Sorry for the triple post, my work proxy was blocking the success message it seems.
On May 10, 6:37 pm, Paul Collins <[email protected]> wrote:
> On May 5, 2:31 am, Andreas Kuntzagk <[email protected]> wrote:
> > Ok, seems that I have an authentication issue here.
> > when I set (for all paths) "auth no" in auth.conf, it's working again.
> > Maybe I set these options wrong in the apache.conf:
> >
> > SSLCertificateFile /etc/puppet/ssl/certs/node002.pem
> > SSLCertificateKeyFile /etc/puppet/ssl/private_keys/node002.pem
> >
> > As far as I can tell these files match.
> >
> > regards, Andreas
> >
> > Andreas Kuntzagk wrote:
> > > Hi,
> > >
> > > Nan Liu wrote:
> > >> On Wed, May 4, 2011 at 8:26 AM, Andreas Kuntzagk
> > >> <[email protected]> wrote:
> > >>> Hi,
> > >>>
> > >>> as suggested on the list I switched from the standalone puppetmaster to
> > >>> Passenger. I have passenger installed now and edited the apache config as
> > >>> far as I understood. I restarted apache.
> > >>> Now when I run an agent I get:
> > >>>
> > >>> /var/lib/gems/1.8/bin/puppet agent --server node002 --test
> > >>> err: Could not retrieve catalog from remote server: Error 403 on SERVER:
> > >>> Forbidden request: node039(192.168.73.39) access to /catalog/node039 [find]
> > >>> at line 0
> > >>> warning: Not using cache on failed catalog
> > >>> err: Could not retrieve catalog; skipping run
> > >>>
> > >>> In the server log I find this:
> > >>>
> > >>> May 4 14:13:08 node002 puppet-master[14489]: Denying access: Forbidden
> > >>> request: node039(192.168.73.39) access to /catalog/node039 [find] at
> > >>> line 0
> > >>> May 4 14:13:08 node002 puppet-master[14489]: Forbidden request:
> > >>> node039(192.168.73.39) access to /catalog/node039 [find] at line 0
> > >>
> > >> Not sure I can pinpoint your problem, is this all the output with
> > >> debugging enabled in config.ru?
> > >
> > > No. I just enabled debugging (did not see this option before). Now I get
> > > many more lines. I suspect these to be the important ones:
> > >
> > > May 5 08:59:36 node002 puppet-master[16796]: (access[/]) adding
> > > authentication any
> > > May 5 08:59:36 node002 puppet-master[16796]: Inserting default
> > > '/status'(auth) acl because none where found in '/etc/puppet/auth.conf'
> > > May 5 08:59:36 node002 puppet-master[16796]: (access[/]) defaulting to
> > > no access for node002
> > >
> > > [...]
> > >
> > >> It doesn't map to a filepath. Access is controlled via auth.conf. You
> > >> should have a section similar to:
> > >>
> > >> # allow nodes to retrieve their own catalog (ie their configuration)
> > >> path ~ ^/catalog/([^/]+)$
> > >> method find
> > >> allow $1
> > >
> > > Ok, auth.conf was missing. But I copied the gems default conf file and
> > > it's still not working.
> > >
> > >> Since you should not need to change it, I'm wondering do you have the
> > >> following [master] section in puppet.conf?
> > >> ssl_client_header = SSL_CLIENT_S_DN
> > >> ssl_client_verify_header = SSL_CLIENT_VERIFY
> > >
> > > No. There is no [master] section at all. And also in all example confs
> > > there is no [master] section. Btw. this is version 2.6.4.
> > >
> > > regards, Andreas
>
> So in the puppet.conf I have, those ssl_client_* settings are actually
> in the [user] section. I'm not 100% sure if that's correct but I'm
> running 2.6.8 on mine and that appears to be one of the magic bits
> needed.
>
> Also in your apache config, add
>
> # The following client headers allow the same configuration to work with Pound.
> RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
> RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
> RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
>
> That seems to be the other bit that actually passes the authentication
> down the chain to puppet.
>
> -Paul

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
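As an added illustration (not code from this thread or from Puppet), a small Python model of how the auth.conf catalog rule Nan Liu quotes and the X-Client-DN / X-Client-Verify headers that Paul's RequestHeader lines forward combine to decide a request: the same agent is denied when the headers are missing, allowed for its own catalog when they are present, and denied for another node's catalog. The auth.conf text is constructed, and matching allow entries against the certificate CN alone is a simplification of Puppet's real behaviour.

```python
import re
# Constructed auth.conf fragment; the rule is the one Nan Liu quotes in the thread.
AUTH_CONF = """
# allow nodes to retrieve their own catalog (ie their configuration)
path ~ ^/catalog/([^/]+)$
method find
allow $1
"""

def parse_auth_conf(text):
    """Parse path / method / allow / auth stanzas into a list of rule dicts."""
    rules, cur = [], None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        key, _, val = line.partition(' ')
        if key == 'path':
            cur = {'path': val.strip(), 'method': [], 'allow': [], 'auth': 'yes'}
            rules.append(cur)
        elif key in ('method', 'allow'):
            cur[key] += val.split()
        elif key == 'auth':
            cur['auth'] = val.strip()
    return rules

def match_path(spec, path):
    """Regex captures if the rule path matches ('~' prefix), else prefix match."""
    if spec.startswith('~ '):
        m = re.match(spec[2:], path)
        return list(m.groups()) if m else None
    return [] if path.startswith(spec) else None

def authorize(rules, path, method, client_dn=None, client_verify=None):
    """First matching rule decides. client_dn/client_verify stand in for the
    X-Client-DN / X-Client-Verify headers; without them the agent is anonymous."""
    node = None
    if client_verify == 'SUCCESS' and client_dn:
        m = re.search(r'CN=([^,/]+)', client_dn)
        node = m.group(1) if m else None
    for rule in rules:
        caps = match_path(rule['path'], path)
        if caps is None or (rule['method'] and method not in rule['method']):
            continue
        if rule['auth'] == 'yes' and node is None:
            return False  # authenticated-only rule, but no verified identity
        allowed = [re.sub(r'\$(\d)', lambda m: caps[int(m.group(1)) - 1], a) for a in rule['allow']]
        return '*' in allowed or (node is not None and node in allowed)
    return False  # nothing matched: deny by default
```

Calling `authorize(parse_auth_conf(AUTH_CONF), '/catalog/node039', 'find')` with no headers reproduces the 403 from the thread, while passing `'/CN=node039', 'SUCCESS'` lets node039 fetch only its own catalog.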
