Thanks a lot Jeff!!! In puppet.conf, after changing from:
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

To:

ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
ssl_client_header = HTTP_X_CLIENT_DN

Things are working fine. I am not sure why this is the case, as in this URL at http://projects.puppetlabs.com/projects/puppet/wiki/Using_Passenger, it mentions that if using passenger, we need to set the headers as:

ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

Maybe in this case using mod_proxy, it needs to be different?

Thanks,
Hai

On Wed, Mar 14, 2012 at 2:02 PM, Jeff McCune <[email protected]> wrote:
>
> On Tue, Mar 13, 2012 at 10:30 PM, hai wu <[email protected]> wrote:
> > I am following steps in 'Pro Puppet' book to setup load balancing for
> > puppetmaster. I am using passenger 3.0.11.9, ruby 1.8.7, puppet 2.7.12.
> > While things were fine when it is single node configuration, after following
> > the steps from 'Pro puppet' book, I got the following error when running
> > puppet agent -t:
> >
> > err: /File[/var/lib/puppet/lib]: Failed to generate additional resources
> > using 'eval_generate: Error 403 on SERVER: Forbidden request:
> > client_hostname(client_ip_address) access to /certificate_revocation_list/ca
> > [find] at line 99
> > err: /File[/var/lib/puppet/lib]: Could not evaluate: Error 403 on SERVER:
> > Forbidden request: client_hostname(client_ip_address) access to
> > /file_metadata/plugins [find] at line 99 Could not retrieve file metadata
> > for puppet://puppetmaster_fqdn/plugins: Error 403 on SERVER: Forbidden
> > request: client_hostname(client_ip_address) access to
> > /file_metadata/plugins [find] at line 99
>
> Hello,
>
> This error is almost always a certificate trust issue. I suggest
> verifying the CA certificate used by your load balancer to verify
> client certificates is the same certificate used to sign the client
> certificates. I also recommend making sure the load balancer is
> properly setting the HTTP request headers that the back end Puppet
> masters are expecting.
>
> These headers are configurable using these two configuration settings
> on each master:
>
> # The header containing the status
> # message of the client verification. Only used with Mongrel. This header must be set by the proxy
> # to 'SUCCESS' if the client successfully authenticated, and anything else otherwise.
> # See http://projects.puppetlabs.com/projects/puppet/wiki/Using_Mongrel for more information.
> # The default value is 'HTTP_X_CLIENT_VERIFY'.
> ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
>
> # The header containing an authenticated
> # client's SSL DN. Only used with Mongrel. This header must be set by the proxy
> # to the authenticated client's SSL DN (e.g., `/CN=puppet.puppetlabs.com`).
> # See http://projects.puppetlabs.com/projects/puppet/wiki/Using_Mongrel for more information.
> # The default value is 'HTTP_X_CLIENT_DN'.
> ssl_client_header = HTTP_X_CLIENT_DN
>
> Hope this helps,
>
> -Jeff
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
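
An added example, not part of the original thread and not Puppet's own code: a simplified Ruby model of why the SSL_CLIENT_* settings produce the 403 behind a mod_proxy load balancer while the HTTP_X_CLIENT_* settings work. The function names, the X-Client-DN / X-Client-Verify request header names and the sample agent DN are assumptions constructed for illustration.

```ruby
# Simplified model, NOT Puppet's source: how a master decides whether a
# request is authenticated from the two puppet.conf settings in this thread.

# Rack/CGI convention: a request header "X-Client-DN" reaches the application
# as the environment key "HTTP_X_CLIENT_DN".
def rack_key(header_name)
  'HTTP_' + header_name.upcase.tr('-', '_')
end

# Environment a back-end master sees when the load balancer forwards the
# client-certificate result as request headers (hypothetical helper).
def proxied_env(headers)
  headers.each_with_object({}) { |(name, value), env| env[rack_key(name)] = value }
end

# Returns [authenticated?, node_name]. Anything other than the literal
# 'SUCCESS' in the verify variable, or a missing CN, is unauthenticated.
def client_identity(env, settings)
  dn     = env[settings[:ssl_client_header]]
  verify = env[settings[:ssl_client_verify_header]]
  cn     = dn && dn[%r{CN=([^/,]+)}i, 1]
  return [false, nil] unless verify == 'SUCCESS' && cn
  [true, cn.downcase]
end

# Settings from the Using_Passenger wiki: mod_ssl variables, which exist only
# on the Apache instance that terminated the TLS session itself.
PASSENGER_DIRECT = { ssl_client_header: 'SSL_CLIENT_S_DN',
                     ssl_client_verify_header: 'SSL_CLIENT_VERIFY' }
# Defaults quoted in the thread: values arrive as forwarded request headers.
BEHIND_PROXY = { ssl_client_header: 'HTTP_X_CLIENT_DN',
                 ssl_client_verify_header: 'HTTP_X_CLIENT_VERIFY' }

# Constructed sample requests (the agent name is made up).
DIRECT  = { 'SSL_CLIENT_S_DN' => '/CN=agent01.example.com',
            'SSL_CLIENT_VERIFY' => 'SUCCESS' }
PROXIED = proxied_env({ 'X-Client-DN' => '/CN=agent01.example.com',
                        'X-Client-Verify' => 'SUCCESS' })

p client_identity(DIRECT,  PASSENGER_DIRECT)  # TLS terminated on the master
p client_identity(PROXIED, PASSENGER_DIRECT)  # unauthenticated: the 403 case
p client_identity(PROXIED, BEHIND_PROXY)      # authenticated via headers
```

Because the master trusts whatever arrives in these variables, the load balancer has to overwrite any client-supplied X-Client-DN and X-Client-Verify headers, and the back-end port should accept connections only from the load balancer.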
