Kevin, I'm not sure I perfectly understand your setup but I reckon your problem is that ...
Excerpts from linuxbsdfreak's message of Fri Jul 08 14:48:19 +0200 2011:
> [...]
> Following are the nginx/puppet.conf configs of loadbalancer01
> ----------------------------------------------------------------------------------
>
> [main]
> logdir = /var/log/puppet
> rundir = /var/run/puppet
> ssldir = $vardir/ssl
>
> [agent]
> classfile = $vardir/classes.txt
> localconfig = $vardir/localconfig
> server = loadbalancer01
> listen = true
>
> [master]
> ssl_client_header = SSL_CLIENT_S_DN
> ssl_client_verify_header = SSL_CLIENT_VERIFY
> ca = false

... SSL_CLIENT_S_DN and SSL_CLIENT_VERIFY don't exist because nginx and puppetmaster don't speak SSL anymore at this point, only plain HTTP.

Referring to your nginx configuration below:

> --------------- puppetmasterlb.conf ----------
> [...]
> proxy_redirect off;
> proxy_set_header Host $host;
> proxy_set_header X-Real-IP $remote_addr;
> proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> proxy_set_header X-Client-Verify $ssl_client_verify;
> proxy_set_header X-Client-DN $ssl_client_s_dn;
> proxy_set_header X-SSL-Subject $ssl_client_s_dn;
> proxy_set_header X-SSL-Issuer $ssl_client_i_dn;

... you are setting the values the puppetmaster needs in the X-Client-Verify and X-Client-DN HTTP headers. Therefore, you could try changing your puppetmaster settings to read:

[master]
ssl_client_header = HTTP_X_CLIENT_DN
ssl_client_verify_header = HTTP_X_CLIENT_VERIFY

> However I get the following error while trying to receive the catalog:
>
> notice: Ignoring --listen on onetime run
> err: Could not retrieve catalog from remote server: Error 403 on
> SERVER: Forbidden request: pclient(192.168.122.12) access to /
> certificate_revocation_list/ca [find] at line 93
> warning: Not using cache on failed catalog
>
> - I think this may be related to the auth.conf

I would suspect that this error is only a side effect.
Your client is not considered authenticated by the master and therefore gets denied access to whatever resource it is asking for.

> --- Auth.conf on loadbalancer01
> [...]
> # allow all nodes to access the certificates services
> path /certificate_revocation_list/ca
> method find
> allow *
>

No "auth no" found here, which would explain...

Hope this helps !

Cheers,
Marc
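To make the header-name point above concrete, here is an added Python example (not code from this thread or from Puppet) that models the two hops: nginx forwarding the client-certificate results in X-Client-Verify / X-Client-DN, and a Rack-hosted master looking them up under their CGI-style names. The authentication check is a simplified model of the master's behaviour, and the header values are constructed.

```python
import re
from typing import Dict, Optional

# Constructed sample of what nginx forwards with the proxy_set_header lines
# quoted above (made-up values; $ssl_client_s_dn in the one-line OpenSSL form).
NGINX_PROXY_HEADERS: Dict[str, str] = {
    "X-Client-Verify": "SUCCESS",
    "X-Client-DN": "/C=DE/O=Example/CN=agent01.example.com",
}
# Same agent without a client certificate: nginx sets NONE and an empty DN.
NGINX_HEADERS_NO_CERT: Dict[str, str] = {"X-Client-Verify": "NONE", "X-Client-DN": ""}


def header_to_cgi_env(header_name: str) -> str:
    """CGI/Rack environment name of a request header: X-Client-DN -> HTTP_X_CLIENT_DN.

    This is why puppet.conf must name HTTP_X_CLIENT_DN once nginx terminates TLS:
    the mod_ssl-style SSL_CLIENT_S_DN variable is never set on a plain-HTTP hop.
    """
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_rack_env(proxy_headers: Dict[str, str]) -> Dict[str, str]:
    """Environment the Rack-hosted puppetmaster sees for the forwarded headers."""
    return {header_to_cgi_env(k): v for k, v in proxy_headers.items()}


def authenticated_client(env: Dict[str, str], ssl_client_header: str,
                         ssl_client_verify_header: str) -> Optional[str]:
    """CN of the client if the master would treat the request as authenticated.

    Modeled on the master's check (an assumption, not the project's own code): the
    verify variable must read SUCCESS and a CN must be found in the DN variable.
    Anything else is anonymous, and an auth.conf rule without 'auth no' then
    rejects it with the 403 quoted above.
    """
    if env.get(ssl_client_verify_header) != "SUCCESS":
        return None
    match = re.search(r"CN\s*=\s*([^,/]+)", env.get(ssl_client_header, ""))
    return match.group(1).strip() if match else None


if __name__ == "__main__":
    env = build_rack_env(NGINX_PROXY_HEADERS)
    # Original puppet.conf looks for variables that do not exist -> None (anonymous).
    print(authenticated_client(env, "SSL_CLIENT_S_DN", "SSL_CLIENT_VERIFY"))
    # Corrected puppet.conf reads the headers nginx actually forwards -> the CN.
    print(authenticated_client(env, "HTTP_X_CLIENT_DN", "HTTP_X_CLIENT_VERIFY"))
```

Because the master now trusts whatever arrives in these two headers, the plain-HTTP backend should only be reachable through the nginx instance that sets them.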