Lots of problems with Puppet 2.7 and Passenger on FreeBSD

Josh

May 8, 2012, 9:55:52 PM5/8/12
to puppet...@googlegroups.com
Hello,

I continually get error messages about denied requests and can't figure out why... starting to get really frustrated. AFAICT, the SSL stuff doesn't actually work, which makes me think I have something configured incorrectly. This is my first attempt with Passenger. I've previously used Puppet (0.24) with Mongrel and that worked well; I figured I would see how Passenger worked. Seems a lot harder to get going so far.

I can see a signing request, I sign it, seems to work, but the agent never attempts again. If I manually restart the agent I start getting 403s. If I wipe out the SSL files and restart, the same thing happens: start agent, get request, sign, restart agent, 403, rinse and repeat. It worked as [user] but when I changed it to [agent], everything broke, even with the same certificates. These are the errors I see:

May  8 21:36:06 puppet puppet-master[11776]: Denying access: Forbidden request: backup1(192.168.3.9) access to /catalog/backup1.int.domain.com [find] at line 98
May  8 21:36:06 puppet puppet-master[11776]: Forbidden request: backup1(192.168.3.9) access to /catalog/backup1.int.domain.com [find] at line 98

I also had plugin errors and report errors but I turned those options off. I created the master cert with dns_alt_name=puppet, and I see the extension in the cert ONLY for the master's FQDN cert file, the CA cert file doesn't have an alt name (ssl/certs/ca.pem). Neither does ssl/ca/ca_crt.pem. Is this correct? Does the client also need an alt name in its cert?

This, believe it or not, is the default puppet.conf I got on FreeBSD (with comments/whitespace removed, [user] changed to [agent], and my domain replaced):

[agent]
    tagmap = /usr/local/etc/puppet/tagmail.conf
    lastrunreport = /var/puppet/state/last_run_report.yaml
    server = puppet.int.domain.com
    clientyamldir = /var/puppet/client_yaml
    clientbucketdir = /var/puppet/clientbucket
    puppetdlog = /var/puppet/log/puppetd.log
    report_server = puppet
    runinterval = 10
    inventory_port = 8140
    classfile = /var/puppet/state/classes.txt
    ca_port = 8140
    puppetdlockfile = /var/puppet/state/puppetdlock
    report = false
    localconfig = /var/puppet/state/localconfig
    splaylimit = 1800
    client_datadir = /var/puppet/client_data
    report_port = 8140
    lastrunfile = /var/puppet/state/last_run_summary.yaml
    graphdir = /var/puppet/state/graphs
    statefile = /var/puppet/state/state.yaml
    resourcefile = /var/puppet/state/resources.txt
    reportserver = puppet
    inventory_server = puppet
    ca_name = Puppet CA: jail-5.isc.freebsd.org
    cakey = /var/puppet/ssl/ca/ca_key.pem
    caprivatedir = /var/puppet/ssl/ca/private
    capass = /var/puppet/ssl/ca/private/ca.pass
    cert_inventory = /var/puppet/ssl/ca/inventory.txt
    cadir = /var/puppet/ssl/ca
    capub = /var/puppet/ssl/ca/ca_pub.pem
    csrdir = /var/puppet/ssl/ca/requests
    serial = /var/puppet/ssl/ca/serial
    cacert = /var/puppet/ssl/ca/ca_crt.pem
    cacrl = /var/puppet/ssl/ca/ca_crl.pem
    signeddir = /var/puppet/ssl/ca/signed
    autosign = /usr/local/etc/puppet/autosign.conf
    masterlog = /var/puppet/log/puppetmaster.log
    modulepath = /usr/local/etc/puppet/modules:/usr/share/puppet/modules
    ssl_client_header = SSL_CLIENT_S_DN
    server_datadir = /var/puppet/server_data
    masterhttplog = /var/puppet/log/masterhttp.log
    bucketdir = /var/puppet/bucket
    ssl_client_verify_header = SSL_CLIENT_VERIFY
    fileserverconfig = /usr/local/etc/puppet/fileserver.conf
    manifestdir = /usr/local/etc/puppet/manifests
    manifest = /usr/local/etc/puppet/manifests/site.pp
    rest_authconfig = /usr/local/etc/puppet/auth.conf
    yamldir = /var/puppet/yaml
    reportdir = /var/puppet/reports
    inventory_terminus = facter
    plugindest = /var/puppet/lib
    privatekeydir = /var/puppet/ssl/private_keys
    hostcsr = /var/puppet/ssl/csr_jail-5.isc.freebsd.org.pem
    factsource = puppet://puppet/facts/
    hostpubkey = /var/puppet/ssl/public_keys/jail-5.isc.freebsd.org.pem
    authconfig = /usr/local/etc/puppet/namespaceauth.conf
    logdir = /var/puppet/log
    httplog = /var/puppet/log/http.log
    publickeydir = /var/puppet/ssl/public_keys
    pluginsource = puppet://puppet/plugins
    privatedir = /var/puppet/ssl/private
    factpath = /var/puppet/lib/facter:/var/puppet/facts
    hostcert = /var/puppet/ssl/certs/jail-5.isc.freebsd.org.pem
    localcacert = /var/puppet/ssl/certs/ca.pem
    certdir = /var/puppet/ssl/certs
    libdir = /var/puppet/lib
    requestdir = /var/puppet/ssl/certificate_requests
    pluginsync = false
    route_file = /usr/local/etc/puppet/routes.yaml
    passfile = /var/puppet/ssl/private/password
    hostprivkey = /var/puppet/ssl/private_keys/jail-5.isc.freebsd.org.pem
    statedir = /var/puppet/state
    hostcrl = /var/puppet/ssl/crl.pem
    bindaddress = 0.0.0.0
    config = /usr/local/etc/puppet/puppet.conf
    pidfile = /var/run/puppet/agent.pid
    rrdinterval = 1800
    rrddir = /var/puppet/rrd
    dblocation = /var/puppet/state/clientconfigs.sqlite3
    railslog = /var/puppet/log/rails.log
    deviceconfig = /usr/local/etc/puppet/device.conf
    devicedir = /var/puppet/devices
    templatedir = /var/puppet/templates
    archive_file_server = puppet

There is no auth.conf on the client.

This is the puppet.conf on the master, also default and sanitized. There is not and never was a [master] section:

[agent]
    tagmap = /usr/local/etc/puppet/tagmail.conf
    ca_server = puppet
    lastrunreport = /var/puppet/state/last_run_report.yaml
    clientyamldir = /var/puppet/client_yaml
    clientbucketdir = /var/puppet/clientbucket
    puppetdlog = /var/puppet/log/puppetd.log
    report_server = puppet
    inventory_port = 8140
    classfile = /var/puppet/state/classes.txt
    ca_port = 8140
    puppetdlockfile = /var/puppet/state/puppetdlock
    localconfig = /var/puppet/state/localconfig
    splaylimit = 1800
    client_datadir = /var/puppet/client_data
    report_port = 8140
    lastrunfile = /var/puppet/state/last_run_summary.yaml
    graphdir = /var/puppet/state/graphs
    statefile = /var/puppet/state/state.yaml
    resourcefile = /var/puppet/state/resources.txt
    reportserver = puppet
    node_name_value = jail-5.isc.freebsd.org
    inventory_server = puppet
    ca_name = Puppet CA: jail-5.isc.freebsd.org
    cakey = /var/puppet/ssl/ca/ca_key.pem
    caprivatedir = /var/puppet/ssl/ca/private
    capass = /var/puppet/ssl/ca/private/ca.pass
    cert_inventory = /var/puppet/ssl/ca/inventory.txt
    cadir = /var/puppet/ssl/ca
    capub = /var/puppet/ssl/ca/ca_pub.pem
    csrdir = /var/puppet/ssl/ca/requests
    serial = /var/puppet/ssl/ca/serial
    cacert = /var/puppet/ssl/ca/ca_crt.pem
    cacrl = /var/puppet/ssl/ca/ca_crl.pem
    signeddir = /var/puppet/ssl/ca/signed
    autosign = /usr/local/etc/puppet/autosign.conf
    masterlog = /var/puppet/log/puppetmaster.log
    modulepath = /usr/local/etc/puppet/modules:/usr/share/puppet/modules
    ssl_client_header = SSL_CLIENT_S_DN
    server_datadir = /var/puppet/server_data
    masterhttplog = /var/puppet/log/masterhttp.log
    bucketdir = /var/puppet/bucket
    ssl_client_verify_header = SSL_CLIENT_VERIFY
    fileserverconfig = /usr/local/etc/puppet/fileserver.conf
    manifestdir = /usr/local/etc/puppet/manifests
    manifest = /usr/local/etc/puppet/manifests/site.pp
    rest_authconfig = /usr/local/etc/puppet/auth.conf
    yamldir = /var/puppet/yaml
    reportdir = /var/puppet/reports
    inventory_terminus = facter
    plugindest = /var/puppet/lib
    privatekeydir = /var/puppet/ssl/private_keys
    hostcsr = /var/puppet/ssl/csr_jail-5.isc.freebsd.org.pem
    factsource = puppet://puppet/facts/
    hostpubkey = /var/puppet/ssl/public_keys/jail-5.isc.freebsd.org.pem
    authconfig = /usr/local/etc/puppet/namespaceauth.conf
    dns_alt_names = puppet
    logdir = /var/puppet/log
    httplog = /var/puppet/log/http.log
    publickeydir = /var/puppet/ssl/public_keys
    pluginsource = puppet://puppet/plugins
    privatedir = /var/puppet/ssl/private
    factpath = /var/puppet/lib/facter:/var/puppet/facts
    hostcert = /var/puppet/ssl/certs/jail-5.isc.freebsd.org.pem
    localcacert = /var/puppet/ssl/certs/ca.pem
    certdir = /var/puppet/ssl/certs
    libdir = /var/puppet/lib
    requestdir = /var/puppet/ssl/certificate_requests
    pluginsync = false
    route_file = /usr/local/etc/puppet/routes.yaml
    passfile = /var/puppet/ssl/private/password
    hostprivkey = /var/puppet/ssl/private_keys/jail-5.isc.freebsd.org.pem
    statedir = /var/puppet/state
    hostcrl = /var/puppet/ssl/crl.pem
    bindaddress = 0.0.0.0
    config = /usr/local/etc/puppet/puppet.conf
    pidfile = /var/run/puppet/apply.pid
    rrdinterval = 1800
    rrddir = /var/puppet/rrd
    dblocation = /var/puppet/state/clientconfigs.sqlite3
    railslog = /var/puppet/log/rails.log
    deviceconfig = /usr/local/etc/puppet/device.conf
    devicedir = /var/puppet/devices
    templatedir = /var/puppet/templates
    archive_file_server = puppet

This is my auth.conf on the master, copied from -dist (there was none initially):

path ~ ^/catalog/([^/]+)$
method find
allow $1
path ~ ^/node/([^/]+)$
method find
allow $1
path /certificate_revocation_list/ca
method find
allow *
path /report
method save
allow *
path /file
allow *
path /certificate/ca
auth no
method find
allow *
path /certificate/
auth no
method find
allow *
path /certificate_request
auth no
method find, save
allow *
path /
auth any

This is my Apache config on the master:

PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off
Listen 8140
<VirtualHost *:8140>
    SSLEngine on
    SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
    SSLCertificateFile      /var/puppet/ssl/certs/puppet.int.domain.com.pem
    SSLCertificateKeyFile   /var/puppet/ssl/private_keys/puppet.int.domain.com.pem
    SSLCertificateChainFile /var/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /var/puppet/ssl/ca/ca_crt.pem
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    DocumentRoot /usr/local/etc/puppet/rack/public/
    RackBaseURI /
    <Directory /local/etc/puppet/rack/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

Does anything stand out?

Thanks,
Josh

Jo Rhett

May 30, 2012, 6:20:57 PM5/30/12
to puppet...@googlegroups.com
Authorization is handled by auth.conf, you should look at this file. The default syntax which handles this is something like so:

# allow nodes to retrieve their own catalog (ie their configuration)
path ~ ^/catalog/([^/]+)$
method find
allow $1
--

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.
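The denial logged in the first post is an auth.conf decision: the master authenticated the client as backup1 (the name in parentheses), but the catalog request was for /catalog/backup1.int.domain.com, and the `allow $1` rule only permits a request when the captured name equals the authenticated name. The following is an added example, not code from the thread or from Puppet itself; it is a small evaluator for the auth.conf rule format quoted above (a subset of the master's rules is embedded as sample input) that reproduces that first-matching-rule, default-deny behaviour so the request from the log can be replayed offline.

```python
import re

# Rules copied from the master's auth.conf posted in the thread (a subset, embedded as sample input).
AUTH_CONF = """path ~ ^/catalog/([^/]+)$
method find
allow $1
path /certificate/ca
auth no
method find
allow *
"""

def parse_auth_conf(text):
    """Parse auth.conf into an ordered list of rules; each 'path' line opens a new stanza."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "path":
            regex = re.compile(value[1:].strip()) if value.startswith("~") else None
            rules.append({"regex": regex, "prefix": value, "methods": None, "auth": "yes", "allow": []})
        elif key == "method":
            rules[-1]["methods"] = [m.strip() for m in value.split(",")]
        elif key == "auth":
            rules[-1]["auth"] = value
        elif key == "allow":
            rules[-1]["allow"] += [a.strip() for a in value.split(",")]
    return rules

def is_allowed(rules, path, method, certname=None):
    """First rule whose path, method and auth state match decides; anything else is denied.
    certname is the name from the verified client certificate, None for an unauthenticated request."""
    for rule in rules:
        match = rule["regex"].match(path) if rule["regex"] else path.startswith(rule["prefix"])
        wrong_method = rule["methods"] and method not in rule["methods"]
        wrong_auth = (rule["auth"] == "yes" and certname is None) or (rule["auth"] == "no" and certname)
        if not match or wrong_method or wrong_auth:
            continue                          # rule does not apply here; keep looking
        groups = match.groups() if rule["regex"] else ()
        for entry in rule["allow"]:
            # $1, $2 ... are replaced by the capture groups of the path regex
            name = re.sub(r"\$(\d+)", lambda g: groups[int(g.group(1)) - 1], entry)
            if entry == "*" or name == certname:
                return True
        return False                          # matched but not allowed: 403 Forbidden
    return False
```

Replaying the logged request, is_allowed(rules, "/catalog/backup1.int.domain.com", "find", "backup1") returns False, while the same request with certname "backup1.int.domain.com" is allowed; the check to make on the agent is therefore whether its certname and the node name it requests a catalog for are the same string.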
