I was pretty close with my first guess, but I might have figured it out. I have not resolved the issue, however I am certain of the issue at hand. In 2.6.16, puppet only searches for the auth.conf file at /etc/puppet/auth.conf and this path appears to be hardcoded. Therefore, because puppet cannot find the auth.conf file, it denies access to everything (all four indirector verbs) within the / (puppet) directory. I have yet to try symlinking the file to /etc/puppet/auth.conf to attempt to fix, however this defeats the purpose of installing in /opt. I doubt that this is a bug because I followed a non-standard installation process. I will post again if I figure out how to patch it.
On Thursday, August 9, 2012 11:24:52 AM UTC-7, kp-v wrote:
>
> I don't think there is an issue with my configuration. I believe I am running into issues with indirector.rb not finding the correct terminus for my certificate revocation list.
>
> On Wednesday, August 8, 2012 10:21:05 AM UTC-7, kp-v wrote:
>>
>> Hey folks;
>>
>> I am having issues retrieving the catalog from my master. It seems to be an issue with the ACLs for the /certificate_revocation_list/ca, however it still produces an error when I set the ACLs to allow everything! I am almost certain it has something to do with my non-default installation. Puppet gurus please assist me. Any and all advice would be helpful. P.S. I have not had issues with Passenger up until I changed the installation root except excessively long (400 sec) SSL sessions for initial runs.
>>
>> I am running an agent/master configuration with passenger (CentOS 6.2). I installed puppet from source and my file structure looks like this:
>>
>> /opt/puppet
>>
>> - /opt/puppet/etc
>> - /opt/puppet/etc/puppet
>> - /opt/puppet/usr
>> - /opt/puppet/usr/bin
>> - /opt/puppet/usr/sbin
>> - /opt/puppet/usr/share
>> - /opt/puppet/var
>> - /opt/puppet/var/ssl
>>
>> My master is able to receive and complete the certificate handshake process. On an agent, after having received confirmation that the handshake completed, it attempts to find /certificate_revocation_list/ca but fails.
>>
>> It produces this error (full trace):
>> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:56:in `deserialize'
>> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:75:in `find'
>> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:188:in `find'
>> /usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:50:in `find'
>> /usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:230:in `ssl_store'
>> /usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:56:in `cert_setup'
>> /usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:98:in `http_instance'
>> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:71:in `network'
>> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:75:in `find'
>> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:188:in `find'
>> /usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:50:in `find'
>> /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:240:in `retrieve_new_catalog'
>> /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:403:in `thinmark'
>> /usr/lib/ruby/1.8/benchmark.rb:308:in `realtime'
>> /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:402:in `thinmark'
>> /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:239:in `retrieve_new_catalog'
>> /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:86:in `retrieve_catalog'
>> /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:111:in `retrieve_and_apply_catalog'
>> /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:150:in `run'
>> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
>> /usr/lib/ruby/site_ruby/1.8/puppet/agent/locker.rb:21:in `lock'
>> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
>> /usr/lib/ruby/1.8/sync.rb:230:in `synchronize'
>> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
>> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:103:in `with_client'
>> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:37:in `run'
>> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:172:in `call'
>> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:172:in `controlled_run'
>> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:35:in `run'
>> /usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:114:in `onetime'
>> /usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:88:in `run_command'
>> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:305:in `run'
>> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:420:in `hook'
>> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:305:in `run'
>> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:411:in `exit_on_fail'
>> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:305:in `run'
>> /usr/sbin/puppetd:4
>> err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: hostname.fqdn.int (NNN.NNN.NNN.NNN) access to /certificate_revocation_list/ca [find] at line 0
>> warning: Not using cache on failed catalog
>> err: Could not retrieve catalog; skipping run
>>
>> The syslog on the master produces this error:
>> Aug 8 10:10:16 eng-puppet-vm2 puppet-master[15352]: Forbidden request: hostname.fqdn.int (NNN.NNN.NNN.NNN) access to /certificate_revocation_list/ca [find] at line 0
>>
>> Here is a look at my configurations:
>>
>> auth.conf
>>
>> path /facts
>> method find,search
>> auth yes
>> allow hostname.fqdn.int
>>
>> path ~ ^/catalog/([^/]+)$
>> method find
>> allow $1
>>
>> path /certificate_revocation_list/ca
>> method find
>> allow *
>>
>> path /report
>> method save
>> allow *.fqdn.int
>> allow NNN.NNN.NNN.NNN/16
>>
>> path /file
>> allow *
>>
>> path /certificate/ca
>> auth no
>> method find
>> allow *
>>
>> path /certificate/
>> auth no
>> method find
>> allow *
>>
>> path /certificate_request
>> auth no
>> method find, save
>> allow *
>>
>> path /
>> auth any
>>
>> puppet.conf
>>
>> [main]
>> server = hostname.fqdn.int
>> logdir = /var/log/puppet
>> puppetdlog = /var/log/puppet/puppet.log
>> rundir = /var/run/puppet
>> #ssldir = $vardir/ssl:/etc/puppet/ssl
>> modulepath = /opt/puppet/etc/puppet/modules:/usr/share/puppet/modules
>> runinterval=900
>>
>> [master]
>> ssldir = /opt/puppet/var/ssl
>> facts_terminus = yaml
>> ssl_client_header = SSL_CLIENT_S_DN
>> ssl_client_verify_header = SSL_CLIENT_VERIFY
>>
>> [agent]
>> classfile = $vardir/classes.txt
>> clientbucketdir = $vardir/client_bucket
>> clientyamldir = $vardir/client_yaml
>> ssldir = $vardir/ssl

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/34_HfY2k0rkJ.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
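As an added example (not Puppet's own code, and not posted by the thread's author): a small Ruby model of how an auth.conf like the one quoted above is evaluated, which is handy for checking an ACL file against the requests you expect before it goes on a master. The semantics are assumptions, stated in the comments: rules are tried in file order, the first rule whose path, method and auth mode all match decides, a matched rule with no satisfied `allow` denies, and an empty rule set denies everything (the behaviour the reply above attributes to an auth.conf that is never found). The embedded rule set is the thread's auth.conf with the masked `NNN.NNN.NNN.NNN/16` replaced by the placeholder `192.0.2.0/24`.

```ruby
# Added example, not Puppet's own code: a simplified model of auth.conf
# evaluation. Assumed semantics: rules are tried in file order; the first rule
# whose path, method and auth mode all match decides; a matched rule with no
# satisfied "allow" denies; with no rules loaded at all everything is denied.
require 'ipaddr'

Rule = Struct.new(:path, :regex, :methods, :auth, :allows)

# Parse auth.conf text into an ordered array of Rule structs.
def parse_auth_conf(text)
  rules = []
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split(/\s+/, 2)
    case key
    when 'path'     # "path ~ <regex>" or a plain prefix; auth defaults to "yes"
      regex = value.start_with?('~') ? Regexp.new(value.sub(/\A~\s*/, '')) : nil
      rules << Rule.new(value, regex, nil, 'yes', [])
    when 'method' then rules.last.methods = value.split(/\s*,\s*/)
    when 'auth'   then rules.last.auth = value
    when 'allow'  then rules.last.allows.concat(value.split(/\s*,\s*/))
    end
  end
  rules
end

# A plain path matches by prefix; a regex path yields MatchData (source of $1).
def path_match(rule, request_path)
  return rule.regex.match(request_path) if rule.regex
  request_path.start_with?(rule.path) ? true : nil
end

# "auth yes" wants an authenticated request, "auth no" an unauthenticated one,
# "auth any" takes both.
def auth_applies?(mode, authenticated)
  mode == 'any' || (mode == 'no' ? !authenticated : authenticated)
end

# One "allow" entry: "*", "*.domain", a hostname, an IP or a CIDR block;
# "$1", "$2", ... are filled from the regex path's capture groups.
def allow_matches?(pattern, host, ip, captures)
  pattern = pattern.gsub(/\$(\d+)/) { captures[$1.to_i - 1].to_s }
  return true if pattern == '*'
  return host.end_with?(pattern[1..-1]) if pattern.start_with?('*.')
  return IPAddr.new(pattern).include?(IPAddr.new(ip)) if pattern.include?('/')
  pattern == host || pattern == ip
end

# Decide one request (:allow or :deny) against the ordered rules.
def authorize(rules, path:, method:, host:, ip:, authenticated: true)
  rules.each do |rule|
    m = path_match(rule, path)
    next unless m
    next if rule.methods && !rule.methods.include?(method)
    next unless auth_applies?(rule.auth, authenticated)
    captures = m.is_a?(MatchData) ? m.captures : []
    return rule.allows.any? { |a| allow_matches?(a, host, ip, captures) } ? :allow : :deny
  end
  :deny # no rule matched, or no auth.conf was loaded at all
end

# The auth.conf from the thread; the masked NNN.NNN.NNN.NNN/16 is replaced by
# the placeholder documentation range 192.0.2.0/24 (constructed sample).
SAMPLE_AUTH_CONF = <<~'CONF'
  path /facts
  method find,search
  auth yes
  allow hostname.fqdn.int
  path ~ ^/catalog/([^/]+)$
  method find
  allow $1
  path /certificate_revocation_list/ca
  method find
  allow *
  path /report
  method save
  allow *.fqdn.int
  allow 192.0.2.0/24
  path /file
  allow *
  path /certificate/ca
  auth no
  method find
  allow *
  path /certificate/
  auth no
  method find
  allow *
  path /certificate_request
  auth no
  method find, save
  allow *
  path /
  auth any
CONF

def sample_rules
  parse_auth_conf(SAMPLE_AUTH_CONF)
end
```

With these rules, `authorize(sample_rules, path: '/certificate_revocation_list/ca', method: 'find', host: 'hostname.fqdn.int', ip: '192.0.2.10')` returns `:allow`; the same call with `[]` as the rule set returns `:deny`, as does the call with `authenticated: false`, because the unauthenticated request skips the `auth yes` CRL rule and falls through to the trailing `path /` rule, which has no `allow`. The catalog rule likewise lets a node fetch only its own catalog: `node2.fqdn.int` asking for `/catalog/node1.fqdn.int` is denied.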
