On Tue, Mar 13, 2012 at 10:30 PM, hai wu <[email protected]> wrote:
> I am following the steps in the 'Pro Puppet' book to set up load balancing for
> puppetmaster. I am using passenger 3.0.11.9, ruby 1.8.7, puppet 2.7.12.
> While things were fine when it was a single-node configuration, after following
> the steps from the 'Pro Puppet' book, I got the following error when running
> puppet agent -t:
>
> err: /File[/var/lib/puppet/lib]: Failed to generate additional resources
> using 'eval_generate: Error 403 on SERVER: Forbidden request:
> client_hostname(client_ip_address) access to /certificate_revocation_list/ca
> [find] at line 99
> err: /File[/var/lib/puppet/lib]: Could not evaluate: Error 403 on SERVER:
> Forbidden request: client_hostname(client_ip_address) access to
> /file_metadata/plugins [find] at line 99 Could not retrieve file metadata
> for puppet://puppetmaster_fqdn/plugins: Error 403 on SERVER: Forbidden
> request: client_hostname(client_ip_address) access to
> /file_metadata/plugins [find] at line 99

Hello,

This error is almost always a certificate trust issue. I suggest
verifying the CA certificate used by your load balancer to verify
client certificates is the same certificate used to sign the client
certificates. I also recommend making sure the load balancer is
properly setting the HTTP request headers that the back end Puppet
masters are expecting.

These headers are configurable using these two configuration settings
on each master:

# The header containing the status
# message of the client verification. Only used with Mongrel.
# This header must be set by the proxy
# to 'SUCCESS' if the client successfully authenticated, and
# anything else otherwise.
# See http://projects.puppetlabs.com/projects/puppet/wiki/Using_Mongrel
# for more information.
# The default value is 'HTTP_X_CLIENT_VERIFY'.
ssl_client_verify_header = HTTP_X_CLIENT_VERIFY

# The header containing an authenticated
# client's SSL DN. Only used with Mongrel. This header must be
# set by the proxy
# to the authenticated client's SSL DN (e.g., `/CN=puppet.puppetlabs.com`).
# See http://projects.puppetlabs.com/projects/puppet/wiki/Using_Mongrel
# for more information.
# The default value is 'HTTP_X_CLIENT_DN'.
ssl_client_header = HTTP_X_CLIENT_DN

Hope this helps,
-Jeff
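
Added example, not part of the original message and not Puppet's own code: a simplified Ruby model of the header contract described in the two settings above, useful for checking what a back-end master would conclude from the headers a load balancer forwards. The function names, the sample hostnames and the sample header values are constructed assumptions.

```ruby
# Added sketch, not Puppet's own code: a simplified model of how a back-end
# master interprets the two proxy-set headers described above.
SETTINGS = {
  'ssl_client_verify_header' => 'HTTP_X_CLIENT_VERIFY', # defaults from the message
  'ssl_client_header'        => 'HTTP_X_CLIENT_DN'
}.freeze

# Extract the CN from "/CN=host" or "CN=host,O=..." style DNs (hypothetical helper).
def cn_from_dn(dn)
  m = dn.to_s.match(/(?:\A|[\/,])\s*CN\s*=\s*([^\/,]+)/i)
  m && m[1].strip.downcase
end

# env: Rack-style hash of request headers as the master receives them.
# Returns [authenticated, node_name, reason]. The proxy must set both headers
# itself on every request, replacing whatever value arrived from the client.
def classify_request(env, settings = SETTINGS)
  verify = env[settings['ssl_client_verify_header']]
  cn     = cn_from_dn(env[settings['ssl_client_header']])
  return [false, nil, 'verify header not set by proxy'] if verify.nil?
  return [false, nil, "verify header is #{verify.inspect}, expected \"SUCCESS\""] if verify != 'SUCCESS'
  return [false, nil, 'DN header missing or has no CN'] if cn.nil?
  [true, cn, 'ok']
end

# Constructed sample requests (not captured traffic).
SAMPLES = {
  'headers forwarded, cert trusted' =>
    { 'HTTP_X_CLIENT_VERIFY' => 'SUCCESS', 'HTTP_X_CLIENT_DN' => '/CN=agent01.example.com' },
  'proxy forwards no headers' => {},
  'client cert not verified at proxy' =>
    { 'HTTP_X_CLIENT_VERIFY' => 'NONE', 'HTTP_X_CLIENT_DN' => '/CN=agent01.example.com' },
  'verified but DN header absent' => { 'HTTP_X_CLIENT_VERIFY' => 'SUCCESS' }
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |label, env|
    ok, node, reason = classify_request(env)
    puts format('%-36s authenticated=%-5s node=%-22s %s', label, ok, node.inspect, reason)
  end
end
```

If the setting names on a master differ from the defaults, pass a hash with the configured header names as the second argument to `classify_request`.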