I don't think there is an issue with my configuration. I believe I am running into issues with indirector.rb not finding the correct terminus for my certificate revocation list.
On Wednesday, August 8, 2012 10:21:05 AM UTC-7, kp-v wrote:
>
> Hey folks;
>
> I am having issues retrieving the catalog from my master. It seems to be an issue with the ACLs for the /certificate_revocation_list/ca, however it still produces an error when I set the ACLs to allow everything! I am almost certain it has something to do with my non-default installation. Puppet gurus please assist me. Any and all advice would be helpful. P.S. I have not had issues with Passenger up until I changed the installation root except excessively long (400 sec) SSL sessions for initial runs.
>
> I am running an agent/master configuration with passenger (CentOS 6.2). I installed puppet from source and my file structure looks like this:
>
> /opt/puppet
>
> - /opt/puppet/etc
> - /opt/puppet/etc/puppet
> - /opt/puppet/usr
> - /opt/puppet/usr/bin
> - /opt/puppet/usr/sbin
> - /opt/puppet/usr/share
> - /opt/puppet/var
> - /opt/puppet/var/ssl
>
> My master is able to receive and complete the certificate handshake process. On an agent, after having received confirmation that the handshake completed, it attempts to find /certificate_revocation_list/ca but fails.
> It produces this error (full trace):
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:56:in `deserialize'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:75:in `find'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:188:in `find'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:50:in `find'
> /usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:230:in `ssl_store'
> /usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:56:in `cert_setup'
> /usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:98:in `http_instance'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:71:in `network'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:75:in `find'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:188:in `find'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:50:in `find'
> /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:240:in `retrieve_new_catalog'
> /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:403:in `thinmark'
> /usr/lib/ruby/1.8/benchmark.rb:308:in `realtime'
> /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:402:in `thinmark'
> /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:239:in `retrieve_new_catalog'
> /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:86:in `retrieve_catalog'
> /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:111:in `retrieve_and_apply_catalog'
> /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:150:in `run'
> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
> /usr/lib/ruby/site_ruby/1.8/puppet/agent/locker.rb:21:in `lock'
> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
> /usr/lib/ruby/1.8/sync.rb:230:in `synchronize'
> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:103:in `with_client'
> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:37:in `run'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:172:in `call'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:172:in `controlled_run'
> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:35:in `run'
> /usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:114:in `onetime'
> /usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:88:in `run_command'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:305:in `run'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:420:in `hook'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:305:in `run'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:411:in `exit_on_fail'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:305:in `run'
> /usr/sbin/puppetd:4
> err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: hostname.fqdn.int (NNN.NNN.NNN.NNN) access to /certificate_revocation_list/ca [find] at line 0
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
>
> The syslog on the master produces this error:
> Aug 8 10:10:16 eng-puppet-vm2 puppet-master[15352]: Forbidden request: hostname.fqdn.int (NNN.NNN.NNN.NNN) access to /certificate_revocation_list/ca [find] at line 0
>
> Here is a look at my configurations:
> auth.conf
>
> path /facts
> method find,search
> auth yes
> allow hostname.fqdn.int
>
> path ~ ^/catalog/([^/]+)$
> method find
> allow $1
>
> path /certificate_revocation_list/ca
> method find
> allow *
>
> path /report
> method save
> allow *.fqdn.int
> allow NNN.NNN.NNN.NNN/16
>
> path /file
> allow *
>
> path /certificate/ca
> auth no
> method find
> allow *
>
> path /certificate/
> auth no
> method find
> allow *
>
> path /certificate_request
> auth no
> method find, save
> allow *
>
> path /
> auth any
>
>
> puppet.conf
>
> [main]
> server = hostname.fqdn.int
> logdir = /var/log/puppet
> puppetdlog = /var/log/puppet/puppet.log
> rundir = /var/run/puppet
> #ssldir = $vardir/ssl:/etc/puppet/ssl
> modulepath = /opt/puppet/etc/puppet/modules:/usr/share/puppet/modules
> runinterval=900
> [master]
> ssldir = /opt/puppet/var/ssl
> facts_terminus = yaml
> ssl_client_header = SSL_CLIENT_S_DN
> ssl_client_verify_header = SSL_CLIENT_VERIFY
> [agent]
> classfile = $vardir/classes.txt
> clientbucketdir = $vardir/client_bucket
> clientyamldir = $vardir/client_yaml
> ssldir = $vardir/ssl

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/d9LhpFCkPvoJ.
