Hello, I have been stumped by an authentication / certificate problem
and would like to know if anyone has resolved a similar issue.

My fresh install of Puppet Master 2.7.18 on Debian 6 works normally
when run standalone, using 'puppet master --verbose --no-daemonize'.

When using nginx-passenger in front of the same puppet master, puppet
fails with the authentication error: '… Forbidden request … access
to /file_metadata/plugins [find] at line 57'

This failure occurs on the same node that had successfully connected
to Puppet Master when it was run standalone.

The full log errors are here: http://pastebin.com/KH8Pyyw3

I can work around this authentication error by appending 'allow *' for
'path /' in the puppet master's auth.conf file.

Here is the Puppet Master auth.conf file I am using: http://pastebin.com/Ju0ke3rP

I don't think this workaround is correct: the default authentication
policy should not allow access to unauthenticated nodes.

Here is my nginx.conf file: http://pastebin.com/q7HMuAZ0

Here is the config.ru configuration file: http://pastebin.com/1aCdsTJE

Does anyone see what I am doing wrong? I have already tried deleting
and recreating certificates for the agent and master.

Thank you,
Jon

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.


  • Jeff McCune at Jul 12, 2012 at 2:45 pm
    Are you sure you want to be using the passenger_set_cgi_param nginx
    directive and not proxy_set_header?

    The problem definitely seems to be Puppet not picking up the values
    that should be set in the HTTP_X_CLIENT_VERIFY and HTTP_X_CLIENT_DN
    request headers.

    -Jeff
  • Jon Jaroker at Jul 12, 2012 at 3:47 pm
    Hello Jeff,

    Thank you for your reply. It pointed me in the right direction.

    Regarding 'proxy_set_header', I don't believe this directive has an
    effect on passenger. For passenger, I believe the
    'passenger_set_cgi_param' directive must be used instead.

    My mistake was using the wrong parameter. While HTTP_X_CLIENT_* will
    work for 'proxy_set_header', I think you need to use SSL_CLIENT_*
    parameters for 'passenger_set_cgi_param'.

    Here is the change in nginx.conf that solved the problem for me.

    # passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
    # passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
    passenger_set_cgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;
    passenger_set_cgi_param SSL_CLIENT_VERIFY $ssl_client_verify;


    The puppet client is now able to connect normally.

    Regards,
    Jon
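Why mismatched parameter names end in a "Forbidden request", shown as an added example that is not from the thread or from Puppet's source: a simplified model of a Rack app that trusts nginx for TLS client verification. The key names the app reads (`DN_KEY`, `VERIFY_KEY`), the helper names and the sample certificate values are assumptions; the directives are the ones quoted in the post above.

```ruby
# Added example, not Puppet's code: models a Rack app that relies on nginx
# for TLS client verification. Key names and sample values are assumptions.
DN_KEY     = 'SSL_CLIENT_S_DN'    # assumed: where the app looks for the subject DN
VERIFY_KEY = 'SSL_CLIENT_VERIFY'  # assumed: where it looks for the verify result

# Constructed: the two directives the post comments out, shown active.
BEFORE = <<~'CONF'
  passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
  passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
CONF
# The nginx.conf lines from the post after the change.
AFTER = <<~'CONF'
  # passenger_set_cgi_param HTTP_X_CLIENT_DN $ssl_client_s_dn;
  # passenger_set_cgi_param HTTP_X_CLIENT_VERIFY $ssl_client_verify;
  passenger_set_cgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;
  passenger_set_cgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
CONF
# Constructed values nginx would substitute for a verified agent certificate.
TLS = { '$ssl_client_s_dn' => '/CN=agent01.example.com',
        '$ssl_client_verify' => 'SUCCESS' }.freeze

# Active (uncommented) passenger_set_cgi_param directives as NAME => $variable.
def cgi_params(nginx_conf)
  nginx_conf.each_line.with_object({}) do |line, params|
    next if line.strip.start_with?('#')
    m = line.match(/passenger_set_cgi_param\s+(\S+)\s+(\$\w+)\s*;/)
    params[m[1]] = m[2] if m
  end
end

# The env the app receives: each param name mapped to the TLS value behind it.
def build_env(params, tls)
  params.each_with_object({}) { |(name, var), env| env[name] = tls[var] }
end

# Authenticated only if the DN arrives under the expected key, carries a CN,
# and the verify result is exactly SUCCESS; anything else is unauthenticated.
def client_auth(env)
  cn = env[DN_KEY] && env[DN_KEY][/CN\s*=\s*([^\/,]+)/, 1]
  return { node: nil, authenticated: false } unless cn
  { node: cn.strip, authenticated: env[VERIFY_KEY] == 'SUCCESS' }
end

def evaluate(nginx_conf, tls = TLS)
  client_auth(build_env(cgi_params(nginx_conf), tls))
end

puts "before: #{evaluate(BEFORE)}"
puts "after:  #{evaluate(AFTER)}"
```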
  • David Wooldridge at Jul 12, 2012 at 3:19 pm
    I know when I was setting this up
    (http://z0mbix.github.com/blog/2012/03/01/use-nginx-and-passenger-to-power-your-puppet-master/),
    the main gotcha I came up against was that the permissions of the config.ru file
    have to be the same as your puppet user. I can't remember what error this
    caused though.

    Cheers,
    David

Discussion Overview
group: puppet-users
categories: puppet
posted: Jul 12, '12 at 2:34p
active: Jul 12, '12 at 3:47p
posts: 4
users: 3
website: puppetlabs.com