Michael, Thanks for the quick response. I'll take a closer look at the instructions and see if they work in my environment.
I appreciate the thoughtful reply.

Cheers,
Justin

On Monday, June 18, 2012 12:31:28 PM UTC-5, Michael Altfield wrote:
>
> jbrown,
>
> Sorry for not posting my solution. I've been working on this install for
> weeks, and I *did* overcome this error, but I've had to overcome so many
> errors, I can't recall the exact fix. iirc, the solution might have been
> installing rubygem-rack through yum as opposed to gems.
>
> In any case, here's the commands I have come up with to successfully
> install Puppet Master & puppet-dashboard on CentOS 6.2. (Note: this is
> incomplete: I'm still working on getting the Inventory Service up and
> running, and this install procedure still needs some hardening). FWIW:
>
> # run this on just the Puppet Master, which should be running CentOS 6
>
> # Generate Entropy for random-seed from Gold Image for Cert Generation
>
> wget -O /var/lib/random-seed http://www.random.org/cgi-bin/randbyte?nbytes=200
> # Configure DNS
>
> echo "10.10.10.2 dashboard puppet" >> /etc/hosts
>
> # skip this if DNS is setup properly
> echo "10.10.10.3 puppetnode-01 puppetnode-01.mydomain.com" >> /etc/hosts
> echo "10.10.10.4 puppetnode-02 puppetnode-02.mydomain.com" >> /etc/hosts
> # …
> # Add Repository - yum.puppetlabs.com
>
> cat > /etc/yum.repos.d/puppetlabs.repo <<DELIM
> [puppetlabs]
> name=puppetlabs
> enabled=1
> baseurl=http://yum.puppetlabs.com/el/6/products/x86_64/
> gpgcheck=0
>
> DELIM
> # Add Repository - EPEL
>
> rpm -ivh https://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-7.noarch.rpm
>
> # Apply Changes to yum
> yum -y update
> # Install Dependencies - yum
>
> yum -y install gcc-c++ make httpd httpd-devel mod_ssl puppet ruby-devel rubygem-rack curl-devel openssl-devel zlib-devel
> # Install Dependencies - passenger
>
> # this next command tends to fail 10% of the time with "ERROR:
> # http://rubygems.org/ does not appear to be a repository". If this
> # happens, just try again in a few minutes. The website is probably
> # experiencing overload.
> gem install passenger
> passenger-install-apache2-module -a
> # Configure Puppet
>
> # create backup
> cp /etc/puppet/puppet.conf /etc/puppet/puppet.conf.`date "+%Y%m%d%H%M%S"`.orig
>
> # clobber old puppet.conf (the delimiter is quoted so that $vardir and
> # $confdir below are written literally instead of being expanded by the shell)
> cat > /etc/puppet/puppet.conf << 'DELIM'
> [main]
> logdir = /var/log/puppet
> vardir = /var/lib/puppet
> confdir = /etc/puppet
> ssldir = /var/lib/puppet/ssl
> rundir = /var/run/puppet
> factpath = $vardir/lib/facter
> templatedir = $confdir/templates
>
> [master]
> certname = 12345
> dns_alt_names = puppet,dashboard,1234,12345
> ssl_client_header = SSL_CLIENT_S_DN
> ssl_client_verify_header = SSL_CLIENT_VERIFY
>
> reports = store, http
> reporturl = http://12345:8080/reports/upload
>
> [agent]
> server = dashboard
> report = true
>
> [cert]
> autosign = false
>
> DELIM
>
> # replace all instances of 12345 in puppet.conf with the FQDN
> sed -e s,12345,`hostname`,g -i /etc/puppet/puppet.conf
> # Puppet Master config.ru - Create
>
> mkdir -p /usr/share/puppet/rack/puppetmasterd
> mkdir /usr/share/puppet/rack/puppetmasterd/public
> mkdir /usr/share/puppet/rack/puppetmasterd/tmp
>
> cat > /usr/share/puppet/rack/puppetmasterd/config.ru <<DELIM
> ARGV << "--rack"
> require 'puppet/application/master'
> run Puppet::Application[:master].run
> #eof
>
> DELIM
> # Puppet Master config.ru - Permissions
>
> chown puppet /usr/share/puppet/rack/puppetmasterd/config.ru
> # Configure puppet-master.conf - Apache vhost
>
> cat > /etc/httpd/conf.d/puppet-master.conf << DELIM
> ## Puppetmaster Apache Vhost Configuration
>
> # Update the paths of the next 2 lines to match your installed version of passenger
> LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-3.0.13/ext/apache2/mod_passenger.so
> PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-3.0.13
> PassengerRuby /usr/bin/ruby
>
> ## Passenger Limits
> PassengerHighPerformance On
> PassengerMaxPoolSize 12
> PassengerPoolIdleTime 1500
> PassengerMaxRequests 1000
> PassengerStatThrottleRate 120
> RackAutoDetect Off
> RailsAutoDetect Off
>
> Listen 8140
>
> <VirtualHost *:8140>
>     ServerName puppetmaster-01.mydomain.com
>
>     SSLEngine on
>     SSLCipherSuite SSLv2:-LOW:-EXPORT:RC4+RSA
>
>     SSLCertificateFile /var/lib/puppet/ssl/certs/12345.pem
>     SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/12345.pem
>     SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
>     SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
>
>     ## CRL checking should be enabled; if you have problems with
>     ## Apache complaining about the CRL, disable the next line
>     SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
>     SSLVerifyClient optional
>     SSLVerifyDepth 1
>     SSLOptions +StdEnvVars
>
>     ## The following client headers allow the same configuration
>     ## to work with Pound.
>     RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
>     RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
>     RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
>
>     RackAutoDetect On
>
>     DocumentRoot /usr/share/puppet/rack/puppetmasterd/public
>
>     <Directory "/usr/share/puppet/rack/puppetmasterd">
>         Options None
>         AllowOverride None
>         Order allow,deny
>         allow from all
>     </Directory>
> </VirtualHost>
>
> DELIM
>
> # replace all instances of 12345 in puppet-master.conf with the hostname
> sed -e s,12345,`hostname`,g -i /etc/httpd/conf.d/puppet-master.conf
> # Generate Puppet Master Certificates
>
> # run this command to generate the puppet master certificates. Once you
> # see the line:
> # "notice: Signed certificate request for puppetmaster-01.mydomain.com"
> # you should press ctrl+c to shutdown the WEBrick-powered puppet master process
> # and proceed with the installation below
>
> puppet master --verbose --no-daemonize --debug
> # Start Puppet Master in Apache
>
> service httpd start
> # Install puppet-dashboard Dependencies
>
> yum -y install ruby-mysql rubygem-rake mysql mysql-server
> # Install puppet-dashboard
>
> yum -y install puppet-dashboard
> # Start mysql server
>
> service mysqld start
> # Set mysql server's root password
>
> mysqladmin -u root password 'password'
> # Create production/development DB
>
> mysql -u root -p << DELIM
> CREATE DATABASE dashboard CHARACTER SET utf8;
> CREATE USER 'dashboard'@'localhost' IDENTIFIED BY 'password';
> GRANT ALL PRIVILEGES ON dashboard.* to 'dashboard'@'localhost';
>
> DELIM
> # Configure puppet-dashboard - database.yml
>
> cd /usr/share/puppet-dashboard
>
> # create backup
> cp /usr/share/puppet-dashboard/config/database.yml /usr/share/puppet-dashboard/config/database.yml.`date "+%Y%m%d%H%M%S"`.orig
>
> # clobber old database.yml
> cat > /usr/share/puppet-dashboard/config/database.yml << DELIM
> production:
>   adapter: mysql
>   database: dashboard
>   username: dashboard
>   password: password
>   encoding: utf8
>
> development:
>   adapter: mysql
>   database: dashboard
>   username: dashboard
>   password: password
>   encoding: utf8
>
> test:
>   adapter: mysql
>   database: dashboard_test
>   username: dashboard_test
>   password: password
>   encoding: utf8
>
> DELIM
>
> # create DB tables
> rake db:migrate
> # Create settings.yml
>
> # create from example
> cp config/settings.yml.example config/settings.yml
>
> # modify
> sed "s^cn_name:.*^cn_name: 'dashboard'^" -i config/settings.yml
> #sed "s^ca_crl_path:.*^#ca_crl_path: ''^" -i config/settings.yml
> #sed "s^ca_certificate_path:.*^#ca_certificate_path: ''^" -i config/settings.yml
> #sed "s^certificate_path:.*^certificate_path: 'certs/puppet-dashboard.crt'^" -i config/settings.yml
> #sed "s^private_key_path:.*^private_key_path: 'certs/puppet-dashboard.prv'^" -i config/settings.yml
> #sed "s^public_key_path:.*^#public_key_path: ''^" -i config/settings.yml
> sed "s^ca_server:.*^ca_server: '`hostname`'^" -i config/settings.yml
> # Generate puppet-dashboard Keypair
>
> # TODO: min permissions
> chmod -R 777 /usr/lib/ruby/gems/1.8/gems/rake-*
> chmod 755 /usr/lib/ruby/gems/1.8/specifications/*.gemspec
> mkdir certs
> chown puppet-dashboard certs
>
> sudo -u puppet-dashboard rake cert:create_key_pair
> # Request puppet-dashboard Cert Signature from the Puppet Master
>
> # set some necessary permissions first
> chmod -R 755 /usr/share/puppet
> chown -R puppet:puppet-dashboard /usr/lib/ruby/gems/1.8/gems/passenger-*
>
> rake cert:request
> # Sign the puppet-dashboard certs
>
> puppet cert sign dashboard
> # Retrieve remaining certificate files
>
> sudo -u puppet-dashboard rake cert:retrieve
> # Update external_node script (see Configuring puppet-dashboard)
>
> # create backup
> cp bin/external_node bin/external_node.`date "+%Y%m%d%H%M%S"`.orig
>
> # modify
> sed 's%^DASHBOARD_URL.*:.*%DASHBOARD_URL = "https://localhost:443"%' -i bin/external_node
> sed 's%^CERT_PATH.*%CERT_PATH = "/var/lib/puppet/ssl/certs/12345.pem"%' -i bin/external_node
> sed 's%^PKEY_PATH.*%PKEY_PATH = "/var/lib/puppet/ssl/private_keys/12345.pem"%' -i bin/external_node
> sed 's%^CA_PATH.*%CA_PATH = "/var/lib/puppet/ssl/certs/ca.pem"%' -i bin/external_node
>
> # replace all instances of 12345 with the hostname
> sed -e s,12345,`hostname`,g -i bin/external_node
> # Disable ssl.conf vhost so that puppet-dashboard is the only *:443 vhost
>
> # remove the <VirtualHost … </VirtualHost> stanza entirely
> cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.`date "+%Y%m%d%H%M%S"`.orig
> vim /etc/httpd/conf.d/ssl.conf
> # Configure puppet-dashboard.conf - Apache vhost
>
> cat > /etc/httpd/conf.d/puppet-dashboard.conf << DELIM
> ## puppet-dashboard Apache Vhost Configuration
>
> <VirtualHost *:443>
>
>     SSLEngine On
>     SSLProtocol -ALL +SSLv3 +TLSv1
>     SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
>
>     SSLCertificateFile /usr/share/puppet-dashboard/certs/dashboard.cert.pem
>     SSLCertificateKeyFile /usr/share/puppet-dashboard/certs/dashboard.private_key.pem
>     SSLCACertificateFile /usr/share/puppet-dashboard/certs/dashboard.ca_cert.pem
>
>     # If Apache complains about invalid signatures on the CRL, you can try disabling
>     # CRL checking by commenting the next line, but this is not recommended
>     SSLCARevocationFile /usr/share/puppet-dashboard/certs/dashboard.ca_crl.pem
>
>     SSLVerifyClient optional
>     SSLVerifyDepth 1
>     SSLOptions +StdEnvVars
>
>     RackAutoDetect On
>     RackBaseURI /
>
>     # If debugging, comment this next line to use the "development" env
>     SetEnv RAILS_ENV production
>
>     ServerName puppetmaster-01.mydomain.com
>     DocumentRoot /usr/share/puppet-dashboard/public/
>     <Directory /usr/share/puppet-dashboard/public/>
>         Options None
>         AllowOverride None
>         Order allow,deny
>         Allow from all
>     </Directory>
>
>     # For report submission from masters.
>     <Location /reports/upload>
>         <Limit POST>
>             # Configuration restricts HTTP actions to POST only
>             Order allow,deny
>             Allow from 127.0.0.1
>             Allow from all
>             Satisfy any
>         </Limit>
>     </Location>
>
>     # For node definitions from masters.
>     <Location /nodes>
>         <Limit GET>
>             # Configuration restricts HTTP actions to GET only
>             Order allow,deny
>             Allow from 127.0.0.1
>             Allow from all
>             Satisfy any
>         </Limit>
>     </Location>
>
>     # For web access by humans.
>     <Location />
>         Order allow,deny
>         Satisfy any
>         AuthName "Puppet Dashboard"
>         AuthType Basic
>         AuthUserFile /usr/share/puppet-dashboard/.htpasswd
>         Require valid-user
>     </Location>
>
>     ServerSignature On
>
>     # Logs
>     ErrorLog /var/log/httpd/puppet-dashboard_error.log
>     LogLevel warn
>     CustomLog /var/log/httpd/puppet-dashboard_access.log combined
>     CustomLog /var/log/httpd/puppet-dashboard_ssl-request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> </VirtualHost>
>
> # This redundant vhost is a hack that allows the puppet master to submit reports
> # over http (see this thread for more info:
> # https://groups.google.com/forum/?fromgroups#!topic/puppet-users/7EmUtw87-pw/discussion)
> # DO NOT USE THIS CONFIGURATION IF YOUR PUPPET MASTER IS NOT ON THE SAME SERVER
> # AS PUPPET-DASHBOARD! If these 2 services are on different machines, you will
> # be sending all your report data unencrypted across the network.
> # Also, DON'T FORGET TO CONFIGURE YOUR LOCAL FIREWALL to block all access to
> # port 8080, except from 127.0.0.1
>
> Listen 8080
> <VirtualHost *:8080>
>
>     RackAutoDetect On
>     RackBaseURI /
>
>     # If debugging, comment this next line to use the "development" env
>     SetEnv RAILS_ENV production
>
>     ServerName puppetmaster-01.mydomain.com
>     DocumentRoot /usr/share/puppet-dashboard/public/
>     <Directory /usr/share/puppet-dashboard/public/>
>         Options None
>         AllowOverride None
>         Order allow,deny
>         Allow from all
>     </Directory>
>
>     ServerSignature On
>
>     # Logs
>     ErrorLog /var/log/httpd/puppet-dashboard-8080.log
>     LogLevel warn
>     CustomLog /var/log/httpd/puppet-dashboard-8080.log combined
>     CustomLog /var/log/httpd/puppet-dashboard-8080-request.log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> </VirtualHost>
>
> DELIM
> # Create .htpasswd file for Basic Apache Auth to puppet-dashboard
>
> htpasswd -c /usr/share/puppet-dashboard/.htpasswd hosting
> # puppet-dashboard config.ru
>
> # TODO: determine if this is necessary
> cp /usr/share/puppet-dashboard/vendor/rails/railties/dispatches/config.ru /usr/share/puppet-dashboard/
> chown puppet-dashboard:puppet-dashboard /usr/share/puppet-dashboard/config.ru
> # Optimize - mysql
>
> # (increase mysql's max_allowed_packet to 32 megabytes) see official
> # puppet-dashboard install guide
> sed 's/\[mysqld_safe\]/max_allowed_packet = 32M\n\n\[mysqld_safe\]/' --in-place=.`date "+%Y%m%d%H%M%S"`.orig /etc/my.cnf
>
> # apply configuration changes
> service mysqld restart
> # Configure iptables
>
> # TODO
> iptables -F
> # Disable Puppet-related Daemons
>
> /etc/init.d/puppet stop
> /etc/init.d/puppet-dashboard stop
> /etc/init.d/httpd stop
> # Prevent WEBrick-powered services from starting on boot
>
> chkconfig puppet off
> chkconfig puppet-dashboard off
> # Make necessary services start on boot
>
> chkconfig puppet-dashboard-workers on
> chkconfig httpd on
> # Restart Apache to start puppet-dashboard
>
> service httpd restart
> # Start the puppet-dashboard-workers process
>
> service puppet-dashboard-workers start
> # Finally, Start the Puppet Master's own Puppet Node process
>
> service puppet start
>
> On Monday, June 18, 2012 12:11:38 PM UTC-4, jbrown wrote:
>>
>> I'm having the same problem, but I never saw a solution in this thread.
>> I've been over the permissions for config.ru and /var/lib/puppet about a
>> 1000 times and can't see any permissions problems.
>>
>> -rw-------. 1 puppet puppet 431 Jun 18 00:07 /etc/puppet/rack/config.ru
>> (I've also tried 700, 770, 777, and 660. I tried changing ownership to
>> apache.apache, puppet.apache, and apache.puppet.)
>>
>> $~ ll /var/lib/puppet/
>> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 bucket
>> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:09 facts
>> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:09 lib
>> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 reports
>> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 rrd
>> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 server_data
>> drwxrwx---. 8 puppet puppet 4096 Jun 18 00:09 ssl
>> drwxrwx---. 2 puppet puppet 4096 Jun 18 00:09 state
>> drwxrwx---. 4 puppet puppet 4096 Jun 18 01:12 yaml
>>
>> Setenforce is 0.
>>
>> I even went so far as to use "PassengerUser puppet" and "PassengerGroup
>> puppet" in my vhost, but that didn't help (and has been removed).
>>
>> Could someone please help me?
>>
>> Thanks,
>> Justin
>>
>> On Wednesday, May 30, 2012 12:17:59 PM UTC-5, Michael Altfield wrote:
>>>
>>> Hello Puppet gurus,
>>>
>>> I'm trying to setup a Puppet environment on CentOS 6. I got it working
>>> using WEBrick, but when I finally got Puppet running through Apache using
>>> Passenger, my Puppet node gets this "403 Forbidden" response (full output
>>> is attached as node.txt):
>>>
>>>> [root@puppetnode-01 ~]# puppetd --waitforcert 30 --server puppetmaster.mydomain.com --debug --verbose --test
>>>>
>>>> ...
>>>>
>>>> warning: peer certificate won't be verified in this SSL session
>>>>
>>>> err: Could not request certificate: Error 403 on SERVER: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
>>>> <html><head>
>>>> <title>403 Forbidden</title>
>>>> </head><body>
>>>> <h1>Forbidden</h1>
>>>> <p>You don't have permission to access /production/certificate/ca
>>>> on this server.</p>
>>>> <hr>
>>>> <address>Apache/2.2.15 (CentOS) Server at puppetmaster.mydomain.com Port 8140</address>
>>>> </body></html>
>>>>
>>> At the same time, the httpd logs show this:
>>>
>>>> [root@dx-puppetmaster-01 ~]# tail -f /var/log/httpd/*
>>>>
>>>> ...
>>>>
>>>> ==> /var/log/httpd/error_log <==
>>>>
>>>> [Wed May 30 12:46:21 2012] [error] [client 10.230.100.155] (13)Permission denied: access to /production/certificate/ca denied
>>>>
>>>> ==> /var/log/httpd/access_log <==
>>>>
>>>> 10.230.100.155 - - [30/May/2012:12:46:21 -0400] "GET /production/certificate/ca? HTTP/1.1" 403 325 "-" "-"
>>>>
>>> The steps I used to install Puppet mostly followed the attached
>>> install.sh script (with slight modifications). I've also tried to follow
>>> this install guide <http://www.tomhayman.co.uk/linux/install-puppet-passenger-centos-6-part/>
>>> to no avail.
>>>
>>> Although I have not modified my /etc/httpd/conf/httpd.conf file, I've
>>> attached it for reference. I've also attached
>>> /etc/httpd/conf.d/passenger.conf and /usr/share/puppet/rack/puppetmasterd/config.ru.
>>> config.ru's perms are 600 puppet:root.
>>>
>>> Both of these machines are virtualized using Citrix XenServer. Here's
>>> some more info on these boxes:
>>>
>>> [root@puppetmaster-01 ~]# cat /etc/redhat-release
>>> CentOS release 6.2 (Final)
>>>
>>> [root@puppetmaster-01 ~]# uname -a
>>> Linux puppetmaster-01.datalex.com 2.6.32-220.7.1.el6.x86_64 #1 SMP Wed Mar 7 00:52:02 GMT 2012 x86_64 x86_64 x86_64 GNU/Linux
>>>
>>> Any help will be greatly appreciated! :)
>>>
>>

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/lFs7oF4dnZMJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
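The thread turns on Apache's "(13)Permission denied" for a tree owned by puppet:puppet with no "other" bits, and on which user the Passenger-spawned process ends up running as. As an added example (not code from anyone in this thread), the following Python evaluates, for an `ls -l` listing like the one jbrown posted, which entries a given Unix user could read or traverse under the ordinary owner/group/other rules; the listing is a subset copied from the thread, and the user names and group memberships tried in the test are assumptions.

```python
"""Owner/group/other permission check over an `ls -l` listing.
Added example (not code from this thread); users/groups below are assumed."""
import re
from collections import namedtuple

# "drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 bucket"; the optional '.'/'+'
# after the mode is the SELinux/ACL marker that CentOS prints.
LS_LINE = re.compile(r"^([dl-])([rwxstST-]{9})[.+]?\s+\d+\s+(\S+)\s+(\S+)\s+\d+"
                     r"\s+\S+\s+\d+\s+[\d:]+\s+(.+)$")
Entry = namedtuple("Entry", "name is_dir mode owner group")

# Constructed sample input, copied (as a subset) from the listing jbrown posted.
JBROWN_LISTING = """
-rw-------. 1 puppet puppet 431 Jun 18 00:07 /etc/puppet/rack/config.ru
drwxrwx---. 2 puppet puppet 4096 Jun 18 00:21 reports
drwxrwx---. 8 puppet puppet 4096 Jun 18 00:09 ssl
drwxrwx---. 2 puppet puppet 4096 Jun 18 00:09 state
drwxrwx---. 4 puppet puppet 4096 Jun 18 01:12 yaml
"""

def parse_ls(listing):
    """Turn `ls -l` output into Entry records; unknown lines are rejected."""
    entries = []
    for line in listing.strip().splitlines():
        m = LS_LINE.match(line.strip())
        if not m:
            raise ValueError("unrecognised ls -l line: %r" % line)
        kind, mode, owner, group, name = m.groups()
        entries.append(Entry(name, kind == "d", mode, owner, group))
    return entries

def permitted(entry, user, groups, want):
    """Classic DAC rule: the first matching class (owner, then group, then
    other) decides, as the kernel does. `want` is 'r', 'w' or 'x'."""
    if user == entry.owner:
        bits = entry.mode[0:3]
    elif entry.group in groups:
        bits = entry.mode[3:6]
    else:
        bits = entry.mode[6:9]
    ch = bits["rwx".index(want)]
    # 's'/'t' mean execute is set alongside setuid/setgid/sticky; 'S'/'T' mean
    # the flag is set but execute is not.
    return ch in "xst" if want == "x" else ch == want

def denied_entries(listing, user, groups):
    """Names the user could not read (files) or read and traverse (dirs)."""
    denied = []
    for e in parse_ls(listing):
        ok = permitted(e, user, groups, "r")
        if e.is_dir:
            ok = ok and permitted(e, user, groups, "x")
        if not ok:
            denied.append(e.name)
    return denied
```

Running `denied_entries(JBROWN_LISTING, "apache", {"apache"})` shows every entry denied to a user outside the puppet group, while the same user added to that group is denied only the 0600 config.ru; on a live box, `namei -mo <path>` gives the same walk for real directories.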