I am trying to set up Puppet + Passenger with Apache.

After initially setting it up, on the client I was getting 403 errors
when trying to access /catalog, /plugins, etc. Pretty much anything
that my client tried to access I received a 403 error.

I then looked in the /var/log/messages file and found the following:

Sep 10 16:27:25 ls1314p puppet-master[26378]: Creating a new SSL key for ls1314p.encana.com
Sep 10 16:27:25 ls1314p puppet-master[26378]: Creating a new SSL certificate request for ls1314p.encana.com
Sep 10 16:27:25 ls1314p puppet-master[26378]: Starting Puppet server version 0.25.5
Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '~ ^/catalog/([^/]+)$'(auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/file'(non-auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/certificate_revocation_list/ca'(auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/report'(auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/certificate/ca'(non-auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/certificate/'(non-auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/certificate_request'(non-auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
Sep 10 16:27:25 ls1314p puppet-master[26378]: (access[/]) defaulting to no access for lv1779p.encana.com
Sep 10 16:27:25 ls1314p puppet-master[26378]: Denying access: Forbidden request: lv1779p.encana.com(10.56.32.105) access to /catalog/lv1779p.encana.com [find] at line 0
Sep 10 16:27:25 ls1314p puppet-master[26378]: Forbidden request: lv1779p.encana.com(10.56.32.105) access to /catalog/lv1779p.encana.com [find] at line 0

As you can see, it seems to be looking for the auth.conf file in
/var/lib/puppet/.puppet. As a quick workaround I created the
/var/lib/puppet/.puppet/auth.conf file but it just led to more issues.

Not sure why it is thinking the confdir (I believe auth.conf is in the
confdir) is /var/lib/puppet/.puppet.

Here is my puppet.conf on puppetmaster.

[main]
        # The Puppet log directory
        # The default value is '$vardir/log'.
        logdir = /var/log/puppet

        # Where the Puppet PID files are kept.
        # The default value is '$vardir/run'.
        rundir = /var/run/puppet

        # Where the SSL certificates are kept.
        # The default value is '$confdir/ssl'.
        ssldir = $vardir/ssl

        confdir = /puppet/development

        #external_nodes = /usr/bin/cobbler-ext-nodes
        #node_terminus = exec

[puppetd]
        # The file in which puppetd stores a list of the classes
        # associated with the retrieved configuration. Can be loaded in
        # the separate ``puppet`` executable using the ``--loadclasses``
        # option.
        # The default value is '$confdir/classes.txt'.
        classfile = $vardir/classes.txt

        # Where puppetd caches the local configuration.  An
        # extension indicating the cache format is added automatically.
        # The default value is '$confdir/localconfig'.
        localconfig = $vardir/localconfig

[puppetmasterd]
        ssl_client_header = SSL_CLIENT_S_DN
        ssl_client_verify_header = SSL_CLIENT_VERIFY
        certificate_revocation = false

Here is my config.ru which is owned by puppet

# a config.ru, for use with every rack-compatible webserver.
# SSL needs to be handled outside this, though.

# if puppet is not in your RUBYLIB;
# $:.unshift('/opt/puppet/lib')

$0 = "master"

# if you want debugging:
ARGV << "--debug"

ARGV << "--rack"
#require 'puppet/application/master'
require 'puppet/application/puppetmasterd'
# we're usually running inside a Rack::Builder.new {} block,
# therefore we need to call run *here*.
#run Puppet::Application[:master].run
run Puppet::Application[:puppetmasterd].run

I am running puppet 0.25 on RHEL v5.5.

Any help would be appreciated as I have been unable to get around this
issue.

Thanks

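A diagnostic for the situation in the message above, as an added example that is not part of the original post: it compares the confdir set in puppet.conf with the directory the master actually looked in for auth.conf, and lists the default ACLs it fell back to and the requests it denied. The sample log and config are constructed from the excerpts quoted in the message, the function names are hypothetical, and it assumes auth.conf is looked up at its default location of $confdir/auth.conf.

```ruby
# Sample inputs, constructed from the log lines and puppet.conf quoted in the message.
SAMPLE_LOG = <<~'LOG'
  Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '~ ^/catalog/([^/]+)$'(auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
  Sep 10 16:27:25 ls1314p puppet-master[26378]: Inserting default '/file'(non-auth) acl because /var/lib/puppet/.puppet/auth.conf doesn't exist
  Sep 10 16:27:25 ls1314p puppet-master[26378]: Denying access: Forbidden request: lv1779p.encana.com(10.56.32.105) access to /catalog/lv1779p.encana.com [find] at line 0
  Sep 10 16:27:25 ls1314p puppet-master[26378]: Forbidden request: lv1779p.encana.com(10.56.32.105) access to /catalog/lv1779p.encana.com [find] at line 0
LOG

SAMPLE_CONF = <<~'CONF'
  [main]
          ssldir = $vardir/ssl
          confdir = /puppet/development
CONF

ACL_RE    = /Inserting default '(.+)'\((auth|non-auth)\) acl because (\S+) doesn't exist/
DENIED_RE = /Forbidden request: (\S+?)\((\S+?)\) access to (\S+) \[(\w+)\]/

# Return the value of `key` inside [section] of a puppet.conf text, or nil.
def conf_value(conf_text, section, key)
  current = nil
  conf_text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    if (m = line.match(/\A\[(\w+)\]\z/))
      current = m[1]
    elsif current == section && (m = line.match(/\A(\w+)\s*=\s*(.*)\z/)) && m[1] == key
      return m[2]
    end
  end
  nil
end

# Summarise where the master looked for auth.conf versus the configured confdir.
def diagnose(log_text, conf_text)
  acls       = log_text.scan(ACL_RE) # [[acl pattern, auth flag, auth.conf path], ...]
  looked_in  = acls.map { |_, _, path| File.dirname(path) }.uniq
  configured = conf_value(conf_text, 'main', 'confdir')
  denied     = log_text.scan(DENIED_RE).uniq.map do |host, ip, path, method|
    { host: host, ip: ip, path: path, method: method }
  end
  { configured_confdir: configured,
    effective_confdirs: looked_in,
    confdir_mismatch: !looked_in.empty? && looked_in != [configured],
    default_acls: acls.map { |pattern, auth, _| [pattern, auth] },
    denied: denied }
end

pp diagnose(SAMPLE_LOG, SAMPLE_CONF) if $PROGRAM_NAME == __FILE__
```

A `confdir_mismatch` of true means the master process did not use the confdir written in the puppet.conf it was expected to read, so the auth.conf kept under that confdir was never consulted.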