Forbidden request: puppetagent1.example.com(192.168.1.101) access to /certificate_revocation_list/ca [find] at line 99


kai

Jun 14, 2012, 1:19:20 PM
to puppet...@googlegroups.com
Puppet version: 2.7.14

Puppet master behind apache with mod_proxy load balancer.
I am able to authenticate with the cert as per these headers:

Accept: s
X-SSL-Subject: /CN=puppetagent1.example.com
X-Client-DN: /CN=puppetagent1.example.com
X-Client-Verify: SUCCESS

Any idea what this error means?
I share my ssl dir on the load balancer and the puppet master.

Jeff McCune

Jun 14, 2012, 2:44:22 PM
to puppet...@googlegroups.com
On Thu, Jun 14, 2012 at 10:19 AM, kai <kaiv...@gmail.com> wrote:
> Puppet version: 2.7.14
>
> Puppet master behind apache with mod_proxy load balancer.
> I am able to authenticate with the cert as per these headers:
>
> Accept: s
> X-SSL-Subject: /CN=puppetagent1.example.com
> X-Client-DN: /CN=puppetagent1.example.com
> X-Client-Verify: SUCCESS
>
> Any idea what this error means?

It means the request isn't authorized.

I think your problem is that the headers aren't matched up with the
environment variables you're setting.

In http://goo.gl/R4IoB you have this on the back end:

SetEnvIf X-SSL-Client-DN "(.*)" SSL_CLIENT_S_DN=$1

But this doesn't match the header you're setting on the front end:

RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e

Making this match up should get you closer to your goal.

-Jeff

kai

Jun 15, 2012, 9:29:52 AM
to puppet...@googlegroups.com
Thank you Jeff, this is exactly what the problem was. I replaced

ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY

with

ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
ssl_client_header = HTTP_X_CLIENT_DN

and it worked. I was following the examples from the Pro Puppet book, but on different servers. Now it all works!
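The mismatch diagnosed in this thread, as an added example that is not part of the original posts or of Puppet: a Python check that compares the headers the front end sets with the variable names puppet.conf reads. The second `RequestHeader` line and all function names are assumptions made for illustration, and the check relies on the CGI/Rack convention that a request header `X-Foo` reaches the application as `HTTP_X_FOO`.

```python
import re

# Constructed sample configs modelled on the lines quoted in the thread.
FRONTEND = """RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e"""  # 2nd line assumed
BACKEND = 'SetEnvIf X-SSL-Client-DN "(.*)" SSL_CLIENT_S_DN=$1'
PUPPET_BEFORE = """ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY"""
PUPPET_AFTER = """ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
ssl_client_header = HTTP_X_CLIENT_DN"""

def rack_env_name(header):
    """CGI/Rack name under which an HTTP request header reaches the app."""
    return "HTTP_" + header.upper().replace("-", "_")

def forwarded_headers(frontend_conf):
    """Header names the front end sets with 'RequestHeader set <name> ...'."""
    pattern = r"^\s*RequestHeader\s+set\s+(\S+)"
    return {m.group(1).lower()
            for m in re.finditer(pattern, frontend_conf, re.M | re.I)}

def available_env(frontend_conf, backend_conf):
    """Environment names the back-end application can actually see."""
    sent = forwarded_headers(frontend_conf)
    env = {rack_env_name(h) for h in sent}
    # 'SetEnvIf <header> <regex> VAR=value' only fires if that header arrives.
    pattern = r'^\s*SetEnvIf\s+(\S+)\s+\S+\s+(\w+)='
    for m in re.finditer(pattern, backend_conf, re.M | re.I):
        if m.group(1).lower() in sent:
            env.add(m.group(2))
    return env

def check(frontend_conf, backend_conf, puppet_conf):
    """Return puppet.conf settings that name a variable nothing populates."""
    env = available_env(frontend_conf, backend_conf)
    problems = []
    for key in ("ssl_client_header", "ssl_client_verify_header"):
        m = re.search(rf"^\s*{key}\s*=\s*(\S+)", puppet_conf, re.M)
        if m and m.group(1) not in env:
            problems.append((key, m.group(1)))
    return problems

if __name__ == "__main__":
    print("before:", check(FRONTEND, BACKEND, PUPPET_BEFORE))
    print("after: ", check(FRONTEND, BACKEND, PUPPET_AFTER))
```

An empty list means every header setting in puppet.conf names a variable that the proxy chain actually fills in.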