Issue #2828 has been updated by Christian Hofstaedtler.

Can you please try with the patch from 
http://groups.google.com/group/puppet-dev/msg/b15e1c93bbc70fdb? (only need to 
apply this on the server).

To clarify: you're saying that only _new_ clients do not work, clients with an 
existing certificate work?

----------------------------------------
Bug #2828: Passenger problem connecting new puppet client to new puppetmaster
http://projects.reductivelabs.com/issues/2828

Author: Pete Emerson
Status: Investigating
Priority: Normal
Assigned to: Christian Hofstaedtler
Category: passenger
Target version: 
Affected version: 0.25.1
Keywords: 
Branch: 


I think this issue may be similar to Bug #2617 and #2619. However, #2619 is 
marked as a duplicate of #2617, but #2617 has been addressed in 0.25.1 (which 
is where I see the problem), 
and bug #2617 says that it does not affect a fresh puppetmaster install, 
whereas my bug does.

When run on the puppetmaster node, puppet runs fine as a client of itself.
When run on a new puppet client node using webrick for the puppetmaster, puppet 
runs fine.
When I run on a new puppet client node using webrick for the puppetmaster, and 
then switch over to passenger, puppet runs fine.
When run on a new puppet client node using passenger, puppet does not run, and 
it produces the following error (complete logs below):

<pre>
err: Could not retrieve catalog from remote server: Error 403 on SERVER: 
Forbidden request: 01.test.dev.nym1(ip.address.is.here) access to 
/certificate_revocation_list/ca [find] at line 93
</pre>

Versions:

CentOS release 5.4
ruby 1.8.5 (2006-08-25) [x86_64-linux]
puppet-server-0.25.1-0.2.rc2.el5
puppet-0.25.1-0.2.rc2.el5
fastthread (1.0.7)
passenger (2.2.5)
rack (1.0.1)
rake (0.8.7)

Puppet client logs:

<pre>
[[email protected] ~]$ ssh [email protected] 
'/usr/sbin/puppetd --server=01.puppetmaster.dev.nym1 --test --report --trace 
--verbose --debug --ignorecache'
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does 
not exist
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
debug: Failed to load library 'ldap' for feature 'ldap'
debug: /File[/var/lib/puppet/ssl/private_keys/01.client.dev.nym1.pem]: 
Autorequiring File[/var/lib/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring 
File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring 
File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/public_keys/01.client.dev.nym1.pem]: 
Autorequiring File[/var/lib/puppet/ssl/public_keys]
debug: /File[/etc/puppet/namespaceauth.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/state/graphs]: Autorequiring 
File[/var/lib/puppet/state]
debug: /File[/var/lib/puppet/clientbucket]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/client_yaml]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring 
File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/private]: Autorequiring 
File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/certs/01.client.dev.nym1.pem]: Autorequiring 
File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/log/puppet/http.log]: Autorequiring File[/var/log/puppet]
debug: /File[/var/run/puppet/puppetd.pid]: Autorequiring File[/var/run/puppet]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring 
File[/var/lib/puppet/ssl]
debug: Finishing transaction 23456269667260 with 0 changes
debug: Using cached certificate for ca
debug: Using cached certificate for 01.client.dev.nym1
debug: Using cached certificate for ca
debug: Using cached certificate for 01.client.dev.nym1
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:55:in `deserialize'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:198:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:51:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:227:in `ssl_store'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:56:in `cert_setup'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:100:in `http_instance'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:65:in `network'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:198:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:51:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:94:in `retrieve_catalog'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:417:in `thinmark'
/usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
/usr/lib/ruby/1.8/benchmark.rb:307:in `realtime'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:416:in `thinmark'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:93:in `retrieve_catalog'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:140:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent/locker.rb:21:in `lock'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
/usr/lib/ruby/1.8/sync.rb:229:in `synchronize'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:130:in `with_client'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:51:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application/puppetd.rb:103:in `onetime'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `send'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `run_command'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
/usr/sbin/puppetd:159
err: Could not retrieve catalog from remote server: Error 403 on SERVER: 
Forbidden request: 01.client.dev.nym1(ip.address.is.here) access to 
/certificate_revocation_list/ca [find] at line 0
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
</pre>

Puppet server logs:

<pre>
Nov 17 21:15:59 (mount[files]) allowing * access
Nov 17 21:15:59 Starting Puppet server version 0.25.1
Nov 17 21:15:59 Inserting default '~ ^/catalog/([^/]+)$'(auth) acl because 
/etc/puppet/auth.conf doesn't exist
Nov 17 21:15:59 Inserting default '/file'(non-auth) acl because 
/etc/puppet/auth.conf doesn't exist
Nov 17 21:15:59 Inserting default '/certificate_revocation_list/ca'(auth) acl 
because /etc/puppet/auth.conf doesn't exist
Nov 17 21:15:59 Inserting default '/report'(auth) acl because 
/etc/puppet/auth.conf doesn't exist
Nov 17 21:15:59 Inserting default '/certificate/ca'(non-auth) acl because 
/etc/puppet/auth.conf doesn't exist
Nov 17 21:15:59 Inserting default '/certificate/'(non-auth) acl because 
/etc/puppet/auth.conf doesn't exist
Nov 17 21:15:59 Inserting default '/certificate_request'(non-auth) acl because 
/etc/puppet/auth.conf doesn't exist
Nov 17 21:16:00 01.client.dev.nym1 has a waiting certificate request
Nov 17 21:16:04 (access[/]) defaulting to no access for 01.client.dev.nym1
Nov 17 21:16:04 Denying access: Forbidden request: 
01.client.dev.nym1(ip.address.is.here) access to 
/certificate_revocation_list/ca [find] at line 0
Nov 17 21:16:04 Forbidden request: 01.client.dev.nym1(ip.address.is.here) 
access to /certificate_revocation_list/ca [find] at line 0
</pre>


Here is my auth.conf (taken from git and only modified to address Bug #2620), 
and removing this file has made no difference:

<pre>
path ~ ^/catalog/([^/]+)$
method find
allow *

path /certificate_revocation_list/ca
method find
allow *

path /report
method save
allow *

path /file
allow *


path /certificate/ca
auth no
method find
allow *

path /certificate/
auth no
method find
allow *

path /certificate_request
auth no
method find, save
allow *

path /
auth any
</pre>

Here is my config.ru:

<pre>
$0 = "puppetmasterd"
require 'puppet'
 
ARGV << "--trace"
ARGV << "--debug"
ARGV << "--verbose"
 
ARGV << "--rack"
require 'puppet/application/puppetmasterd'
run Puppet::Application[:puppetmasterd].run
</pre>


-- 
You have received this notification because you have either subscribed to it, 
or are involved in it.
To change your notification preferences, please click here: 
http://reductivelabs.com/redmine/my/account

--

You received this message because you are subscribed to the Google Groups 
"Puppet Bugs" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/puppet-bugs?hl=.
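The denial in the server log above ("(access[/]) defaulting to no access") is the `path /` rule deciding, which means the `/certificate_revocation_list/ca` rule did not apply to the request. The following Ruby is an added example, not Puppet's own code and not from the bug report: it is a simplified model of how the posted auth.conf is evaluated, written to show why a client that has no signed certificate yet (so its request is unauthenticated) is denied the CRL under the default `auth yes`, and why `auth any` on that rule changes the result. The evaluation rules it implements (path, method and `auth` must all match; first applicable rule decides; a rule with no `allow` entries denies) are an assumption modelled on the log, not taken from Puppet::Network::Rights, and the file contents are the auth.conf from the report reproduced as a string.

```ruby
# Added example, not Puppet's own code: a simplified model of auth.conf ACL
# evaluation, to show why a *new* client is denied `find` on
# /certificate_revocation_list/ca by the auth.conf posted in the report, and
# why `auth any` on that rule changes the outcome. The semantics below are an
# assumption modelled on the server log, not taken from Puppet::Network::Rights:
# a rule applies only when its path, method and `auth` requirement all match;
# the first applicable rule decides; a rule with no `allow` entries denies.
Rule = Struct.new(:path, :regex, :methods, :auth, :allow)

# Parse the auth.conf syntax used on the page. `auth` defaults to `yes`
# (authenticated clients only); `no` means unauthenticated clients only and
# `any` means both. A rule without a `method` line applies to every method.
def parse_auth_conf(text)
  rules = []
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split(/\s+/, 2)
    case key
    when 'path'
      regex = value.start_with?('~')
      rules << Rule.new(regex ? value.sub(/\A~\s*/, '') : value, regex, nil, 'yes', [])
    when 'method' then rules.last.methods = value.split(/\s*,\s*/)
    when 'auth'   then rules.last.auth = value
    when 'allow'  then rules.last.allow.concat(value.split(/\s*,\s*/))
    else raise ArgumentError, "unknown auth.conf directive #{key.inspect}"
    end
  end
  rules
end

def path_matches?(rule, path)
  rule.regex ? Regexp.new(rule.path).match?(path) : path.start_with?(rule.path)
end

# `allow` patterns: `*` (everyone), `*.domain` (hostname suffix) or an exact name.
def node_matches?(pattern, node)
  return true if pattern == '*'
  return node.end_with?(pattern[1..-1]) if pattern.start_with?('*.')
  pattern == node
end

# Returns [:allow | :deny, reason]. `authenticated` is an input here; how the
# server derives it (a verified client certificate, or under Passenger the
# X-Client-Verify/X-Client-DN headers set by the web server) is not modelled.
def authorized?(rules, path:, method:, node:, authenticated:)
  rules.each do |rule|
    next unless path_matches?(rule, path)
    next unless rule.methods.nil? || rule.methods.include?(method)
    next unless rule.auth == 'any' || (rule.auth == 'yes') == authenticated
    return [:allow, "allowed by rule for #{rule.path}"] if rule.allow.any? { |p| node_matches?(p, node) }
    return [:deny, "(access[#{rule.path}]) defaulting to no access for #{node}"]
  end
  [:deny, "no rule matched #{path}"]
end

# The auth.conf from the report, reproduced as a string (blank lines dropped).
REPORTED_AUTH_CONF = <<~CONF
  path ~ ^/catalog/([^/]+)$
  method find
  allow *
  path /certificate_revocation_list/ca
  method find
  allow *
  path /report
  method save
  allow *
  path /file
  allow *
  path /certificate/ca
  auth no
  method find
  allow *
  path /certificate/
  auth no
  method find
  allow *
  path /certificate_request
  auth no
  method find, save
  allow *
  path /
  auth any
CONF

# Same file with `auth any` on the CRL rule, so a client that has no signed
# certificate yet (and therefore cannot authenticate) may still fetch the CRL.
FIXED_AUTH_CONF = REPORTED_AUTH_CONF.sub("path /certificate_revocation_list/ca\n",
                                         "path /certificate_revocation_list/ca\nauth any\n")

# The request that fails in the report: 01.client.dev.nym1 doing `find` on the CRL.
def crl_decision(conf, authenticated)
  authorized?(parse_auth_conf(conf), path: '/certificate_revocation_list/ca',
              method: 'find', node: '01.client.dev.nym1', authenticated: authenticated)
end

puts crl_decision(REPORTED_AUTH_CONF, false).inspect if __FILE__ == $0
```

Run as a script it prints the deny decision for the new client against the reported file; calling `crl_decision(REPORTED_AUTH_CONF, true)` (a client with an existing certificate) or `crl_decision(FIXED_AUTH_CONF, false)` returns `:allow`, which is the behaviour split described in the question at the top of the thread. The model deliberately treats "is this request authenticated" as an input: under Passenger that status comes from headers the web server sets, so a Passenger setup that does not pass them would make every client look new, which is a separate failure from the ACL fall-through shown here.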