authentication issue with passenger


Allan Marcus

Sep 24, 2009, 12:13:31 PM
to puppet...@googlegroups.com
Hello,

When I run puppetmasterd (0.25.1.rc1) with webrick, it works fine and
my test client can connect and do everything it needs to do.

When I run puppetmasterd with passenger (2.2.2) I see the following
error in the log:

Thu Sep 24 10:09:43 puppet-dev puppetmasterd[732] <Notice>: Denying
unauthenticated client marcusmini-a.lanl.gov(<ip removed>) access to
fileserver.list

There are a number of related errors all seemingly stemming from this
authentication error.

Any ideas? Any more info that could help?

---
Thanks,

Allan Marcus
505-667-5666

Trevor Vaughan

Sep 24, 2009, 1:14:48 PM
to puppet...@googlegroups.com
Did you happen to turn on Apache's Cert verification?

If so, you'll need to set up a puppet CA on a different port.

Trevor

Allan Marcus

Sep 24, 2009, 2:15:52 PM
to puppet...@googlegroups.com
Umm, I don't think that is the issue. I'm pretty sure this is
something puppet server related. The next line reads:

Thu Sep 24 12:11:31 puppet-dev puppetmasterd[1196] <Notice>: Denying
unauthenticated client marcusmini-a.lanl.gov(128.165.129.167) access
to fileserver.list
Thu Sep 24 12:11:31 puppet-dev puppetmasterd[1196] <Error>: Puppet
Server (Rack): Internal Server Error: Unhandled Exception: "Host
marcusmini-a.lanl.gov(128.165.129.167) not authorized to call
fileserver.list"
Thu Sep 24 12:11:31 puppet-dev puppetmasterd[1196] <Notice>: Denying
unauthenticated client marcusmini-a.lanl.gov(128.165.129.167) access
to fileserver.describe
Thu Sep 24 12:11:31 puppet-dev puppetmasterd[1196] <Error>: Puppet
Server (Rack): Internal Server Error: Unhandled Exception: "Host
marcusmini-a.lanl.gov(128.165.129.167) not authorized to call
fileserver.describe"
Thu Sep 24 12:11:33 puppet-dev puppetmasterd[1196] <Notice>: Denying
unauthenticated client marcusmini-a.lanl.gov(128.165.129.167) access
to puppetmaster.getconfig
Thu Sep 24 12:11:33 puppet-dev puppetmasterd[1196] <Error>: Puppet
Server (Rack): Internal Server Error: Unhandled Exception: "Host
marcusmini-a.lanl.gov(128.165.129.167) not authorized to call
puppetmaster.getconfig"

Where do I set up that machines can access these files?
Why is this different using passenger than webrick?



---
Thanks,

Allan Marcus
505-667-5666



Allan Marcus

Sep 24, 2009, 6:46:11 PM
to puppet...@googlegroups.com
Ug.

Does anyone have any idea why my clients can connect just fine when
using webrick but cannot when using passenger? This only happens with
puppetmasterd 0.25.x. When the client tries to connect I see:

puppetmasterd[3485] <Notice>: Starting Puppet server version 0.25.1
puppetmasterd[3485] <Warning>: Denying access: Forbidden request: marcusmini-a.lanl.gov(128.165.129.167) access to /file_metadata/facts [search] at line 0
puppetmasterd[3485] <Error>: Forbidden request: marcusmini-a.lanl.gov(128.165.129.167) access to /file_metadata/facts [search] at line 0
puppetmasterd[3485] <Warning>: Denying access: Forbidden request: marcusmini-a.lanl.gov(128.165.129.167) access to /file_metadata/facts [find] at line 0
puppetmasterd[3485] <Error>: Forbidden request: marcusmini-a.lanl.gov(128.165.129.167) access to /file_metadata/facts [find] at line 0
puppetmasterd[3485] <Warning>: Denying access: Forbidden request: marcusmini-a.lanl.gov(128.165.129.167) access to /catalog/marcusmini-a.lanl.gov [find] at line 0
puppetmasterd[3485] <Error>: Forbidden request: marcusmini-a.lanl.gov(128.165.129.167) access to /catalog/marcusmini-a.lanl.gov [find] at line 0
puppetmasterd[3485] <Warning>: Denying access: Forbidden request: marcusmini-a.lanl.gov(128.165.129.167) access to /file_metadata/dlanlbaseline/getDefsDate.sh [find] at line 0
puppetmasterd[3485] <Error>: Forbidden request: marcusmini-a.lanl.gov(128.165.129.167) access to /file_metadata/dlanlbaseline/getDefsDate.sh [find] at line 0

If I use the sample auth.conf file and set
auth no
allow *
everything works, but I'm pretty sure that is not a good idea. Since
it all works when using webrick and doesn't work when using passenger,
could the issue be that passenger is not passing the client's certs to
puppetmasterd, and therefore puppetmasterd is thinking the client is
unauthenticated?


---
Thanks,

Allan Marcus
505-667-5666



Silviu Paragina

Sep 25, 2009, 6:38:49 AM
to puppet...@googlegroups.com, timu...@gmail.com
You might be running puppet master under a different user or the puppet
master certificate changed because puppet thinks it has a different
name. Other than that I have no idea. :-?


Silviu

Allan Marcus

Sep 25, 2009, 9:52:44 AM
to puppet...@googlegroups.com
In both cases puppetmasterd is run as the puppet user, at least
according to ps.

---
Thanks,

Allan Marcus
505-667-5666



Allan Marcus

Sep 25, 2009, 11:11:19 AM
to puppet...@googlegroups.com
It just gets worse. When using a 0.24.8 client against a 0.25.1
server, where the server is running Passenger, nothing I do in the
auth.conf will allow the client to work.

Here's my auth.conf:

path /
auth any
allow *

I've also tried:

path /
auth no
allow *


And here are the errors I get. I don't get any of these errors if I
use Webrick.


<Notice>: Denying unauthenticated client marcusmini-a.lanl.gov(128.165.129.167) access to fileserver.list

<Error>: Puppet Server (Rack): Internal Server Error: Unhandled Exception: "Host marcusmini-a.lanl.gov(128.165.129.167) not authorized to call fileserver.list"

<Notice>: Denying unauthenticated client marcusmini-a.lanl.gov(128.165.129.167) access to fileserver.describe

<Error>: Puppet Server (Rack): Internal Server Error: Unhandled Exception: "Host marcusmini-a.lanl.gov(128.165.129.167) not authorized to call fileserver.describe"

<Notice>: Denying unauthenticated client marcusmini-a.lanl.gov(128.165.129.167) access to puppetmaster.getconfig

<Error>: Puppet Server (Rack): Internal Server Error: Unhandled Exception: "Host marcusmini-a.lanl.gov(128.165.129.167) not authorized to call puppetmaster.getconfig"

<Notice>: Denying unauthenticated client marcusmini-a.lanl.gov(128.165.129.167) access to fileserver.describe

<Error>: Puppet Server (Rack): Internal Server Error: Unhandled Exception: "Host marcusmini-a.lanl.gov(128.165.129.167) not authorized to call fileserver.describe"

Is anyone using passenger with 0.25.1?

Christian Hofstaedtler

Sep 26, 2009, 10:14:33 AM
to Puppet Users
What does the client in question say when this happens?
Does this happen all the time?
Did you try with no auth.conf?

Christian

Christian Hofstaedtler

Sep 26, 2009, 10:26:06 AM
to Puppet Users
Also: please check that you have the required settings in the master's
puppet.conf as mentioned in http://github.com/reductivelabs/puppet/blob/master/ext/rack/README

If it still doesn't work, please post a full log from master + server
for a single client run.

Christian

Allan Marcus

Sep 28, 2009, 12:13:58 PM
to puppet...@googlegroups.com
Yes, I have all those settings. Attached are the relevant files.

To sum up:

Everything works fine with webrick.
Nothing I do can make server 0.25.1 w/passenger work with a 0.24.8
client.
The only way I can get server 0.25.1 w/passenger to work with a 0.25.1
client is to have a wide-open auth.conf file:

path /
auth any
allow *

Thanks for your help.

client_248.log
client_251.log
puppet.conf
server.log

Allan Marcus

Sep 28, 2009, 1:16:17 PM
to puppet...@googlegroups.com
I think I have it working now.

---
Thanks,

Allan Marcus
505-667-5666




Paul Lathrop

Nov 4, 2009, 7:11:59 PM
to puppet...@googlegroups.com, al...@lanl.gov
How did you resolve this? I'm having this problem now.

lluis

Dec 17, 2009, 8:22:40 AM
to puppet...@googlegroups.com
We are hitting the same problem; how did you solve this?


Silviu Paragina

Dec 17, 2009, 11:37:15 AM
to puppet...@googlegroups.com
What's your apache vhost config? Passenger 2.2.2 with 0.25.1 didn't work
for me with the config from the example in the 0.25.1 tree.
I think there is an error in the 0.25.1 example one.

I had to add:
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e


Silviu


lluis

Dec 18, 2009, 5:41:51 AM
to puppet...@googlegroups.com
Our problem was namespaceauth.conf; since we fixed it, our 24.x clients
seem to work with 0.25 and passenger.

namespaceauth.conf:
[puppetrunner]
allow 127.0.0.1

[fileserver]
allow *

[puppetmaster]
allow *

[puppetbucket]
allow *

[puppetreports]
allow *

[resource]
allow *

cheers,
Lluís


jb

Jan 8, 2010, 1:30:51 PM
to Puppet Users
Thank you Silviu - I just went through a 0.25.2 installation using
passenger 2.2.8 just yesterday and had the same issues which started
this thread:

puppetmasterd[29797]: Puppet Server (Rack): Internal Server Error:
Unhandled Exception: "Host app3.chassis1 10.x.x.x) not authorized to
call fileserver.list"
puppetmasterd[29797]: Denying unauthenticated client app3.chassis1
(10.x.x.x) access to fileserver.list

Your suggestions below fixed the issue.


Christian Hofstaedtler

Jan 8, 2010, 1:36:17 PM
to Puppet Users
You know, this usually means that you don't have these settings in
your puppet.conf, as doc'ed:

Required puppet.conf settings:
[puppetmasterd]
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

-ch
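
[Added example, not part of any post in this thread and not Puppet's own code.] A simplified Ruby model of the lookup the two fixes above address: a Rack-hosted master can only treat a client as authenticated if the Rack env keys named in puppet.conf actually carry the DN and verify result that Apache produced. The default key names, the DN format and the host name are assumptions made for illustration.

```ruby
# Simplified model of header-based client authentication behind Apache/Passenger.
# Assumed defaults when puppet.conf sets nothing (illustrative, not read from Puppet).
DEFAULTS = {
  ssl_client_header:        "HTTP_X_CLIENT_DN",
  ssl_client_verify_header: "HTTP_X_CLIENT_VERIFY"
}.freeze

# The settings quoted from the README in the post above.
README_SETTINGS = {
  ssl_client_header:        "SSL_CLIENT_S_DN",
  ssl_client_verify_header: "SSL_CLIENT_VERIFY"
}.freeze

# Decide identity from the Rack env. A DN without verify == "SUCCESS" is
# never trusted, and a missing key means "unauthenticated".
def client_identity(env, settings = DEFAULTS)
  dn     = env[settings[:ssl_client_header]]
  verify = env[settings[:ssl_client_verify_header]]
  cn     = dn && dn[/CN\s*=\s*([^\/,]+)/i, 1]
  if cn && verify == "SUCCESS"
    { authenticated: true, node: cn.strip.downcase }
  else
    { authenticated: false, node: nil }
  end
end

# Build a Rack-style env: request header "X-Client-DN" becomes HTTP_X_CLIENT_DN;
# variables exported by mod_ssl keep their own names.
def rack_env(headers: {}, cgi_vars: {})
  env = cgi_vars.dup
  headers.each { |name, value| env["HTTP_" + name.upcase.tr("-", "_")] = value }
  env
end

SAMPLE_DN = "/CN=agent01.example.test" # constructed sample value

# 1. Vhost forwards nothing: the master sees no DN at all.
BARE = rack_env
# 2. Vhost uses "RequestHeader set X-Client-DN ..." / "X-Client-Verify ...".
#    "set" replaces any value the client sent under the same header name.
FORWARDED = rack_env(headers: { "X-Client-DN" => SAMPLE_DN,
                                "X-Client-Verify" => "SUCCESS" })
# 3. Vhost exports the mod_ssl variables instead; only README_SETTINGS finds them.
STDENV = rack_env(cgi_vars: { "SSL_CLIENT_S_DN" => SAMPLE_DN,
                              "SSL_CLIENT_VERIFY" => "SUCCESS" })

if __FILE__ == $PROGRAM_NAME
  p client_identity(BARE)
  p client_identity(FORWARDED)
  p client_identity(STDENV)
  p client_identity(STDENV, README_SETTINGS)
end
```

Either fix works only when the key names on the Apache side and in puppet.conf agree; a mismatch yields the same "Denying unauthenticated client" result as forwarding nothing.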

Silviu Paragina

Jan 9, 2010, 8:30:39 AM
to puppet...@googlegroups.com
Christian Hofstaedtler wrote:
> You know, this usually means that you don't have these settings in
> your puppet.conf, as doc'ed:
>
> Required puppet.conf settings:
> [puppetmasterd]
> ssl_client_header = SSL_CLIENT_S_DN
> ssl_client_verify_header = SSL_CLIENT_VERIFY
>
> -ch
>
>
Noted.
Does this work with both passenger 2.2.2, 2.2.5 and above?

Silviu
