Just to add: in the puppet masterlog it shows the lines below. What causes the "Could not resolve 192.168.2.3: no name for 192.168.2.3"?

I'm running inside Eucalyptus, where the domainname is strange. Also, with exactly the same configuration/certs, if I run puppetmasterd directly, it works fine.

Thanks a lot!

-Yushu

Aug 13 23:43:22 ubuntu puppetmasterd[10619]: Handling request: GET /production/certificate_revocation_list/ca
Aug 13 23:43:22 ubuntu puppetmasterd[10619]: Could not resolve 192.168.2.3: no name for 192.168.2.3
Aug 13 23:43:22 ubuntu puppetmasterd[10619]: (access[/]) defaulting to no access for 192.168.2.3
Aug 13 23:43:22 ubuntu puppetmasterd[10619]: Denying access: Forbidden request: 192.168.2.3(192.168.2.3) access to /certificate_revocation_list/ca [find] at line 93
Aug 13 23:43:22 ubuntu puppetmasterd[10619]: Forbidden request: 192.168.2.3(192.168.2.3) access to /certificate_revocation_list/ca [find] at line 93

On Aug 13, 3:18 pm, Yushu Yao <yao.yu...@gmail.com> wrote:
> Hi Experts,
>
> I'm trying to run puppet via passenger _ apache2 on ubuntu 10.04 64bit and it refuses to work with an error:
>
> *err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: 192.168.2.3(192.168.2.3) access to /certificate_revocation_list/ca [find] at line 93*
>
> I googled around and found this problem was discussed some time ago, but there was no clear fix.
>
> Any help is appreciated.
>
> A side question is where are the logs of puppetmaster stored? They are not in /var/log/messages nor $logdir/*
>
> Thanks a lot.
>
> -Yushu
>
> *dpkg -l|grep apache*
>
> ii  apache2                   2.2.14-5ubuntu8  Apache HTTP Server metapackage
> ii  apache2-mpm-worker        2.2.14-5ubuntu8  Apache HTTP Server - high speed threaded mod
> ii  apache2-utils             2.2.14-5ubuntu8  utility programs for webservers
> ii  apache2.2-bin             2.2.14-5ubuntu8  Apache HTTP Server common binary files
> ii  apache2.2-common          2.2.14-5ubuntu8  Apache HTTP Server common files
> ii  libapache2-mod-passenger  2.2.7debian-1    Rails and Rack support for Apache2
> ii  libapache2-mod-wsgi       2.8-2ubuntu1     Python WSGI adapter module for Apache
>
> *dpkg -l|grep ruby*
> ii  libaugeas-ruby1.8    0.2.0-2ubuntu3  Augeas bindings for the Ruby language
> ii  libopenssl-ruby      4.2             OpenSSL interface for Ruby
> ii  libopenssl-ruby1.8   1.8.7.249-2     OpenSSL interface for Ruby 1.8
> ii  librack-ruby         1.1.0-3         A modular Ruby webserver interface
> ii  librack-ruby1.8      1.1.0-3         A modular Ruby webserver interface (Ruby 1.8
> ii  libreadline-ruby1.8  1.8.7.249-2     Readline interface for Ruby 1.8
> ii  libruby              4.2             Libraries necessary to run Ruby 1.8.x
> ii  libruby1.8           1.8.7.249-2     Libraries necessary to run Ruby 1.8
> ii  libshadow-ruby1.8    1.4.1-8build1   Interface of shadow password for Ruby 1.8
> ii  libxmlrpc-ruby       4.2             transitional dummy package
> ii  rdoc                 4.2             Generate documentation from ruby source file
> ii  ruby                 4.2             An interpreter of object-oriented scripting
> ii  ruby1.8              1.8.7.249-2     Interpreter of object-oriented scripting lan
> ii  rubygems             1.3.5-1ubuntu2  package management framework for Ruby librar
> ii  rubygems1.8          1.3.5-1ubuntu2  package management framework for Ruby librar
>
> *cat ../puppetrack/puppetmasterd/config.ru *
> # a config.ru, for use with every rack-compatible webserver.
> # SSL needs to be handled outside this, though.
>
> # if puppet is not in your RUBYLIB:
> # $:.unshift('/opt/puppet/lib')
>
> $0 = "puppetmasterd"
> require 'puppet'
>
> # if you want debugging:
> ARGV << "--debug"
>
> ARGV << "--rack"
> require 'puppet/application/puppetmasterd'
> # we're usually running inside a Rack::Builder.new {} block,
> # therefore we need to call run *here*.
> run Puppet::Application[:puppetmasterd].run
>
> *cat /etc/puppet/puppet.conf*
> [main]
> pluginsync = true
>
> [puppetmasterd]
> confdir=/opt/cloudcrv/puppet
> vardir=/opt/cloudcrv/varpuppet
> ssldir = $vardir/ssl
> user = cloudcrv
>
> # The Puppet log directory.
> # The default value is '$vardir/log'.
> logdir = $vardir/log
>
> # Where Puppet PID files are kept.
> # The default value is '$vardir/run'.
> rundir = $vardir/run
>
> # Where SSL certificates are kept.
> # The default value is '$confdir/ssl'.
> ssldir = $vardir/ssl
>
> rails_loglevel = debug
>
> *cat /etc/apache2/sites-available/puppetmaster *
>
> # you probably want to tune these settings
> PassengerHighPerformance on
> PassengerMaxPoolSize 12
> PassengerPoolIdleTime 1500
> # PassengerMaxRequests 1000
> PassengerStatThrottleRate 120
> RackAutoDetect Off
> RailsAutoDetect Off
>
> Listen 8140
>
> <VirtualHost *:8140>
>     ServerName 192.168.2.4
>     SSLEngine on
>     SSLProtocol -ALL +SSLv3 +TLSv1
>     SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
>
>     SSLCertificateFile /opt/cloudcrv/varpuppet/ssl/certs/192.168.2.4.pem
>     SSLCertificateKeyFile /opt/cloudcrv/varpuppet/ssl/private_keys/192.168.2.4.pem
>     SSLCertificateChainFile /opt/cloudcrv/varpuppet/ssl/ca/ca_crt.pem
>     SSLCACertificateFile /opt/cloudcrv/varpuppet/ssl/ca/ca_crt.pem
>     # If Apache complains about invalid signatures on the CRL, you can try disabling
>     # CRL checking by commenting the next line, but this is not recommended.
>     #SSLCARevocationFile /opt/cloudcrv/varpuppet/ssl/ca/ca_crl.pem
>     SSLVerifyClient optional
>     SSLVerifyDepth 1
>     SSLOptions +StdEnvVars
>
>     DocumentRoot /opt/cloudcrv/puppetrack/puppetmasterd/public
>     RackBaseURI /
>     <Directory /opt/cloudcrv/puppetrack/puppetmasterd/public>
>         Options None
>         AllowOverride None
>         Order allow,deny
>         allow from all
>     </Directory>
> </VirtualHost>
>
> *Client Error Message:*
> -bash-3.2# puppetd --test --debug --server=192.168.2.4 --trace
> debug: Puppet::Type::User::ProviderLdap: true value when expecting false
> debug: Puppet::Type::User::ProviderUser_role_add: file rolemod does not exist
> debug: Puppet::Type::User::ProviderPw: file pw does not exist
> debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
> debug: Failed to load library 'ldap' for feature 'ldap'
> debug: /File[/etc/puppet/ssl/private_keys/192.168.2.3.pem]: Autorequiring File[/etc/puppet/ssl/private_keys]
> debug: /File[/var/lib/puppet/log]: Autorequiring File[/var/lib/puppet]
> debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ssl]
> debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
> debug: /File[/var/lib/puppet/clientbucket]: Autorequiring File[/var/lib/puppet]
> debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring File[/etc/puppet/ssl]
> debug: /File[/var/lib/puppet/state/graphs]: Autorequiring File[/var/lib/puppet/state]
> debug: /File[/etc/puppet/ssl/certs/192.168.2.3.pem]: Autorequiring File[/etc/puppet/ssl/certs]
> debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring File[/etc/puppet/ssl/certs]
> debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
> debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/puppet/ssl]
> debug: /File[/var/lib/puppet/run]: Autorequiring File[/var/lib/puppet]
> debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet]
> debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ssl]
> debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
> debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/puppet/ssl]
> debug: /File[/var/lib/puppet/client_yaml]: Autorequiring File[/var/lib/puppet]
> debug: Finishing transaction 70037710483600 with 0 changes
> debug: /File[/var/lib/puppet/log]: Autorequiring File[/var/lib/puppet]
> debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring File[/etc/puppet/ssl]
> debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
> debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
> debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/puppet/ssl]
> debug: /File[/etc/puppet/ssl/certs/192.168.2.3.pem]: Autorequiring File[/etc/puppet/ssl/certs]
> debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ssl]
> debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet]
> debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring File[/etc/puppet/ssl/certs]
> debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ssl]
> debug: /File[/etc/puppet/ssl/private_keys/192.168.2.3.pem]: Autorequiring File[/etc/puppet/ssl/private_keys]
> debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/puppet/ssl]
> debug: /File[/var/lib/puppet/run]: Autorequiring File[/var/lib/puppet]
> debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
> debug: Finishing transaction 70037709988180 with 0 changes
> debug: Using cached certificate for ca
> debug: Using cached certificate for 192.168.2.3
> debug: Finishing transaction 70037709743040 with 0 changes
> debug: Using cached certificate for ca
> debug: Using cached certificate for 192.168.2.3
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:55:in `deserialize'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:202:in `find'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:51:in `find'
> /usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:215:in `ssl_store'
> /usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:56:in `cert_setup'
> /usr/lib/ruby/site_ruby/1.8/puppet/network/http_pool.rb:98:in `http_instance'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:65:in `network'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/rest.rb:69:in `find'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:202:in `find'
> /usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:51:in `find'
> /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:208:in `retrieve_new_catalog'
> /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:418:in `thinmark'
> /usr/lib/ruby/1.8/benchmark.rb:293:in `measure'
> /usr/lib/ruby/1.8/benchmark.rb:307:in `realtime'
> /usr/lib/ruby/site_ruby/1.8/puppet/util.rb:417:in `thinmark'
> /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:207:in `retrieve_new_catalog'
> /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:104:in `retrieve_catalog'
> /usr/lib/ruby/site_ruby/1.8/puppet/configurer.rb:142:in `run'
> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
> /usr/lib/ruby/site_ruby/1.8/puppet/agent/locker.rb:21:in `lock'
> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
> /usr/lib/ruby/1.8/sync.rb:229:in `synchronize'
> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:53:in `run'
> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:134:in `with_client'
> /usr/lib/ruby/site_ruby/1.8/puppet/agent.rb:51:in `run'
> /usr/lib/ruby/site_ruby/1.8/puppet/application/puppetd.rb:103:in `onetime'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `send'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:226:in `run_command'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:306:in `exit_on_fail'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:217:in `run'
> /usr/sbin/puppetd:160
> err: Could not retrieve catalog from remote server: Error 403 on SERVER: Forbidden request: 192.168.2.3(192.168.2.3) access to /certificate_revocation_list/ca [find] at line 93
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run