Nginx/Mongrel Could not retrieve catalog from remote server: Error 403 on SERVER


Jomo

Jun 8, 2010, 5:06:05 AM6/8/10
to Puppet Users
It works well when I use webrick. The nginx config is from the puppet
wiki, some logs are below, what's wrong?


puppet version:0.25.4
client:
...
...

debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/
var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/state/state.yaml]: Changing mode
debug: /File[/var/lib/puppet/state/state.yaml]: 1 change(s)
debug: /File[/var/lib/puppet/state/state.yaml]/mode: mode changed
'640' to '660'
debug: Finishing transaction -609821268 with 1 changes
debug: Using cached certificate for ca, good until Sat Jun 06 06:20:50
UTC 2015
debug: Using cached certificate for client, good until Sat Jun 06
07:57:22 UTC 2015
debug: Loaded state in 0.00 seconds
debug: Using cached certificate for ca, good until Sat Jun 06 06:20:50
UTC 2015
debug: Using cached certificate for client, good until Sat Jun 06
07:57:22 UTC 2015
debug: Using cached certificate_revocation_list for ca, good until
debug: catalog supports formats: b64_zlib_yaml marshal pson raw yaml;
using pson
err: Could not retrieve catalog from remote server: Error 403 on
SERVER: Forbidden request: client access to /catalog/client [find] at
line 0
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

master:

...
...
debug: No modules mount given; autocreating with default permissions
debug: No path given for plugins mount; creating a special PluginMount
debug: Creating interpreter
debug: Finishing transaction -610695708 with 0 changes
debug: Finishing transaction -610697798 with 0 changes
info: Inserting default '~ ^/catalog/([^/]+)$'(auth) acl because /etc/
puppet/auth.conf doesn't exist
info: Inserting default '/file'(non-auth) acl because /etc/puppet/
auth.conf doesn't exist
info: Inserting default '/certificate_revocation_list/ca'(auth) acl
because /etc/puppet/auth.conf doesn't exist
info: Inserting default '/report'(auth) acl because /etc/puppet/
auth.conf doesn't exist
info: Inserting default '/certificate/ca'(non-auth) acl because /etc/
puppet/auth.conf doesn't exist
info: Inserting default '/certificate/'(non-auth) acl because /etc/
puppet/auth.conf doesn't exist
info: Inserting default '/certificate_request'(non-auth) acl because /
etc/puppet/auth.conf doesn't exist
info: access[/]: defaulting to no access for client
warning: Denying access: Forbidden request: client access to /catalog/
client[find] at line 0
/usr/lib/ruby/1.8/puppet/network/rights.rb:79:in `fail_on_deny'
/usr/lib/ruby/1.8/puppet/network/rest_authconfig.rb:36:in `allowed?'
/usr/lib/ruby/1.8/puppet/network/rest_authorization.rb:21:in
`check_authorization'
/usr/lib/ruby/1.8/puppet/network/http/handler.rb:66:in `process'
/usr/lib/ruby/1.8/mongrel.rb:159:in `process_client'
/usr/lib/ruby/1.8/mongrel.rb:158:in `each'
/usr/lib/ruby/1.8/mongrel.rb:158:in `process_client'
/usr/lib/ruby/1.8/mongrel.rb:285:in `run'
/usr/lib/ruby/1.8/mongrel.rb:285:in `initialize'
/usr/lib/ruby/1.8/mongrel.rb:285:in `new'
/usr/lib/ruby/1.8/mongrel.rb:285:in `run'
/usr/lib/ruby/1.8/mongrel.rb:268:in `initialize'
/usr/lib/ruby/1.8/mongrel.rb:268:in `new'
/usr/lib/ruby/1.8/mongrel.rb:268:in `run'
/usr/lib/ruby/1.8/puppet/network/http/mongrel.rb:22:in `listen'
/usr/lib/ruby/1.8/puppet/network/server.rb:131:in `listen'
/usr/lib/ruby/1.8/puppet/network/server.rb:146:in `start'
/usr/lib/ruby/1.8/puppet/daemon.rb:128:in `start'
/usr/lib/ruby/1.8/puppet/application/puppetmasterd.rb:122:in `main'
/usr/lib/ruby/1.8/puppet/application.rb:226:in `send'
/usr/lib/ruby/1.8/puppet/application.rb:226:in `run_command'
/usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
/usr/lib/ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
/usr/lib/ruby/1.8/puppet/application.rb:217:in `run'
/usr/sbin/puppetmasterd:66
err: Forbidden request: client access to /catalog/client [find] at
line 0

Dan Carley

Jun 8, 2010, 12:01:16 PM6/8/10
to puppet...@googlegroups.com
On 8 June 2010 10:06, Jomo <zha...@gmail.com> wrote:
It works well when I use webrick. The nginx config is from the puppet
wiki, some logs are below, what's wrong?

I suspect that it relates to the use of HTTP headers and Puppet not knowing who the client is from its certificate.

The wiki documentation assumes that you're launching puppetmasterd with the argument `--ssl_client_header=HTTP_X_SSL_SUBJECT`. It does so in order to maintain configuration compatibility with Pound. But personally, I don't use Pound and prefer to keep Puppet as vanilla as possible. The following (exclusive) `proxy_set_header` directives work fine for me:

        proxy_set_header    Host                $host;
        proxy_set_header    X-Real-IP           $remote_addr;
        proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header    X-Client_DN         $ssl_client_s_dn;
        proxy_set_header    X-Client-Verify     $ssl_client_verify;

You don't mention what version of Nginx you're using. They'll need adjusting suitably for <0.8.x

Nicolas Szalay

Jun 8, 2010, 12:57:35 PM6/8/10
to puppet...@googlegroups.com
----- "Dan Carley" <dan.c...@gmail.com> wrote:

I also allow 127.0.0.1 in fileserver.conf (puppetmaster sees connection from localhost, due to nginx proxying)

Nico.

Jomo

Jun 8, 2010, 10:21:58 PM6/8/10
to Puppet Users
It works for me too, thank you.
It should be added to the wiki.

btw, my nginx is 0.8.29.

On Jun 9, 12:01 AM, Dan Carley <dan.car...@gmail.com> wrote:

Jomo

Jun 9, 2010, 11:22:17 PM6/9/10
to Puppet Users
The wiki is right, I forgot this: ssl_client_header = HTTP_X_SSL_SUBJECT
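Both fixes in this thread come down to one thing: the master never sees the client's TLS certificate itself, only the headers nginx forwards (Dan's X-Client_DN / X-Client-Verify, or the wiki's X-SSL-Subject), and it reads them under the name given by `ssl_client_header` (Puppet's default is HTTP_X_CLIENT_DN, with HTTP_X_CLIENT_VERIFY for the verify header, which is why Dan's header names need no puppet.conf change and the wiki's do). The Ruby below is an added illustration, not Puppet's own code: a deliberately simplified model of how the master resolves the client name from a CGI-style environment and applies the default ACLs shown in the master log, so you can reproduce the 403 from the original post by pointing `ssl_client_header` at a header nginx never sends. The environment hash, the DN value and the ACL table are constructed for the example.

```ruby
# Added illustration (not Puppet's code): why a header-name mismatch between
# nginx and puppetmasterd turns into "Forbidden request: ... access to
# /catalog/<name> [find]".

# Constructed CGI-style environment, as Mongrel would build it from the
# proxy_set_header lines in the thread. Mongrel upcases header names and
# turns '-' into '_', so "X-Client_DN" arrives as HTTP_X_CLIENT_DN.
NGINX_ENV = {
  'HTTP_HOST'            => 'puppet.example.com',        # assumed hostname
  'HTTP_X_CLIENT_DN'     => '/C=XX/O=Puppet/CN=client',  # $ssl_client_s_dn (legacy nginx format)
  'HTTP_X_CLIENT_VERIFY' => 'SUCCESS',                   # $ssl_client_verify
  'REMOTE_ADDR'          => '127.0.0.1',                 # the proxy, not the agent
}

# Simplified model of the default ACLs the master log lists ("Inserting default
# ... acl"). Real Puppet also reads auth.conf; this table does not.
#   :auth  => a verified certificate is required
#   :allow => :self  (only the node named in the path) or :any
DEFAULT_ACLS = [
  { :path => %r{\A/catalog/([^/]+)\z},   :auth => true,  :allow => :self },
  { :path => %r{\A/file},                :auth => false, :allow => :any  },
  { :path => %r{\A/certificate/},        :auth => false, :allow => :any  },
  { :path => %r{\A/certificate_request}, :auth => false, :allow => :any  },
  { :path => %r{\A/report},              :auth => true,  :allow => :self },
]

# Resolve the client the way the master does: read the header named by
# ssl_client_header, extract the CN, and treat the request as authenticated
# only if the verify header says the proxy validated the certificate.
# (Puppet's own CN regex is greedier; this one also copes with the
# "CN=client,O=Puppet" ordering newer nginx versions emit.)
def resolve_client(env, ssl_client_header, verify_header = 'HTTP_X_CLIENT_VERIFY')
  dn = env[ssl_client_header]
  if dn && (m = dn.match(/CN\s*=\s*([^\/,]+)/))
    [m[1].strip, env[verify_header] == 'SUCCESS']
  else
    # No usable header: the master only knows the peer address (here the
    # proxy's) and the request is unauthenticated.
    [env['REMOTE_ADDR'], false]
  end
end

# Walk the ACLs for the request path; an auth-only rule hit by an
# unauthenticated client falls through to "no access".
def authorized?(env, path, ssl_client_header)
  name, authenticated = resolve_client(env, ssl_client_header)
  DEFAULT_ACLS.each do |acl|
    md = acl[:path].match(path)
    next unless md
    next if acl[:auth] && !authenticated
    case acl[:allow]
    when :any  then return true
    when :self then return md[1] == name
    end
  end
  false
end

# Format the decision like the master's deny message in the thread.
def check(env, path, ssl_client_header)
  return "allowed: #{path}" if authorized?(env, path, ssl_client_header)
  name = resolve_client(env, ssl_client_header).first
  "Forbidden request: #{name} access to #{path} [find]"
end

if __FILE__ == $0
  # Header names agree (Puppet default vs. Dan's proxy_set_header lines).
  puts check(NGINX_ENV, '/catalog/client', 'HTTP_X_CLIENT_DN')
  # The original post's situation: master reads a header nginx never sent.
  puts check(NGINX_ENV, '/catalog/client', 'HTTP_X_SSL_SUBJECT')
  # Non-auth mounts still work either way, which is why only the catalog failed.
  puts check(NGINX_ENV, '/file/metadata/modules/foo', 'HTTP_X_SSL_SUBJECT')
end
```

The same model also shows the caveat that comes with this design: the master trusts whatever lands in those two headers, so the Mongrel (or later Passenger) backend must only be reachable through nginx (bind it to 127.0.0.1 or firewall it), and nginx must terminate TLS with `ssl_verify_client on` so that $ssl_client_verify is really SUCCESS; anyone who can reach the backend directly could otherwise supply an X-Client_DN of their choosing.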