Issue with some puppet agents - "Denying access: Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal"


Leonid Mirsky

Nov 7, 2013, 12:36:17 PM
to puppet...@googlegroups.com
Hi All.

I am having a strange issue when Amazon assigns an internal DNS of the domU* (ipv6) type.

Here are the errors I get on the puppet master:
Nov  7 13:51:38 ip-10-28-107-81 puppet-master[28632]: Signed certificate request for 4019_domu-12-31-39-0e-89-82.compute-1.internal
Nov  7 13:51:38 ip-10-28-107-81 puppet-master[28632]: Removing file Puppet::SSL::CertificateRequest 4019_domu-12-31-39-0e-89-82.compute-1.internal at '/var/lib/puppet/ssl/ca/requests/4019_domu-12-31-39-0e-89-82.compute-1.internal.pem'
Nov  7 13:51:38 ip-10-28-107-81 puppet-master[24868]: Denying access: Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal(10.192.138.112) access to /node/4019_domU-12-31-39-0E-89-82.compute-1.internal [find] at :115
Nov  7 13:51:38 ip-10-28-107-81 puppet-master[24868]: Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal(10.192.138.112) access to /node/4019_domU-12-31-39-0E-89-82.compute-1.internal [find] at :115
Nov  7 13:51:38 ip-10-28-107-81 puppet-master[24868]: Denying access: Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal(10.192.138.112) access to /file_metadata/plugins [search] at :115
Nov  7 13:51:38 ip-10-28-107-81 puppet-master[24868]: Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal(10.192.138.112) access to /file_metadata/plugins [search] at :115
Nov  7 13:51:38 ip-10-28-107-81 puppet-master[24868]: Denying access: Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal(10.192.138.112) access to /file_metadata/plugins [find] at :115
Nov  7 13:51:38 ip-10-28-107-81 puppet-master[24868]: Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal(10.192.138.112) access to /file_metadata/plugins [find] at :115
Nov  7 13:51:40 ip-10-28-107-81 puppet-master[28632]: Denying access: Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal(10.192.138.112) access to /catalog/4019_domU-12-31-39-0E-89-82.compute-1.internal [find] at :115
Nov  7 13:51:40 ip-10-28-107-81 puppet-master[28632]: Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal(10.192.138.112) access to /catalog/4019_domU-12-31-39-0E-89-82.compute-1.internal [find] at :115
Nov  7 13:51:40 ip-10-28-107-81 puppet-master[28632]: Denying access: Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal(10.192.138.112) access to /report/4019_domU-12-31-39-0E-89-82.compute-1.internal [save] at :115
Nov  7 13:51:40 ip-10-28-107-81 puppet-master[28632]: Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal(10.192.138.112) access to /report/4019_domU-12-31-39-0E-89-82.compute-1.internal [save] at :115

The node is configured with:
certname = 4019_domu-12-31-39-0e-89-82.compute-1.internal

I am using:
puppet master version 3.3.0
puppet agent version 3.3.1

The /etc/puppet/auth.conf is as follows (default):
path ~ ^/catalog/([^/]+)$
method find
allow $1
# allow nodes to retrieve their own node definition
path ~ ^/node/([^/]+)$
method find
allow $1
# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *
# allow all nodes to store their own reports
path ~ ^/report/([^/]+)$
method save
allow $1
# Allow all nodes to access all file services; this is necessary for
# pluginsync, file serving from modules, and file serving from custom
# mount points (see fileserver.conf). Note that the `/file` prefix matches
# requests to both the file_metadata and file_content paths. See "Examples"
# above if you need more granular access control for custom mount points.
path /file
allow *
### Unauthenticated ACLs, for clients without valid certificates; authenticated
### clients can also access these paths, though they rarely need to.
# allow access to the CA certificate; unauthenticated nodes need this
# in order to validate the puppet master's certificate
path /certificate/ca
auth any
method find
allow *
# allow nodes to retrieve the certificate they requested earlier
path /certificate/
auth any
method find
allow *
# allow nodes to request a new certificate
path /certificate_request
auth any
method find, save
allow *
# deny everything else; this ACL is not strictly necessary, but
# illustrates the default policy.
path /
auth any

Can anybody please help to debug this issue?
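
Added example (not part of the original post and not Puppet's own code): a small triage script that reads the "Forbidden request" lines above and, for each path governed by an `allow $1` rule in the posted auth.conf, compares the requester name the master logged with the name captured from the path and with the configured certname. The function names and result labels are assumptions made for this illustration; the log lines and certname are copied from the post.

```python
import re

# Certname and three log lines copied from the post above.
CERTNAME = "4019_domu-12-31-39-0e-89-82.compute-1.internal"
LOG = """\
Nov  7 13:51:38 ip-10-28-107-81 puppet-master[24868]: Denying access: Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal(10.192.138.112) access to /node/4019_domU-12-31-39-0E-89-82.compute-1.internal [find] at :115
Nov  7 13:51:38 ip-10-28-107-81 puppet-master[24868]: Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal(10.192.138.112) access to /node/4019_domU-12-31-39-0E-89-82.compute-1.internal [find] at :115
Nov  7 13:51:38 ip-10-28-107-81 puppet-master[24868]: Forbidden request: domU-12-31-39-0E-89-82.compute-1.internal(10.192.138.112) access to /file_metadata/plugins [search] at :115
"""

# The auth.conf rules from the post that end in `allow $1`.
SELF_RULES = [
    (re.compile(r"^/catalog/([^/]+)$"), "find"),
    (re.compile(r"^/node/([^/]+)$"), "find"),
    (re.compile(r"^/report/([^/]+)$"), "save"),
]
# Matches the bare "Forbidden request" line, not its "Denying access:" twin,
# so each denial is counted once.
DENIAL = re.compile(
    r"\]: Forbidden request: (?P<name>[^\s(]+)\((?P<ip>[^)]+)\) "
    r"access to (?P<path>\S+) \[(?P<method>\w+)\]"
)

def compare(a, b):
    """Classify how two node names differ."""
    if a == b:
        return "exact"
    if a.lower() == b.lower():
        return "case_only"
    return "different"

def triage(log_text, certname):
    """Return one record per denial showing the names involved."""
    records = []
    for m in DENIAL.finditer(log_text):
        rec = m.groupdict()
        rec["rule"] = "other"
        for pattern, method in SELF_RULES:
            hit = pattern.match(rec["path"])
            if hit and method == rec["method"]:
                rec["rule"] = "allow $1"
                rec["requester_vs_path"] = compare(rec["name"], hit.group(1))
                rec["path_vs_certname"] = compare(hit.group(1), certname)
        if rec["rule"] == "other" and rec["path"].startswith("/file"):
            rec["rule"] = "allow *"  # the `path /file` rule in the post
        records.append(rec)
    return records

if __name__ == "__main__":
    for r in triage(LOG, CERTNAME):
        print(r)
```

On the lines above, the requester name logged for the /node request differs from the name in the path (it lacks the `4019_` prefix), and the name in the path differs from the configured certname only in letter case.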
