Error sending reports to dashboard


Mohamed Lrhazi

Mar 21, 2011, 7:12:20 PM
to puppet...@googlegroups.com
[master]
reports = log, store, http
reporturl = https://puppet-test.uis.example.com/reports/upload

am running dashboard in the same host as puppetmaster, which is
puppet-test, both behind apache/phusion.

reports fail and master logs:

Report http failed: wrong status line: "<!DOCTYPE HTML PUBLIC
\"-//IETF//DTD HTML 2.0//EN\">"

How can I further debug this? am using dashboard for a github checkout
and puppet 2.6.3


Thanks a lot.
Mohamed.

Mohamed Lrhazi

Mar 22, 2011, 12:28:50 AM
to puppet...@googlegroups.com
If I run the dash-board directly, with built-in web-server, on default
port, and remove the reporturl, reports are posted successfully!

Any idea what I am missing for a behind apache/Phusion setup?

Thanks a lot.
Mohamed.

Mohamed Lrhazi

Mar 22, 2011, 12:41:03 AM
to puppet...@googlegroups.com
I enabled debug log level in apache virtual and it seems like
puppetmaster is trying to speak http, instead of https.
Is https not supported for posting reports?

[Tue Mar 22 00:39:43 2011] [debug] ssl_engine_io.c(1819): OpenSSL: read 11/11 bytes from BIO#2b225d284100 [mem: 2b225d2f9650] (BIO dump follows)
[Tue Mar 22 00:39:43 2011] [debug] ssl_engine_io.c(1766): +-------------------------------------------------------------------------+
[Tue Mar 22 00:39:43 2011] [debug] ssl_engine_io.c(1791): | 0000: 50 4f 53 54 20 2f 72 65-70 6f 72 POST /repor |
[Tue Mar 22 00:39:43 2011] [debug] ssl_engine_io.c(1797): +-------------------------------------------------------------------------+
[Tue Mar 22 00:39:43 2011] [debug] ssl_engine_kernel.c(1838): OpenSSL: Exit: error in SSLv2/v3 read client hello A
[Tue Mar 22 00:39:43 2011] [info] [client 141.161.245.113] SSL handshake failed: HTTP spoken on HTTPS port; trying to send HTML error page
[Tue Mar 22 00:39:43 2011] [info] SSL Library Error: 336027804 error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request speaking HTTP to HTTPS port!?

Patrick

Apr 11, 2011, 12:14:46 PM
to puppet...@googlegroups.com
Bump. Anyone know the answer? Can puppet use https to post reports? I'm having trouble sending reports using https too, although I haven't yet found anything useful in the logs.


Mohamed Lrhazi

Apr 11, 2011, 12:55:10 PM
to puppet...@googlegroups.com
I did not find any reference.... I just added a second apache virtual
server to do http on port 80.

Felix Frank

Apr 12, 2011, 3:12:35 AM
to puppet...@googlegroups.com
On 04/11/2011 06:55 PM, Mohamed Lrhazi wrote:
> I did not find any reference.... I just added a second apache virtual
> server to do http on port 80.
>
> On Mon, Apr 11, 2011 at 12:14 PM, Patrick <kc7...@gmail.com> wrote:
>> Bump. Anyone know the answer? Can puppet use https to post reports? I'm having trouble sending reports using https too, although I haven't yet found anything useful in the logs.

Hi,

I'm clueless, but from a technical angle, you can use another workaround
if you need your reports to be encrypted en route.

Use a local HTTP reporturl, have stunnel listen to the local HTTP port
and connect to the remote HTTPS. The agent can speak HTTP while the
dashboard should dutifully receive HTTPS.

HTH,
Felix

Cody Robertson

Apr 14, 2011, 6:54:43 PM
to puppet...@googlegroups.com
Although I don't know the answer I'm curious as to why you're worried about using HTTPS when you're sending the reports locally? There is no need to encrypt the ports if you're just sending them to the same machine / localhost.

Mohamed Lrhazi

Apr 14, 2011, 10:19:22 PM
to puppet...@googlegroups.com
Sure. but if you already configured access to puppetmaster on HTTPS,
it would be nice to use it, instead of adding and maintaining another
setup for HTTP access.

Patrick

Apr 15, 2011, 1:17:16 AM
to puppet...@googlegroups.com

On Apr 14, 2011, at 3:54 PM, Cody Robertson wrote:

> Although I don't know the answer I'm curious as to why you're worried about using HTTPS when you're sending the reports locally? There is no need to encrypt the ports if you're just sending them to the same machine / localhost.

In my case, I wanted to run dashboard using SSL (for when I connect remotely, so the passwords aren't in cleartext). It would have been easier for me if I was able to set the only instance of dashboard (set of instances?) running under passenger to be SSL. I understand this would have been a waste of CPU, but I believe the difference in CPU usage would have been negligible.

A real case that might eventually happen is if I use authentication on sending reports, and the puppetmaster sending the report isn't on the same LAN. I'll admit it doesn't help if I send to "localhost" but I consider that beside the point.

Patrick

Apr 15, 2011, 1:18:29 AM
to puppet...@googlegroups.com
My point exactly for now, though there are reasons to send reports over HTTPS that I mentioned in my response.

Michael Altfield

Jun 15, 2012, 12:28:23 PM
to puppet...@googlegroups.com
Hi,

I'm also having this issue running puppet-2.7.16 & puppet-dashboard-1.2.9 on CentOS 6.2. Has there been any solution to this yet besides running redundant vhosts?

In either case, can you please post your apache vhost configuration files?


On Monday, April 11, 2011 12:55:10 PM UTC-4, Mohamed wrote:
I did not find any reference.... I just added a second apache virtual
server  to do http on port 80.


Jo Rhett

Jun 15, 2012, 8:45:20 PM
to puppet...@googlegroups.com
Michael, I would configure report delivery via http and user access via https. Simple "Allow" rules for your host netblocks plus a rewrite to https based on the browser-agent would meet your needs. It WFM ;-)


-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.



Patrick

Sep 13, 2012, 12:36:21 AM
to puppet...@googlegroups.com
I wanted to configure the puppet dashboard to require authentication of client certs and had to modify the previous script to get it to send the client certificate. I also adjusted it to use the puppet CA cert to verify the remote server as well. Simple changes, but providing it in case anyone else wants to lock down their dashboard (or other report collector).
It uses the cert settings as configured in puppet.conf.


require 'puppet'
require 'net/http'
require 'net/https'
require 'uri'

Puppet::Reports.register_report(:https) do

  desc <<-DESC
  Send report information via HTTPS to the `reporturl`. Each host sends
  its report as a YAML dump and this sends this YAML to a client via HTTPS POST.
  The YAML is sent as the body of the request.
  DESC

  def process
    url = URI.parse(Puppet[:reporturl].to_s)
    http = Net::HTTP.new(url.host, url.port)
    http.use_ssl = true
    # Present this host's Puppet certificate and key as the TLS client identity.
    http.cert = OpenSSL::X509::Certificate.new(File.read(Puppet[:hostcert].to_s))
    http.key = OpenSSL::PKey::RSA.new(File.read(Puppet[:hostprivkey].to_s))
    # Verify the remote server's certificate against the Puppet CA.
    http.ca_file = Puppet[:localcacert].to_s
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER

    # POST the report as YAML in the request body.
    req = Net::HTTP::Post.new(url.path)
    req.body = self.to_yaml
    req.content_type = "application/x-yaml"

    # Block variable renamed so it does not shadow the outer `http`.
    http.start do |conn|
      response = conn.request(req)
      unless response.code == "200"
        Puppet.err "Unable to submit report to #{Puppet[:reporturl].to_s} [#{response.code}] #{response.msg}"
      end
    end

  end
end




On Wednesday, July 4, 2012 9:13:49 AM UTC-4, Julien wrote:
Hi,

In your puppet.conf, change:

[master]
  reports = log, store, https
  reporturl = https://puppet-test.uis.example.com:443/reports/upload

Then add in your reports folder (under debian with puppetlabs packets):

/usr/lib/ruby/1.8/puppet/reports/https.rb :

require 'puppet'
require 'net/http'
require 'net/https'
require 'uri'

Puppet::Reports.register_report(:https) do

  desc <<-DESC
  Send report information via HTTPS to the `reporturl`. Each host sends
  its report as a YAML dump and this sends this YAML to a client via HTTPS POST.
  The YAML is sent as the body of the request.
  DESC

  def process
    url = URI.parse(Puppet[:reporturl].to_s)
    http = Net::HTTP.new(url.host, url.port)
    http.use_ssl = true
    # VERIFY_NONE skips server certificate verification: the connection is
    # encrypted, but the identity of the receiving server is not checked.
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE

    # POST the report as YAML in the request body.
    req = Net::HTTP::Post.new(url.path)
    req.body = self.to_yaml
    req.content_type = "application/x-yaml"

    # Block variable renamed so it does not shadow the outer `http`.
    http.start do |conn|
      response = conn.request(req)
      unless response.code == "200"
        Puppet.err "Unable to submit report to #{Puppet[:reporturl].to_s} [#{response.code}] #{response.msg}"
      end
    end

  end
end

Found in the VM Labs shipped by puppetlabs.

Julien
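
Added example, not code from any poster in this thread or from Puppet: the Apache log earlier in the thread shows a plaintext `POST /repor` arriving on the HTTPS port, which is what a `Net::HTTP` object sends when it is built from host and port alone and `use_ssl` is never set. The helper names `report_connection` and `report_request` are hypothetical; the sketch picks the transport from the `reporturl` scheme, keeps peer verification on, and checks that a client key matches its certificate before using it.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Hypothetical helper, not Puppet's code: build the connection for a report
# POST so that the transport follows the scheme of reporturl.
def report_connection(reporturl, ca_file: nil, cert_pem: nil, key_pem: nil)
  url = URI.parse(reporturl)
  unless %w[http https].include?(url.scheme)
    raise ArgumentError, "unsupported reporturl scheme: #{url.scheme.inspect}"
  end

  http = Net::HTTP.new(url.host, url.port)
  # Net::HTTP.new is given only host and port; it never sees the scheme, so
  # without this line an https:// URL is sent as plain HTTP to port 443.
  http.use_ssl = (url.scheme == 'https')
  return http unless http.use_ssl?

  http.verify_mode = OpenSSL::SSL::VERIFY_PEER  # check the server certificate
  http.ca_file = ca_file if ca_file             # e.g. Puppet[:localcacert]
  if cert_pem && key_pem                        # client certificate, if required
    cert = OpenSSL::X509::Certificate.new(cert_pem)
    key = OpenSSL::PKey.read(key_pem)
    unless cert.check_private_key(key)
      raise ArgumentError, 'private key does not match certificate'
    end
    http.cert = cert
    http.key = key
  end
  http
end

# Build the POST itself; an empty URL path becomes "/" because current
# Net::HTTP rejects a request with an empty path.
def report_request(reporturl, yaml_body)
  url = URI.parse(reporturl)
  req = Net::HTTP::Post.new(url.path.empty? ? '/' : url.path)
  req.body = yaml_body
  req.content_type = 'application/x-yaml'
  req
end

if __FILE__ == $PROGRAM_NAME
  # reporturl from the first post; nothing is sent, only the settings are shown.
  conn = report_connection('https://puppet-test.uis.example.com/reports/upload')
  puts "use_ssl=#{conn.use_ssl?} port=#{conn.port} verify_mode=#{conn.verify_mode}"
end
```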
