I'm afraid this is the root cause of your issues ^
> err: Could not retrieve catalog from remote server: Error 403 on
> SERVER: Forbidden request: xx.xxx.xx.xxx(7.12.44.225) access to /
> catalog/vpsXXX.domain.XX [find] at line 0
Yes, your client is trying to fetch a configuration but it is not
authenticated, so the server denies the access.
Fixing this client certificate should fix the issue.
--
Brice Figureau
My Blog: http://www.masterzen.fr/
Well, then these is another bug that is causing this. Because I've
cleaned out the client cert using puppetca, reinstalled puppet on the
client side, verified that the key is getting signed, and I have the
same problem. And this only affects some clients - only ones using
0.25. The ones still on 0.24.8 are great, as are some of the ones on
0.25. So how should I "fix" the client certificate?
David
I don't say it's not a bug, I was just decoding the error message. The
error message says that access to the configuration is denied _because_
the connection is not authenticated. The real question is why this
connection is not authenticated.
The warning outlined above seemed suspect in this respect.
Can you post puppetd --test --debug and puppetmasterd --debug --trace
logs to see if we could get more information.
> And this only affects some clients - only ones using
> 0.25. The ones still on 0.24.8 are great, as are some of the ones on
> 0.25. So how should I "fix" the client certificate?
Do you use webrick, apache+mongrel or something else?
Some of the proxy setup use a different port for some aspect of Puppet
communication (like --ca_port). I'm wondering if that particular client
might not use the wrong port for the catalog access.
It's not asking for an auth.conf, it just says that you don't have one
so it uses default sane rules. It is possible that on your environment
those rules are not sane. If you want to know more about auth.conf
please read the 0.25 release notes.
So same question as the one I sent to David Bishop, how do you run your
master? (ie with mongrel, webrick, passenger?)
It might be possible something on your environment mistakenly let puppet
think your client is not authenticated where it should.
Any thing you might add to the issue would be appreciated.
Yes, this is #2619, which is to me essentially the same issue as in #2617:
http://projects.reductivelabs.com/issues/2617
And all comes down to the fact the client doesn't have
$ssldir/certs/ca.pem, which in turns comes from the fact that the master
doesn't run on top of a 0.25 generated $ssldir.