puppet auth.conf permission denied

473 views
Skip to first unread message

bjoern pohl

unread,
Mar 17, 2014, 4:45:02 AM3/17/14
to puppet...@googlegroups.com
Hi,
i've got a strange problem with my server-side /etc/puppet/auth.conf.

The auth.conf is out-of-the-box, so the cert stuff looks basically like this:

# allow access to the CA certificate; unauthenticated nodes need this
# in order to validate the puppet master's certificate
path /certificate/ca
auth any
method find
allow *

# allow nodes to retrieve the certificate they requested earlier
path /certificate/
auth any
method find
allow *

# allow nodes to request a new certificate
path /certificate_request
auth any
method find, save
allow *

# deny everything else; this ACL is not strictly necessary, but
# illustrates the default policy.
path /
auth any

Now, when a client connects to the server (for the first time, so it shoud be the cert request), I get "400 permission denied" for all clients.
Network connectivity works, no iptables, 8140 is open and when I relax my auth.conf to something like this:

path /
auth any
allow *

clients can register and everything works. Now, this is nothing I want to have in production :)

a debug run with the master ( puppet master --no-daemonize --debug --trace --verbose) gives me a lot of information, but not what makes the master throw a permission denied. (and especially what rule in the auth.conf makes him do so...)

Any idea what might be wrong here? 

Master is a 3.4.3.

thanks & best regards,
Björn



bjoern pohl

unread,
Mar 17, 2014, 7:56:33 AM3/17/14
to puppet...@googlegroups.com
Answering myself :)
Actualle the error message was a bit misleading:
Error: Could not request certificate: Error 400 on SERVER: Permission denied - /etc/puppet/auth.conf
This was not because of the content IN the auth.conf , it was because of missing file permissions: the /etc/puppet directory was not readable by the puppetmaster which runs as the "puppet" user.
Everything solved now :)

Just one thing unclear: My "danger-mode" auth.conf was in this directory too, and worked for half a year on the dev system ( where I was able to reproduce the problem)... strange...

bjoern pohl

unread,
Mar 17, 2014, 8:03:37 AM3/17/14
to puppet...@googlegroups.com
By the way: this was a plain RPM install from puppet's yum repo ( RH EL6). Don't know if this directory permission stuff was intended and has to be manually aligned when using the RPM to run as a master...
Reply all
Reply to author
Forward
0 new messages