On 12/03/13 09:09, Gavin Williams wrote:
> Morning all
> 
> Am in the process of testing a migration of Puppet 3 from webrick to
> Puppet.
> 
> Have found the foreman modules (https://github.com/theforeman) which
> seem to take care of a lot of the leg-work...
> However having got Puppet running with Passenger in Apache, whenever
> trying to access the Puppet master from a client, I was getting a '403
> Forbidden error'.
> 
> Have dug around a bit, I found the auth.conf file. Made a slight tweak
> as follows:
> -bash-4.1$ git diff templates/auth.conf.erb
> diff --git a/templates/auth.conf.erb b/templates/auth.conf.erb
> index 04ef5c6..f064584 100644
> --- a/templates/auth.conf.erb
> +++ b/templates/auth.conf.erb
> @@ -104,3 +104,4 @@ allow <%= puppetmaster rescue fqdn %>
>  # of showing the default policy, which is deny everything else
>  path /
>  auth any
> +allow *
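
Review bot: the added `allow *` under `path /` with `auth any` removes the default policy that the comment just above describes as "deny everything else", so any request that matches no earlier rule is permitted for every client, authenticated or not. Drop this line and keep the catch-all as a deny; if agents get 403 without it, the cause is more likely that the master is not receiving a verified client identity, which should be fixed in the Apache vhost rather than in this template.
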
> 
> Restarted Apache, and Puppet agent sprang into life...
> 
> So looking at the file, it's the default Puppet auth.conf file, so the
> question becomes - Should the above additional line be required? Or is
> it masking something else?

It shouldn't be required - I think your suspicion that it's masking
something is correct.  The last line in the default auth.conf is a deny
all, so you're changing this to an allow all, giving access to any
catalog or file to any client.

Do you have any indication on the client as to what request failed?
i.e. was it the catalog request, or pluginsync etc.  You can try
correlating the error to Apache's access log to verify the URL it's
trying to access on the puppetmaster.

If you're using the Foreman modules, you shouldn't have this issue, but
you should have some RequestHeader lines in the puppetmaster vhost that
set client certificate details and SSLCACertificateFile +
SSLVerifyClient to enable verification.  It could be that the client
cert isn't getting verified by mod_ssl and so the puppetmaster can't use
the client's identity to permit access to URLs.

-- 
Dominic Cleal
Red Hat Engineering
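
A small audit for the two checks raised in this reply, as an added example that is not part of the original message or of the Foreman modules: it flags an open catch-all `path /` rule in a rendered auth.conf and reports which of the vhost directives named above are missing or disabled. The sample config text is constructed and the CA path is a placeholder.

```python
# Added example: audits rendered auth.conf and vhost text. Sample data is constructed.
REQUIRED_VHOST = ("SSLCACertificateFile", "SSLVerifyClient", "RequestHeader")

def parse_auth_conf(text):
    """Split auth.conf into stanzas; each stanza starts at a 'path' line."""
    stanzas = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "path":
            stanzas.append({"path": value.strip(), "auth": None, "allow": []})
        elif stanzas and key == "auth":
            stanzas[-1]["auth"] = value.strip()
        elif stanzas and key == "allow":
            stanzas[-1]["allow"] += [v.strip() for v in value.split(",")]
    return stanzas

def catch_all_is_open(text):
    """True when a 'path /' stanza admits every client via 'allow *'."""
    return any(s["path"] == "/" and "*" in s["allow"] for s in parse_auth_conf(text))

def vhost_gaps(text):
    """Directives from REQUIRED_VHOST that are absent, plus a disabled SSLVerifyClient."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.split()
        if parts and not parts[0].startswith("#"):
            # Apache directive names are case-insensitive.
            seen.setdefault(parts[0].lower(), []).append(parts[1:])
    gaps = [d for d in REQUIRED_VHOST if d.lower() not in seen]
    if any(a and a[0].lower() == "none" for a in seen.get("sslverifyclient", [])):
        gaps.append("SSLVerifyClient none")
    return gaps

# Constructed samples: the tail of auth.conf before and after the quoted change.
AUTH_DEFAULT = "path /\nauth any\n"
AUTH_PATCHED = "path /\nauth any\nallow *\n"
# Constructed vhost fragment; the CA path is a placeholder.
VHOST = """SSLEngine on
SSLCACertificateFile /path/to/ca_crt.pem
SSLVerifyClient none
"""

if __name__ == "__main__":
    print("default catch-all open:", catch_all_is_open(AUTH_DEFAULT))
    print("patched catch-all open:", catch_all_is_open(AUTH_PATCHED))
    print("vhost gaps:", vhost_gaps(VHOST))
```

Only the catch-all stanza is checked because narrower rules may use `allow *` on purpose.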
