Re: [Puppet Users] Puppet with Passenger - 403 Forbidden
On 12/03/13 09:09, Gavin Williams wrote:
> Morning all
>
> Am in the process of testing a migration of Puppet 3 from webrick to Puppet.
> Have found the foreman modules (https://github.com/theforeman) which seems to take care of a lot of the leg-work...
>
> However having got Puppet running with Passenger in Apache, whenever trying to access the Puppet master from a client, I was getting a '403 Forbidden error'.
>
> Have dug around a bit, I found the auth.conf file. Made a slight tweak as follows:
>
> -bash-4.1$ git diff templates/auth.conf.erb diff --git a/templates/auth.conf.erb b/templates/auth.conf.erb index 04ef5c6..f064584 100644 --- a/templates/auth.conf.erb +++ b/templates/auth.conf.erb
> @@ -104,3 +104,4 @@ allow %= puppetmaster rescue fqdn % # of showing the default policy, which is deny everything else path / auth any +allow *
>
> Restarted Apache, and Puppet agent sprang into Life...
>
> So looking at the file, it's the default Puppet auth.conf file, so the question becomes - Should the above additional line be required? Or is it masking something else?

It shouldn't be required - I think your suspicion that it's masking something is correct. The last line in the default auth.conf is a deny all, so you're changing this to an allow all, giving access to any catalog or file to any client.

Do you have any indication on the client as to what request failed? i.e. was it the catalog request, or pluginsync etc. You can try correlating the error to Apache's access log to verify the URL it's trying to access on the puppetmaster.

If you're using the Foreman modules, you shouldn't have this issue, but you should have some RequestHeader lines in the puppetmaster vhost that set client certificate details and SSLCACertificateFile + SSLVerifyClient to enable verification. It could be that the client cert isn't getting verified by mod_ssl and so the puppetmaster can't use the client's identity to permit access to URLs.

--
Dominic Cleal
Red Hat Engineering
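Review bot: the added `allow *` at the end of the hunk lands in the final `path /` / `auth any` stanza, which the comment just above it describes as the default policy of denying everything else, so the catch-all now permits every path to any client whether or not it presented a verified certificate. Drop the line and keep the catch-all as a deny; if one specific request is being refused, add a narrowly scoped path stanza for that request above the catch-all instead, and if this was only a debugging step, mark it as such in a comment and revert it once the failing request has been identified.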
Re: [Puppet Users] Puppet with Passenger - 403 Forbidden
Hmmm, v.strange...

I've just reverted the auth.conf change, and it appears to be working as expected... :s

So sounds like there was another issue at play... Will see if I can replicate it...

Cheers
Gavin

On Tuesday, 12 March 2013 09:26:15 UTC, Dominic Cleal wrote:
> It shouldn't be required - I think your suspicion that it's masking something is correct. The last line in the default auth.conf is a deny all, so you're changing this to an allow all, giving access to any catalog or file to any client.
>
> Do you have any indication on the client as to what request failed? i.e. was it the catalog request, or pluginsync etc. You can try correlating the error to Apache's access log to verify the URL it's trying to access on the puppetmaster.
>
> If you're using the Foreman modules, you shouldn't have this issue, but you should have some RequestHeader lines in the puppetmaster vhost that set client certificate details and SSLCACertificateFile + SSLVerifyClient to enable verification. It could be that the client cert isn't getting verified by mod_ssl and so the puppetmaster can't use the client's identity to permit access to URLs.
>
> --
> Dominic Cleal
> Red Hat Engineering
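A check for the catch-all rule discussed in this thread, as an added example that is not part of the original posts and is not code from Puppet or the Foreman modules: it parses a legacy-format auth.conf and reports any `path /` stanza that carries `allow *`. The sample file content and the function names are constructed for illustration.

```python
# Added example: lint a legacy-format Puppet auth.conf for an open catch-all.
# SAMPLE is constructed; the function names are hypothetical.
SAMPLE = """\
path /certificate_revocation_list/ca
method find
allow *

# deny everything else
path /
auth any
allow *
"""

CERT_REQUIRED = {"yes", "on", "true"}  # auth values that demand a verified cert


def parse_stanzas(text):
    """Split auth.conf text into stanzas, one per 'path' directive."""
    stanzas = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split(None, 1)  # drop comments, split key/value
        if not parts:
            continue
        key, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if key == "path":
            # auth defaults to "yes" when a stanza omits it
            stanzas.append({"path": value, "line": lineno, "auth": "yes", "allow": []})
        elif stanzas and key == "allow":
            stanzas[-1]["allow"] += [v.strip() for v in value.split(",")]
        elif stanzas and key in ("auth", "authenticated"):
            stanzas[-1]["auth"] = value.lower()
    return stanzas


def open_catch_alls(text):
    """Return (line, auth, cert_required) for each 'path /' stanza with 'allow *'."""
    return [
        (s["line"], s["auth"], s["auth"] in CERT_REQUIRED)
        for s in parse_stanzas(text)
        if s["path"] == "/" and "*" in s["allow"]
    ]


if __name__ == "__main__":
    for line, auth, cert_required in open_catch_alls(SAMPLE):
        print(f"line {line}: 'path /' allows '*' (auth {auth}, "
              f"verified cert required: {cert_required})")
```

Scoped stanzas such as the CRL path in the sample are not reported; only the prefix path `/`, which matches every request, is treated as a catch-all.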
Re: [Puppet Users] Puppet with Passenger - 403 Forbidden errors???
Hi,

what does apache commit to the error log when an agent tries to connect?

Thanks,
Felix

On 02/12/2013 10:22 PM, Gavin Williams wrote:
> Hi all
>
> I'm trying to migrate our existing Puppet env from WeBrick to Passenger with Apache.
>
> I followed the following tutorials
> http://wiki.unixcraft.com/display/MainPage/Puppet+3.0+Installation+on+Centos+6.3
> http://aricgardner.com/deployment/puppet-2/puppet-master-on-centos-5-7-with-passenger-and-foreman/
>
> However whenever I try and communicate with the puppet master, I'm getting a 403 forbidden error.
>
> ENC Classifier:
> $ ./node.rb puppet-test.card.co.uk
> Error retrieving node puppet-test.card.co.uk: Net::HTTPForbidden
>
> Puppet Agent:
> $ sudo puppet agent -t
> Warning: Unable to fetch my node definition, but the agent run will continue:
> Warning: Error 403 on SERVER: Forbidden request: puppet-os.card.co.uk(192.168.150.118) access to /node/puppet-os.card.co.uk [find] at :99
> Info: Retrieving plugin
> Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: Error 403 on SERVER: Forbidden request: puppet-os.card.co.uk(192.168.150.118) access to /file_metadata/plugins [search] at :99
> Error: /File[/var/lib/puppet/lib]: Could not evaluate: Error 403 on SERVER: Forbidden request: puppet-os.card.co.uk(192.168.150.118) access to /file_metadata/plugins [find] at :99 Could not retrieve file metadata for puppet://puppet.card.co.uk/plugins: Error 403 on SERVER: Forbidden request: puppet-os.card.co.uk(192.168.150.118) access to /file_metadata/plugins [find] at :99
> Info: Loading facts in /etc/puppet/modules/puppet/lib/facter/etckepper_puppet.rb
> Info: Loading facts in /etc/puppet/modules/stdlib/lib/facter/puppet_vardir.rb
> Info: Loading facts in /etc/puppet/modules/stdlib/lib/facter/root_home.rb
> Info: Loading facts in /etc/puppet/modules/stdlib/lib/facter/facter_dot_d.rb
> Info: Loading facts in /etc/puppet/modules/concat/lib/facter/concat_basedir.rb
> Info: Loading facts in /etc/puppet/modules/act/lib/facter/oracle_sids.rb
> Info: Loading facts in /etc/puppet/modules/act/lib/facter/smo_version.rb
> Info: Loading facts in /etc/puppet/modules/firewall/lib/facter/iptables.rb
> Info: Loading facts in /var/lib/puppet/lib/facter/oracle_sids.rb
> Info: Loading facts in /var/lib/puppet/lib/facter/concat_basedir.rb
> Info: Loading facts in /var/lib/puppet/lib/facter/puppet_vardir.rb
> Info: Loading facts in /var/lib/puppet/lib/facter/iptables.rb
> Info: Loading facts in /var/lib/puppet/lib/facter/root_home.rb
> Info: Loading facts in /var/lib/puppet/lib/facter/facter_dot_d.rb
> Info: Loading facts in /var/lib/puppet/lib/facter/smo_version.rb
> Info: Loading facts in /var/lib/puppet/lib/facter/etckepper_puppet.rb
> Error: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: puppet-os.card.co.uk(192.168.150.118) access to /catalog/puppet-os.card.co.uk [find] at :99
> Warning: Not using cache on failed catalog
> Error: Could not retrieve catalog; skipping run
> Error: Could not send report: Error 403 on SERVER: Forbidden request: puppet-os.card.co.uk(192.168.150.118) access to /report/puppet-os.card.co.uk [save] at :99
>
> Any ideas on what could be the cause? I've checked file permissions etc, and from what I can gather they are correct.
>
> Cheers in advance for any responses.
>
> Regards
> Gavin
Re: [Puppet Users] Puppet with Passenger - 403 Forbidden errors???
There was/is nothing in the error_log...

Cheers
Gav

On 14 February 2013 12:20, Felix Frank felix.fr...@alumni.tu-berlin.de wrote:
> Hi,
>
> what does apache commit to the error log when an agent tries to connect?
>
> Thanks,
> Felix
Re: [Puppet Users] Puppet with Passenger - 403 Forbidden errors???
Okay then, how about puppet's master log and masterhttpd log?

On 02/14/2013 01:41 PM, fatmcgav wrote:
> There was/is nothing in the error_log...
>
> Cheers
> Gav