Error 403 on SERVER: Forbidden request:
ELTigre
When a client vpsXXX tries to get the catalog it returns this error:
vpsXXX:~# puppetd -tv
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
err: Could not retrieve catalog from remote server: Error 403 on
SERVER: Forbidden request: xx.xxx.xx.xxx(7.12.44.225) access to /
catalog/vpsXXX.domain.XX [find] at line 0
In puppetmaster I see this error;
Sep 11 11:05:07 vps200 puppetmasterd[3705]: Could not resolve
7.12.44.225: no name for 7.12.44.225
Sep 11 11:05:07 vps200 puppetmasterd[3742]: Could not resolve
7.12.44.225: no name for 7.12.44.225
Sep 11 11:05:07 vps200 puppetmasterd[3742]: (access[/]) defaulting to
no access for 7.12.44.225
Sep 11 11:05:07 vps200 puppetmasterd[3742]: Denying access: Forbidden
request: 7.12.44.225(7.12.44.225) access to /catalog/vpsXXX.domain.XX
[find] at line 0
Sep 11 11:05:07 vps200 puppetmasterd[3742]: Forbidden request:
7.12.44.225(7.12.44.225) access to /catalog/vpsXXX.domain.XX [find] at
line 0
Where 7.12.44.225 and vpsXXX.domain.XX are the puppet client and
VPS200 is puppetmaster.
Others puppet clients are working pretty well.
Any ideas?
regards,
Israel.
Brice Figureau
> I'm having this problem :
>
> When a client vpsXXX tries to get the catalog it returns this error:
>
> vpsXXX:~# puppetd -tv
> warning: peer certificate won't be verified in this SSL session
> info: Caching certificate for ca
> warning: peer certificate won't be verified in this SSL session
I'm afraid this is the root cause of your issues ^
> err: Could not retrieve catalog from remote server: Error 403 on
> SERVER: Forbidden request: xx.xxx.xx.xxx(7.12.44.225) access to /
> catalog/vpsXXX.domain.XX [find] at line 0
Yes, your client is trying to fetch a configuration but it is not
authenticated, so the server denies the access.
Fixing this client certificate should fix the issue.
--
Brice Figureau
My Blog: http://www.masterzen.fr/
ELTigre
On Sep 11, 10:58 am, Brice Figureau <brice-pup...@daysofwonder.com>
wrote:
> > I'm having this problem :
>
> > When a client vpsXXX tries to get the catalog it returns this error:
>
> > vpsXXX:~# puppetd -tv
> > warning: peer certificate won't be verified in this SSL session
> > info: Caching certificate for ca
> > warning: peer certificate won't be verified in this SSL session
>
> I'm afraid this is the root cause of your issues ^
>
> > err: Could not retrieve catalog from remote server: Error 403 on
> > SERVER: Forbidden request: xx.xxx.xx.xxx(7.12.44.225) access to /
> > catalog/vpsXXX.domain.XX [find] at line 0
>
> Yes, your client is trying to fetch a configuration but it is not
> authenticated, so the server denies the access.
I run puppetmasterd running this command:
puppetmasterd --debug --verbose --no-daemonize
and when the client connect this is the log from puppetmaster:
err: Could not resolve 67.212.94.125: no name for 7.112.94.125
info: Inserting default '~ ^/catalog/([^/]+)$'(auth) acl because /etc/
puppet/auth.conf doesn't exist
info: Inserting default '/file'(non-auth) acl because /etc/puppet/
auth.conf doesn't exist
info: Inserting default '/certificate_revocation_list/ca'(auth) acl
because /etc/puppet/auth.conf doesn't exist
info: Inserting default '/report'(auth) acl because /etc/puppet/
auth.conf doesn't exist
info: Inserting default '/certificate/ca'(non-auth) acl because /etc/
puppet/auth.conf doesn't exist
info: Inserting default '/certificate/'(non-auth) acl because /etc/
puppet/auth.conf doesn't exist
info: Inserting default '/certificate_request'(non-auth) acl because /
etc/puppet/auth.conf doesn't exist
err: Could not resolve 7.212.94.125: no name for 7.112.94.125
info: access[/]: defaulting to no access for 7.212.94.125
warning: Denying access: Forbidden request: 7.212.94.125(7.212.94.125)
don't know why is asking me this now.
thanks a lot.
regards,
Israel.
David Bishop
Well, then these is another bug that is causing this. Because I've
cleaned out the client cert using puppetca, reinstalled puppet on the
client side, verified that the key is getting signed, and I have the
same problem. And this only affects some clients - only ones using
0.25. The ones still on 0.24.8 are great, as are some of the ones on
0.25. So how should I "fix" the client certificate?
David
Brice Figureau
> On Fri, Sep 11, 2009 at 05:58:11PM +0200, Brice Figureau wrote:
>> On Fri, 2009-09-11 at 08:12 -0700, ELTigre wrote:
>>> I'm having this problem :
>>>
>>> When a client vpsXXX tries to get the catalog it returns this error:
>>>
>>> vpsXXX:~# puppetd -tv
>>> warning: peer certificate won't be verified in this SSL session
>>> info: Caching certificate for ca
>>> warning: peer certificate won't be verified in this SSL session
>> I'm afraid this is the root cause of your issues ^
>>
>>> err: Could not retrieve catalog from remote server: Error 403 on
>>> SERVER: Forbidden request: xx.xxx.xx.xxx(7.12.44.225) access to /
>>> catalog/vpsXXX.domain.XX [find] at line 0
>> Yes, your client is trying to fetch a configuration but it is not
>> authenticated, so the server denies the access.
>>
>> Fixing this client certificate should fix the issue.
>
> Well, then these is another bug that is causing this. Because I've
> cleaned out the client cert using puppetca, reinstalled puppet on the
> client side, verified that the key is getting signed, and I have the
> same problem.
I don't say it's not a bug, I was just decoding the error message. The
error message says that access to the configuration is denied _because_
the connection is not authenticated. The real question is why this
connection is not authenticated.
The warning outlined above seemed suspect in this respect.
Can you post puppetd --test --debug and puppetmasterd --debug --trace
logs to see if we could get more information.
> And this only affects some clients - only ones using
> 0.25. The ones still on 0.24.8 are great, as are some of the ones on
> 0.25. So how should I "fix" the client certificate?
Do you use webrick, apache+mongrel or something else?
Some of the proxy setup use a different port for some aspect of Puppet
communication (like --ca_port). I'm wondering if that particular client
might not use the wrong port for the catalog access.
Brice Figureau
It's not asking for an auth.conf, it just says that you don't have one
so it uses default sane rules. It is possible that on your environment
those rules are not sane. If you want to know more about auth.conf
please read the 0.25 release notes.
So same question as the one I sent to David Bishop, how do you run your
master? (ie with mongrel, webrick, passenger?)
It might be possible something on your environment mistakenly let puppet
think your client is not authenticated where it should.
Andrew Shafer
http://projects.reductivelabs.com/issues/2619
Any thing you might add to the issue would be appreciated.
Brice Figureau
Yes, this is #2619, which is to me essentially the same issue as in #2617:
http://projects.reductivelabs.com/issues/2617
And all comes down to the fact the client doesn't have
$ssldir/certs/ca.pem, which in turns comes from the fact that the master
doesn't run on top of a 0.25 generated $ssldir.