On Thu, 26 Aug 2010 22:34:59 +0200
Brice Figureau <brice-pup...@daysofwonder.com> wrote:

> On 26/08/10 21:55, Dan Urist wrote:
> > I'm trying to set up a puppetmaster under unicorn using the ubuntu
> > maverick packages (currently at version 2.6.1rc2), and I'm getting
> > the following error:
> > 
> > r...@test.puppet.cms.ucar.edu $ puppetd -t
> > err: Could not retrieve catalog from remote server: Error 403 on
> > SERVER: Forbidden request:
> > test.puppet.cms.ucar.edu(128.117.224.193) access
> > to /catalog/test.puppet.cms.ucar.edu [find] at line 98 warning: Not
> > using cache on failed catalog err: Could not retrieve catalog;
> > skipping run
> > 
> > I'm using the standard auth.conf, but if I turn off auth by adding
> > this to the top of the file everything works:
> > 
> > path /
> > auth no
> > allow *
> 
> Of course you understand the security risk if you run with this
> auth.conf :)

Yes, I just tried this for testing.

> > Has anyone seen this, or know of a workaround?
> 
> The usual cause is that the SSL end point didn't propagate to the
> master the fact that this node's certificate validates.
> 
> This is usually done by adding some HTTP headers in the request, and
> you need to tell puppet what those headers are.
> For rack you need to set:
> 
> [puppetmasterd]
> ssl_client_header = SSL_CLIENT_S_DN
> ssl_client_verify_header = SSL_CLIENT_VERIFY

I have this, but it's under "master" rather than "puppetmasterd". I've
tried it under "puppetmasterd" and I'm getting the same failure.

> Of course you also need to configure the ssl endpoint to set those
> headers when the certificate is valid (and also when it's invalid).
> You didn't mention what the SSL endpoint was in your configuration so
> I can't really help for this.

I'm using nginx, and I've followed the docs at:
http://projects.puppetlabs.com/projects/1/wiki/Using_Unicorn

The relevant parts of my nginx config, per the doc, are: 

>         proxy_set_header Host $host;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header X-Client-Verify $ssl_client_verify; 
>         proxy_set_header X-Client-DN $ssl_client_s_dn;
>         proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
>         proxy_read_timeout 120;

So as far as I can see, those headers are being set. Any hints on
debugging this?
-- 
Dan Urist
dur...@ucar.edu
303-497-2459
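An added diagnostic for the situation in this thread (my own script, not code from the thread or from Puppet): a Rack application sees a proxied request header such as X-Client-DN under the CGI-style env key HTTP_X_CLIENT_DN, so the script maps each nginx proxy_set_header name to that env key and reports which ssl_client_header / ssl_client_verify_header values match no header the proxy actually sets. The header names and settings below are the ones quoted in the thread; a missing setting or an unmatched value is exactly what leaves the master unable to see that the node's certificate verified.

```ruby
# Rack/CGI convention assumed here: header "X-Client-DN" -> env "HTTP_X_CLIENT_DN".
# Constructed sample input: the nginx and puppet.conf lines quoted in the thread.

NGINX_CONF = <<~CONF
  proxy_set_header Host $host;
  proxy_set_header X-Client-Verify $ssl_client_verify;
  proxy_set_header X-Client-DN $ssl_client_s_dn;
CONF

PUPPET_CONF = <<~CONF
  [master]
  ssl_client_header = SSL_CLIENT_S_DN
  ssl_client_verify_header = SSL_CLIENT_VERIFY
CONF

# Env key under which a proxied request header is visible to a Rack app.
def rack_env_key(header_name)
  "HTTP_" + header_name.upcase.tr("-", "_")
end

# {header name => nginx variable it carries} for every proxy_set_header line.
def proxied_headers(nginx_conf)
  nginx_conf.scan(/^\s*proxy_set_header\s+(\S+)\s+(\S+?);/).to_h
end

# {setting => value} for the two header settings the master reads.
def puppet_header_settings(puppet_conf)
  puppet_conf.scan(/^\s*(ssl_client(?:_verify)?_header)\s*=\s*(\S+)/).to_h
end

# Settings whose value matches no env key the proxy produces; empty means OK.
def mismatched_settings(nginx_conf, puppet_conf)
  env_keys = proxied_headers(nginx_conf).keys.map { |h| rack_env_key(h) }
  puppet_header_settings(puppet_conf).reject { |_, v| env_keys.include?(v) }
end

# Values the settings would need for the headers this nginx snippet sets.
def suggested_settings(nginx_conf)
  by_var = proxied_headers(nginx_conf).invert
  { "ssl_client_header" => rack_env_key(by_var["$ssl_client_s_dn"]),
    "ssl_client_verify_header" => rack_env_key(by_var["$ssl_client_verify"]) }
end

if __FILE__ == $PROGRAM_NAME
  mismatched_settings(NGINX_CONF, PUPPET_CONF).each { |k, v| puts "#{k} = #{v}: no proxied header maps to this env key" }
  suggested_settings(NGINX_CONF).each { |k, v| puts "suggest #{k} = #{v}" }
end
```

The proxy must set both headers on every request, valid certificate or not, so that whatever value the master reads always comes from nginx and never from the client.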
