Authorization is handled by auth.conf; you should look at this file. The default syntax which handles this is something like so:
# allow nodes to retrieve their own catalog (ie their configuration)
path ~ ^/catalog/([^/]+)$
method find
allow $1

On May 8, 2012, at 6:55 PM, Josh wrote:

> I continually get error messages about denied requests and can't figure out
> why...starting to get really frustrated. AFAICT, the SSL stuff doesn't
> actually work, which makes me think I have something configured incorrectly.
> This is my first attempt with Passenger. I've previously used Puppet (0.24)
> with Mongrel and that worked well, I figured I would see how Passenger
> worked. Seems a lot harder to get going so far.
>
> I can see a signing request, I sign it, seems to work, but the agent never
> attempts again. If I manually restart the agent I start getting 403s. If I
> wipe out the SSL files and restart, the same thing happens: start agent, get
> request, sign, restart agent, 403, rinse and repeat. It worked as [user] but
> when I changed it to [agent], everything broke, even with the same
> certificates. These are the errors I see:
>
> May 8 21:36:06 puppet puppet-master[11776]: Denying access: Forbidden
> request: backup1(192.168.3.9) access to /catalog/backup1.int.domain.com
> [find] at line 98
> May 8 21:36:06 puppet puppet-master[11776]: Forbidden request:
> backup1(192.168.3.9) access to /catalog/backup1.int.domain.com [find] at line
> 98
>
> I also had plugin errors and report errors but I turned those options off. I
> created the master cert with dns_alt_name=puppet, and I see the extension in
> the cert ONLY for the master's FQDN cert file, the CA cert file doesn't have
> an alt name (ssl/certs/ca.pem). Neither does ssl/ca/ca_crt.pem. Is this
> correct? Does the client also need an alt name in its cert?
>
> This, believe it or not, is the default puppet.conf I got on FreeBSD (with
> comments/whitespace removed, [user] changed to [agent], and my domain
> replaced):
>
> [agent]
> tagmap = /usr/local/etc/puppet/tagmail.conf
> lastrunreport = /var/puppet/state/last_run_report.yaml
> server = puppet.int.domain.com
> clientyamldir = /var/puppet/client_yaml
> clientbucketdir = /var/puppet/clientbucket
> puppetdlog = /var/puppet/log/puppetd.log
> report_server = puppet
> runinterval = 10
> inventory_port = 8140
> classfile = /var/puppet/state/classes.txt
> ca_port = 8140
> puppetdlockfile = /var/puppet/state/puppetdlock
> report = false
> localconfig = /var/puppet/state/localconfig
> splaylimit = 1800
> client_datadir = /var/puppet/client_data
> report_port = 8140
> lastrunfile = /var/puppet/state/last_run_summary.yaml
> graphdir = /var/puppet/state/graphs
> statefile = /var/puppet/state/state.yaml
> resourcefile = /var/puppet/state/resources.txt
> reportserver = puppet
> inventory_server = puppet
> ca_name = Puppet CA: jail-5.isc.freebsd.org
> cakey = /var/puppet/ssl/ca/ca_key.pem
> caprivatedir = /var/puppet/ssl/ca/private
> capass = /var/puppet/ssl/ca/private/ca.pass
> cert_inventory = /var/puppet/ssl/ca/inventory.txt
> cadir = /var/puppet/ssl/ca
> capub = /var/puppet/ssl/ca/ca_pub.pem
> csrdir = /var/puppet/ssl/ca/requests
> serial = /var/puppet/ssl/ca/serial
> cacert = /var/puppet/ssl/ca/ca_crt.pem
> cacrl = /var/puppet/ssl/ca/ca_crl.pem
> signeddir = /var/puppet/ssl/ca/signed
> autosign = /usr/local/etc/puppet/autosign.conf
> masterlog = /var/puppet/log/puppetmaster.log
> modulepath = /usr/local/etc/puppet/modules:/usr/share/puppet/modules
> ssl_client_header = SSL_CLIENT_S_DN
> server_datadir = /var/puppet/server_data
> masterhttplog = /var/puppet/log/masterhttp.log
> bucketdir = /var/puppet/bucket
> ssl_client_verify_header = SSL_CLIENT_VERIFY
> fileserverconfig = /usr/local/etc/puppet/fileserver.conf
> manifestdir = /usr/local/etc/puppet/manifests
> manifest = /usr/local/etc/puppet/manifests/site.pp
> rest_authconfig = /usr/local/etc/puppet/auth.conf
> yamldir = /var/puppet/yaml
> reportdir = /var/puppet/reports
> inventory_terminus = facter
> plugindest = /var/puppet/lib
> privatekeydir = /var/puppet/ssl/private_keys
> hostcsr = /var/puppet/ssl/csr_jail-5.isc.freebsd.org.pem
> factsource = puppet://puppet/facts/
> hostpubkey = /var/puppet/ssl/public_keys/jail-5.isc.freebsd.org.pem
> authconfig = /usr/local/etc/puppet/namespaceauth.conf
> logdir = /var/puppet/log
> httplog = /var/puppet/log/http.log
> publickeydir = /var/puppet/ssl/public_keys
> pluginsource = puppet://puppet/plugins
> privatedir = /var/puppet/ssl/private
> factpath = /var/puppet/lib/facter:/var/puppet/facts
> hostcert = /var/puppet/ssl/certs/jail-5.isc.freebsd.org.pem
> localcacert = /var/puppet/ssl/certs/ca.pem
> certdir = /var/puppet/ssl/certs
> libdir = /var/puppet/lib
> requestdir = /var/puppet/ssl/certificate_requests
> pluginsync = false
> route_file = /usr/local/etc/puppet/routes.yaml
> passfile = /var/puppet/ssl/private/password
> hostprivkey = /var/puppet/ssl/private_keys/jail-5.isc.freebsd.org.pem
> statedir = /var/puppet/state
> hostcrl = /var/puppet/ssl/crl.pem
> bindaddress = 0.0.0.0
> config = /usr/local/etc/puppet/puppet.conf
> pidfile = /var/run/puppet/agent.pid
> rrdinterval = 1800
> rrddir = /var/puppet/rrd
> dblocation = /var/puppet/state/clientconfigs.sqlite3
> railslog = /var/puppet/log/rails.log
> deviceconfig = /usr/local/etc/puppet/device.conf
> devicedir = /var/puppet/devices
> templatedir = /var/puppet/templates
> archive_file_server = puppet
>
> There is no auth.conf on the client.
>
> This is the puppet.conf on the master, also default and sanitized. There is
> not and never was a [master] section:
>
> [agent]
> tagmap = /usr/local/etc/puppet/tagmail.conf
> ca_server = puppet
> lastrunreport = /var/puppet/state/last_run_report.yaml
> clientyamldir = /var/puppet/client_yaml
> clientbucketdir = /var/puppet/clientbucket
> puppetdlog = /var/puppet/log/puppetd.log
> report_server = puppet
> inventory_port = 8140
> classfile = /var/puppet/state/classes.txt
> ca_port = 8140
> puppetdlockfile = /var/puppet/state/puppetdlock
> localconfig = /var/puppet/state/localconfig
> splaylimit = 1800
> client_datadir = /var/puppet/client_data
> report_port = 8140
> lastrunfile = /var/puppet/state/last_run_summary.yaml
> graphdir = /var/puppet/state/graphs
> statefile = /var/puppet/state/state.yaml
> resourcefile = /var/puppet/state/resources.txt
> reportserver = puppet
> node_name_value = jail-5.isc.freebsd.org
> inventory_server = puppet
> ca_name = Puppet CA: jail-5.isc.freebsd.org
> cakey = /var/puppet/ssl/ca/ca_key.pem
> caprivatedir = /var/puppet/ssl/ca/private
> capass = /var/puppet/ssl/ca/private/ca.pass
> cert_inventory = /var/puppet/ssl/ca/inventory.txt
> cadir = /var/puppet/ssl/ca
> capub = /var/puppet/ssl/ca/ca_pub.pem
> csrdir = /var/puppet/ssl/ca/requests
> serial = /var/puppet/ssl/ca/serial
> cacert = /var/puppet/ssl/ca/ca_crt.pem
> cacrl = /var/puppet/ssl/ca/ca_crl.pem
> signeddir = /var/puppet/ssl/ca/signed
> autosign = /usr/local/etc/puppet/autosign.conf
> masterlog = /var/puppet/log/puppetmaster.log
> modulepath = /usr/local/etc/puppet/modules:/usr/share/puppet/modules
> ssl_client_header = SSL_CLIENT_S_DN
> server_datadir = /var/puppet/server_data
> masterhttplog = /var/puppet/log/masterhttp.log
> bucketdir = /var/puppet/bucket
> ssl_client_verify_header = SSL_CLIENT_VERIFY
> fileserverconfig = /usr/local/etc/puppet/fileserver.conf
> manifestdir = /usr/local/etc/puppet/manifests
> manifest = /usr/local/etc/puppet/manifests/site.pp
> rest_authconfig = /usr/local/etc/puppet/auth.conf
> yamldir = /var/puppet/yaml
> reportdir = /var/puppet/reports
> inventory_terminus = facter
> plugindest = /var/puppet/lib
> privatekeydir = /var/puppet/ssl/private_keys
> hostcsr = /var/puppet/ssl/csr_jail-5.isc.freebsd.org.pem
> factsource = puppet://puppet/facts/
> hostpubkey = /var/puppet/ssl/public_keys/jail-5.isc.freebsd.org.pem
> authconfig = /usr/local/etc/puppet/namespaceauth.conf
> dns_alt_names = puppet
> logdir = /var/puppet/log
> httplog = /var/puppet/log/http.log
> publickeydir = /var/puppet/ssl/public_keys
> pluginsource = puppet://puppet/plugins
> privatedir = /var/puppet/ssl/private
> factpath = /var/puppet/lib/facter:/var/puppet/facts
> hostcert = /var/puppet/ssl/certs/jail-5.isc.freebsd.org.pem
> localcacert = /var/puppet/ssl/certs/ca.pem
> certdir = /var/puppet/ssl/certs
> libdir = /var/puppet/lib
> requestdir = /var/puppet/ssl/certificate_requests
> pluginsync = false
> route_file = /usr/local/etc/puppet/routes.yaml
> passfile = /var/puppet/ssl/private/password
> hostprivkey = /var/puppet/ssl/private_keys/jail-5.isc.freebsd.org.pem
> statedir = /var/puppet/state
> hostcrl = /var/puppet/ssl/crl.pem
> bindaddress = 0.0.0.0
> config = /usr/local/etc/puppet/puppet.conf
> pidfile = /var/run/puppet/apply.pid
> rrdinterval = 1800
> rrddir = /var/puppet/rrd
> dblocation = /var/puppet/state/clientconfigs.sqlite3
> railslog = /var/puppet/log/rails.log
> deviceconfig = /usr/local/etc/puppet/device.conf
> devicedir = /var/puppet/devices
> templatedir = /var/puppet/templates
> archive_file_server = puppet
>
> This is my auth.conf on the master, copied from -dist (there was none
> initially):
>
> path ~ ^/catalog/([^/]+)$
> method find
> allow $1
> path ~ ^/node/([^/]+)$
> method find
> allow $1
> path /certificate_revocation_list/ca
> method find
> allow *
> path /report
> method save
> allow *
> path /file
> allow *
> path /certificate/ca
> auth no
> method find
> allow *
> path /certificate/
> auth no
> method find
> allow *
> path /certificate_request
> auth no
> method find, save
> allow *
> path /
> auth any
>
> This is my Apache config on the master:
>
> PassengerHighPerformance on
> PassengerMaxPoolSize 12
> PassengerPoolIdleTime 1500
> PassengerStatThrottleRate 120
> RackAutoDetect Off
> RailsAutoDetect Off
> Listen 8140
> <VirtualHost *:8140>
> SSLEngine on
> SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
> SSLCertificateFile /var/puppet/ssl/certs/puppet.int.domain.com.pem
> SSLCertificateKeyFile /var/puppet/ssl/private_keys/puppet.int.domain.com.pem
> SSLCertificateChainFile /var/puppet/ssl/ca/ca_crt.pem
> SSLCACertificateFile /var/puppet/ssl/ca/ca_crt.pem
> SSLVerifyClient optional
> SSLVerifyDepth 1
> SSLOptions +StdEnvVars
> RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
> RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
> RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
> DocumentRoot /usr/local/etc/puppet/rack/public/
> RackBaseURI /
> <Directory /local/etc/puppet/rack/>
> Options None
> AllowOverride None
> Order allow,deny
> allow from all
> </Directory>
> </VirtualHost>
>
> Does anything stand out?
>
> Thanks,
> Josh
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/puppet-users/-/LQZ6QHiiiT8J.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.

--
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.