Both of these machines are virtualized using Citrix XenServer. Here's some 
 more info on these boxes:

 [root@puppetmaster-01 ~]# cat /etc/redhat-release
 CentOS release 6.2 (Final)

 [root@puppetmaster-01 ~]# uname -a
 Linux puppetmaster-01.datalex.com 2.6.32-220.7.1.el6.x86_64 #1 SMP Wed 
 Mar 7 00:52:02 GMT 2012 x86_64 x86_64 x86_64 GNU/Linux

 Any help will be greatly appreciated! :)


-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/puppet-users/-/3A-FoU9nGokJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.
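A traversal check for the "(13)Permission denied" 403 quoted above, added here as an example and not code from either poster. Apache stats the request path beneath DocumentRoot as its own user ("apache" on CentOS, assumed below), so every directory from / down to DocumentRoot needs the execute bit for that user, and config.ru must be readable by whichever account loads it; the default paths are the /usr/share/puppet/rack/puppetmasterd ones from the install script, and any other path (such as /etc/puppet/rack/config.ru) can be passed as an argument.

```python
import grp
import os
import pwd
import stat

# Added diagnostic for the "(13)Permission denied: access to ... denied" 403
# in this thread (not code from the thread). Apache stats the requested path
# under DocumentRoot as the httpd user, so every directory from / down to it
# must be traversable (x) by that user and any file (config.ru) readable (r)
# by whoever loads it. Only DAC mode bits are checked; SELinux is separate.


def denied_component(path, uid, gids):
    """Return (prefix, mode) for the first path element that denies uid (with
    group set gids) traversal, or read for a non-directory; None if all pass."""
    if uid == 0:
        return None  # root bypasses DAC permission bits
    parts = [p for p in os.path.abspath(path).split(os.sep) if p]
    prefixes = [os.sep] + [os.sep + os.sep.join(parts[:i + 1])
                           for i in range(len(parts))]
    for prefix in prefixes:
        st = os.stat(prefix)
        need = stat.S_IXUSR if stat.S_ISDIR(st.st_mode) else stat.S_IRUSR
        if st.st_uid == uid:
            bit = need          # owner triplet
        elif st.st_gid in gids:
            bit = need >> 3     # same permission in the group triplet
        else:
            bit = need >> 6     # same permission in the other triplet
        if not st.st_mode & bit:
            return prefix, oct(stat.S_IMODE(st.st_mode))
    return None


def check_for_user(path, username="apache"):
    """Resolve a local account (default 'apache', the CentOS httpd user; an
    assumption) to its uid and full group set, then run denied_component."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return denied_component(path, pw.pw_uid, gids)


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:] or ["/usr/share/puppet/rack/puppetmasterd/public",
                               "/usr/share/puppet/rack/puppetmasterd/config.ru"]
    for target in targets:
        result = check_for_user(target)
        print("%s: %s" % (target, "ok" if result is None
                          else "denied at %s (mode %s)" % result))
```

A denial reported at a directory above DocumentRoot (for example a 0700 parent) produces the same Apache error as a wrong mode on config.ru itself, which is why checking only the final file, as in the first post, can come up empty.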



[Puppet Users] Re: 403 Forbidden with Passenger

2012-06-18 Thread Michael Altfield
jbrown,

Sorry for not posting my solution. I've been working on this install for 
weeks, and I *did* overcome this error, but I've had to overcome so many 
errors, I can't recall the exact fix. iirc, the solution might have been 
installing rubygem-rack through yum as opposed to gems.

In any case, here are the commands I have come up with to successfully 
install Puppet Master & puppet-dashboard on CentOS 6.2. (Note: this is 
incomplete: I'm still working on getting the Inventory Service up and 
running, and this install procedure still needs some hardening). FWIW:

# run this on just the Puppet Master, which should be running CentOS 6

# Generate Entropy for random-seed from Gold Image for Cert Generation

wget -O /var/lib/random-seed http://www.random.org/cgi-bin/randbyte?nbytes=200
# Configure DNS

echo "10.10.10.2 dashboard puppet" >> /etc/hosts

# skip this if DNS is setup properly
echo "10.10.10.3 puppetnode-01 puppetnode-01.mydomain.com" >> /etc/hosts
echo "10.10.10.4 puppetnode-02 puppetnode-02.mydomain.com" >> /etc/hosts
# …
# Add Repository - yum.puppetlabs.com

cat > /etc/yum.repos.d/puppetlabs.repo << 'DELIM'
[puppetlabs]
name=puppetlabs
enabled=1
baseurl=http://yum.puppetlabs.com/el/6/products/x86_64/
gpgcheck=0

DELIM
# Add Repository - EPEL

rpm -ivh https://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm

# Apply Changes to yum
yum -y update
# Install Dependencies - yum

yum -y install gcc-c++ make httpd httpd-devel mod_ssl puppet ruby-devel rubygem-rack curl-devel openssl-devel zlib-devel
# Install Dependencies - passenger

# this next command tends to fail 10% of the time with "ERROR: http://rubygems.org/
# does not appear to be a repository". If this happens, just try again in a few
# minutes. The website is probably experiencing overload.
gem install passenger
passenger-install-apache2-module -a
# Configure Puppet

# create backup
cp /etc/puppet/puppet.conf /etc/puppet/puppet.conf.`date +%Y%m%d%H%M%S`.orig

# clobber old puppet.conf (delimiter quoted so $vardir and $confdir reach the file unexpanded)
cat > /etc/puppet/puppet.conf << 'DELIM'
[main]
logdir = /var/log/puppet
vardir = /var/lib/puppet
confdir = /etc/puppet
ssldir = /var/lib/puppet/ssl
rundir = /var/run/puppet
factpath = $vardir/lib/facter
templatedir = $confdir/templates

[master]
certname = 12345
dns_alt_names = puppet,dashboard,1234,12345
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

reports = store, http
reporturl = http://12345:8080/reports/upload

[agent]
server = dashboard
report = true

[cert]
autosign = false

DELIM

# replace all instances of 12345 in puppet.conf with the FQDN
sed -e "s,12345,`hostname`,g" -i /etc/puppet/puppet.conf
# Puppet Master config.ru - Create

mkdir -p /usr/share/puppet/rack/puppetmasterd
mkdir /usr/share/puppet/rack/puppetmasterd/public
mkdir /usr/share/puppet/rack/puppetmasterd/tmp

cat > /usr/share/puppet/rack/puppetmasterd/config.ru << 'DELIM'
ARGV << "--rack"
require 'puppet/application/master'
run Puppet::Application[:master].run
#eof

DELIM
# Puppet Master config.ru - Permissions

chown puppet /usr/share/puppet/rack/puppetmasterd/config.ru
# Configure puppet-master.conf - Apache vhost

cat > /etc/httpd/conf.d/puppet-master.conf << 'DELIM'
## Puppetmaster Apache Vhost Configuration

# Update the paths of the next 2 lines to match your installed version of passenger
LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-3.0.13/ext/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-3.0.13
PassengerRuby /usr/bin/ruby

## Passenger Limits
PassengerHighPerformance On
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off

Listen 8140

<VirtualHost *:8140>
ServerName puppetmaster-01.mydomain.com

SSLEngine on
SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA

SSLCertificateFile /var/lib/puppet/ssl/certs/12345.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/12345.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem

## CRL checking should be enabled; if you have problems with
## Apache complaining about the CRL, disable the next line
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars

## The following client headers allow the same configuration
## to work with Pound.
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

RackAutoDetect On

DocumentRoot /usr/share/puppet/rack/puppetmasterd/public

<Directory /usr/share/puppet/rack/puppetmasterd>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>

DELIM

# replace all instances of 12345 in puppet-master.conf with the hostname
sed -e "s,12345,`hostname`,g" -i /etc/httpd/conf.d/puppet-master.conf
# Generate Puppet Master Certificates

# run this command to generate the puppet master certificates. Once you 

[Puppet Users] Re: 403 Forbidden with Passenger

2012-06-18 Thread jbrown
Michael,

Thanks for the quick response. I'll take a closer look at the instructions 
and see if they work in my environment. 

I appreciate the thoughtful reply.

Cheers,
Justin

On Monday, June 18, 2012 12:31:28 PM UTC-5, Michael Altfield wrote:
