Re: Puppet Master Forbidding Access to Cert Revocation List


kp-v

Aug 9, 2012, 2:24:52 PM
to puppet...@googlegroups.com
I don't think there is an issue with my configuration. I believe I am running into issues with indirector.rb not finding the correct terminus for my certificate revocation list.

On Wednesday, August 8, 2012 10:21:05 AM UTC-7, kp-v wrote:
Hey folks;

I am having issues retrieving the catalog from my master. It seems to be an issue with the ACLs for /certificate_revocation_list/ca; however, it still produces an error when I set the ACLs to allow everything! I am almost certain it has something to do with my non-default installation. Puppet gurus, please assist me. Any and all advice would be helpful. P.S. I have not had issues with Passenger up until I changed the installation root, except excessively long (400 sec) SSL sessions for initial runs.

I am running an agent/master configuration with passenger (CentOS 6.2). I installed puppet from source and my file structure looks like this:

/opt/puppet
  • /opt/puppet/etc
    • /opt/puppet/etc/puppet
  • /opt/puppet/usr
    • /opt/puppet/usr/bin
    • /opt/puppet/usr/sbin
    • /opt/puppet/usr/share
  • /opt/puppet/var
    • /opt/puppet/var/ssl
My master is able to receive and complete the certificate handshake process. On an agent, after having received confirmation that the handshake completed, it attempts to find /certificate_revocation_list/ca but fails. It produces this error (full trace):
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:56:in `deserialize'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:75:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:188:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:50:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:230:in `ssl_store'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:56:in `cert_setup'
/usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:98:in `http_instance'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:71:in `network'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:75:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:188:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:50:in `find'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:240:in `retrieve_new_catalog'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:403:in `thinmark'
/usr/lib/ruby/1.8/benchmark.rb:308:in `realtime'
/usr/lib/ruby/site_ruby/1.8/puppet/util.rb:402:in `thinmark'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:239:in `retrieve_new_catalog'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:86:in `retrieve_catalog'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:111:in `retrieve_and_apply_catalog'
/usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:150:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent/locker.rb:21:in `lock'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
/usr/lib/ruby/1.8/sync.rb:230:in `synchronize'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:39:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:103:in `with_client'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:37:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:172:in `call'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:172:in `controlled_run'
/usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:35:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:114:in `onetime'
/usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:88:in `run_command'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:305:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:420:in `hook'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:305:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:411:in `exit_on_fail'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:305:in `run'
/usr/sbin/puppetd:4
err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: hostname.fqdn.int (NNN.NNN.NNN.NNN) access to /certificate_revocation_list/ca [find] at line 0
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

The syslog on the master produces this error:
Aug  8 10:10:16 eng-puppet-vm2 puppet-master[15352]: Forbidden request: hostname.fqdn.int (NNN.NNN.NNN.NNN) access to /certificate_revocation_list/ca [find] at line 0

Here is a look at my configurations:
auth.conf
path /facts
method find,search
auth yes

path ~ ^/catalog/([^/]+)$
method find
allow $1

path /certificate_revocation_list/ca
method find
allow *

path /report
method save
allow *.fqdn.int
allow NNN.NNN.NNN.NNN/16

path /file
allow *

path /certificate/ca
auth no
method find
allow *

path /certificate/
auth no
method find
allow *

path /certificate_request
auth no
method find, save
allow *

path /
auth any

puppet.conf  
[main]
    server = hostname.fqdn.int
    logdir = /var/log/puppet
    puppetdlog = /var/log/puppet/puppet.log
    rundir = /var/run/puppet
    #ssldir = $vardir/ssl:/etc/puppet/ssl
    modulepath = /opt/puppet/etc/puppet/modules:/usr/share/puppet/modules
    runinterval=900
[master]
    ssldir = /opt/puppet/var/ssl
    facts_terminus = yaml
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY
[agent]
    classfile = $vardir/classes.txt
    clientbucketdir = $vardir/client_bucket
    clientyamldir = $vardir/client_yaml
    ssldir = $vardir/ssl

kp-v

Aug 10, 2012, 9:14:31 PM
to puppet...@googlegroups.com
I was pretty close with my first guess, but I might have figured it out. I have not resolved the issue; however, I am certain of the issue at hand. In 2.6.16, puppet only searches for the auth.conf file at /etc/puppet/auth.conf, and this path appears to be hardcoded. Therefore, because puppet cannot find the auth.conf file, it denies access to everything (all four indirector verbs) within the / (puppet) directory. I have yet to try symlinking the file to /etc/puppet/auth.conf to attempt a fix; however, this defeats the purpose of installing in /opt. I doubt that this is a bug because I followed a non-standard installation process. I will post again if I figure out how to patch it.
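As an added example (not Puppet's own code and not from the thread), the Ruby below is a simplified model of how auth.conf rules are evaluated: rules are tried top to bottom, the first rule whose path and method match decides, and it grants access only if one of its allow patterns matches the requesting node name or IP; no matching rule means refusal. It embeds the relevant rules from the auth.conf posted above, with the masked IP replaced by the constructed 10.20.0.0/16 and a constructed agent address 10.20.30.40, and shows that those rules do permit the CRL request from the error message, while an empty rule set refuses it, which is the situation the post above describes when the master finds no auth.conf at all.

```ruby
# Simplified model of Puppet auth.conf evaluation (added example, not Puppet's
# own code): first rule whose path and method match decides; it allows only if
# an allow pattern matches the node name or IP; no matching rule means refusal.
require 'ipaddr'

def parse_auth_conf(text)
  rules = []
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    case key
    when 'path'   # "path ~ regex" is a regex rule, anything else a prefix rule
      regex = value.start_with?('~')
      rules << { pattern: regex ? value.sub(/\A~\s*/, '') : value,
                 regex: regex, methods: nil, allow: [] }
    when 'method' then rules.last[:methods] = value.split(/\s*,\s*/)
    when 'allow'  then rules.last[:allow].concat(value.split(/\s*,\s*/))
    end           # 'auth' lines are ignored: every request modelled here is authenticated
  end
  rules
end

# One allow pattern: '*', '*.domain', an IP/CIDR, or an exact hostname; $1, $2 ... come from a regex path rule.
def pattern_allows?(pat, node, ip, match)
  pat = pat.gsub(/\$(\d+)/) { match[$1.to_i].to_s } if match
  return true if pat == '*'
  return node.end_with?(pat[1..-1]) if pat.start_with?('*.')
  return IPAddr.new(pat).include?(IPAddr.new(ip)) if pat =~ /\A\d+(\.\d+){3}(\/\d+)?\z/
  pat == node
end

def allowed?(rules, path, method, node, ip)
  rules.each do |r|
    m = r[:regex] ? Regexp.new(r[:pattern]).match(path) : nil
    next if r[:regex] ? m.nil? : !path.start_with?(r[:pattern])
    next if r[:methods] && !r[:methods].include?(method)
    return r[:allow].any? { |pat| pattern_allows?(pat, node, ip, m) }
  end
  false # no rule matched at all: refused
end

# Rules from the posted auth.conf; the masked IP is the constructed 10.20.0.0/16.
AUTH_CONF = "path ~ ^/catalog/([^/]+)$\nmethod find\nallow $1\n" \
            "path /certificate_revocation_list/ca\nmethod find\nallow *\n" \
            "path /report\nmethod save\nallow *.fqdn.int\nallow 10.20.0.0/16\n" \
            "path /\nauth any\n"
RULES = parse_auth_conf(AUTH_CONF)
# The request from the error message is permitted by these rules, so a 403 for
# it points at the master reading a different (or no) auth.conf than the one posted.
puts allowed?(RULES, '/certificate_revocation_list/ca', 'find', 'hostname.fqdn.int', '10.20.30.40') # => true
```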