Passenger Problems

[matonb]

I'm having trouble getting puppetmaster to use passenger, it appears to be releated SSL selfsigned certificates but I could be barking up the wrong tree...

 

Puppet Master is hosted on a CentOS 6.0 32bit machine

# yum list installed | grep puppet
facter.i386                        1:1.6.11-1.el6           @puppetlabs-products
mcollective.noarch                 2.0.0-1.el6              @puppetlabs-products
mcollective-common.noarch          2.0.0-1.el6              @puppetlabs-products
puppet.noarch                      2.7.19-1.el6             @puppetlabs-products
puppet-server.noarch               2.7.19-1.el6             @puppetlabs-products
puppetlabs-release.noarch          6-5                      @/puppetlabs-release-6-5.noarch

# gem query --local

*** LOCAL GEMS ***

abstract (1.0.0)
actionmailer (3.0.15)
actionpack (3.0.15)
activemodel (3.0.15, 3.0.10)
activerecord (3.0.15, 3.0.10)
activeresource (3.0.15)
activesupport (3.0.15, 3.0.10)
acts_as_audited (2.0.0)
ancestry (1.2.5)
arel (2.0.10)
audited (3.0.0.rc1)
audited-activerecord (3.0.0.rc1)
builder (2.1.2)
bundler (1.0.15)
daemon_controller (1.0.0)
erubis (2.6.6)
fastthread (1.0.7)
has_many_polymorphs (3.0.0.beta1)
i18n (0.5.0)
jquery-rails (1.0.19)
json (1.6.6)
mail (2.3.3)
mime-types (1.18)
mysql (2.8.1)
net-ldap (0.3.1)
passenger (3.0.17)
polyglot (0.3.3)
rack (1.2.5)
rack-mount (0.6.14)
rack-test (0.5.7)
rails (3.0.15)
railties (3.0.15)
rake (0.9.2.2)
rdoc (3.12)
rest-client (1.6.7)
ruby2ruby (1.3.1)
ruby_parser (2.3.1)
safemode (1.0.1)
scoped_search (2.3.7)
sexp_processor (3.1.0)
stomp (1.1.8)
thor (0.14.6)
treetop (1.4.10)
tzinfo (0.3.33, 0.3.32)
uuidtools (2.1.1)
will_paginate (3.0.3)

 

/etc/httpd/conf.d/puppetmaster.conf

# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off

Listen 8140

<VirtualHost *:8140>
  SSLEngine      on
#  SSLProtocol    -ALL +SSLv3 +TLSv1
#  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

  SSLCertificateFile      /var/lib/puppet/ssl/certs/puppet.pem
  SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/puppet.pem
  SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
  SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
  # If Apache complains about invalid signatures on the CRL, you can try disabling
  # CRL checking by commenting the next line, but this is not recommended.
  SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
  SSLVerifyClient optional
  SSLVerifyDepth  1
  SSLOptions      +StdEnvVars

   # This header needs to be set if using a loadbalancer or proxy
#  RequestHeader unset X-Forwarded-For
  RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

  DocumentRoot /etc/puppet/rack/public/
  RackBaseURI /
  <Directory /etc/puppet/rack/>
    Options None
    AllowOverride None
    Order allow,deny
    allow from all
  </Directory>
</VirtualHost>

 

/var/log/http/error_log:

[Fri Aug 31 08:54:40 2012] [notice] caught SIGTERM, shutting down
[Fri Aug 31 08:54:40 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Aug 31 08:54:40 2012] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri Aug 31 08:54:40 2012] [notice] Digest: generating secret for digest authentication ...
[Fri Aug 31 08:54:40 2012] [notice] Digest: done
[Fri Aug 31 08:54:40 2012] [notice] Apache/2.2.15 (Unix) DAV/2 mod_ssl/2.2.15 OpenSSL/1.0.0-fips Phusion_Passenger/3.0.17 configured -- resuming normal operations

/var/log/messages:

Aug 31 03:59:36 ip-10-226-242-145 puppet-agent[894]: (/File[/var/lib/puppet/lib]) Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet]
Aug 31 03:59:36 ip-10-226-242-145 puppet-agent[894]: (/File[/var/lib/puppet/lib]) Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet] Could not retrieve file metadata for puppet://puppet/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet]
Aug 31 03:59:38 ip-10-226-242-145 puppet-agent[894]: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet]
Aug 31 03:59:38 ip-10-226-242-145 puppet-agent[894]: Using cached catalog
Aug 31 03:59:38 ip-10-226-242-145 puppet-agent[894]: Could not retrieve catalog; skipping run
Aug 31 03:59:38 ip-10-226-242-145 puppet-agent[894]: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet]

 

On a client node:

# puppet agent --test --verbose
warning: peer certificate won't be verified in this SSL session
err: Could not request certificate: Error 406 on SERVER:
Exiting; failed to retrieve certificate and waitforcert is disabled

 

Nothing in the apache ssl_error log files

 

[matonb]

It turns out that for me at least this problem was caused by using the directory /etc/puppet/rack/ as the document root.

Creating the directory puppetmasterd and moving everything to down a level to /etc/puppet/rack/puppetmasterd (paths updated in apache config of course), everything then started working.