I'm having trouble getting puppetmaster to use passenger, it appears to be 
related to SSL self-signed certificates but I could be barking up the wrong 
tree...
 
Puppet Master is hosted on a CentOS 6.0 32bit machine
# yum list installed | grep puppet
facter.i386                        1:1.6.11-1.el6           @puppetlabs-products
mcollective.noarch                 2.0.0-1.el6              @puppetlabs-products
mcollective-common.noarch          2.0.0-1.el6              @puppetlabs-products
puppet.noarch                      2.7.19-1.el6             @puppetlabs-products
puppet-server.noarch               2.7.19-1.el6             @puppetlabs-products
puppetlabs-release.noarch          6-5                      @/puppetlabs-release-6-5.noarch
# gem query --local
*** LOCAL GEMS ***
abstract (1.0.0)
actionmailer (3.0.15)
actionpack (3.0.15)
activemodel (3.0.15, 3.0.10)
activerecord (3.0.15, 3.0.10)
activeresource (3.0.15)
activesupport (3.0.15, 3.0.10)
acts_as_audited (2.0.0)
ancestry (1.2.5)
arel (2.0.10)
audited (3.0.0.rc1)
audited-activerecord (3.0.0.rc1)
builder (2.1.2)
bundler (1.0.15)
daemon_controller (1.0.0)
erubis (2.6.6)
fastthread (1.0.7)
has_many_polymorphs (3.0.0.beta1)
i18n (0.5.0)
jquery-rails (1.0.19)
json (1.6.6)
mail (2.3.3)
mime-types (1.18)
mysql (2.8.1)
net-ldap (0.3.1)
passenger (3.0.17)
polyglot (0.3.3)
rack (1.2.5)
rack-mount (0.6.14)
rack-test (0.5.7)
rails (3.0.15)
railties (3.0.15)
rake (0.9.2.2)
rdoc (3.12)
rest-client (1.6.7)
ruby2ruby (1.3.1)
ruby_parser (2.3.1)
safemode (1.0.1)
scoped_search (2.3.7)
sexp_processor (3.1.0)
stomp (1.1.8)
thor (0.14.6)
treetop (1.4.10)
tzinfo (0.3.33, 0.3.32)
uuidtools (2.1.1)
will_paginate (3.0.3)
 
/etc/httpd/conf.d/puppetmaster.conf
# you probably want to tune these settings
PassengerHighPerformance on
PassengerMaxPoolSize 12
PassengerPoolIdleTime 1500
# PassengerMaxRequests 1000
PassengerStatThrottleRate 120
RackAutoDetect Off
RailsAutoDetect Off

Listen 8140

<VirtualHost *:8140>
  SSLEngine      on
#  SSLProtocol    -ALL +SSLv3 +TLSv1
#  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

  SSLCertificateFile      /var/lib/puppet/ssl/certs/puppet.pem
  SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/puppet.pem
  SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
  SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
  # If Apache complains about invalid signatures on the CRL, you can try disabling
  # CRL checking by commenting the next line, but this is not recommended.
  SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
  SSLVerifyClient optional
  SSLVerifyDepth  1
  SSLOptions      +StdEnvVars

   # This header needs to be set if using a loadbalancer or proxy
#  RequestHeader unset X-Forwarded-For
  RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e


  DocumentRoot /etc/puppet/rack/public/
  RackBaseURI /
  <Directory /etc/puppet/rack/>
    Options None
    AllowOverride None
    Order allow,deny
    allow from all
  </Directory>
</VirtualHost>

 

/var/log/http/error_log:


[Fri Aug 31 08:54:40 2012] [notice] caught SIGTERM, shutting down
[Fri Aug 31 08:54:40 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Aug 31 08:54:40 2012] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]
[Fri Aug 31 08:54:40 2012] [notice] Digest: generating secret for digest authentication ...
[Fri Aug 31 08:54:40 2012] [notice] Digest: done
[Fri Aug 31 08:54:40 2012] [notice] Apache/2.2.15 (Unix) DAV/2 mod_ssl/2.2.15 OpenSSL/1.0.0-fips Phusion_Passenger/3.0.17 configured -- resuming normal operations


/var/log/messages:


Aug 31 03:59:36 ip-10-226-242-145 puppet-agent[894]: (/File[/var/lib/puppet/lib]) Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet]
Aug 31 03:59:36 ip-10-226-242-145 puppet-agent[894]: (/File[/var/lib/puppet/lib]) Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet] Could not retrieve file metadata for puppet://puppet/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet]
Aug 31 03:59:38 ip-10-226-242-145 puppet-agent[894]: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet]
Aug 31 03:59:38 ip-10-226-242-145 puppet-agent[894]: Using cached catalog
Aug 31 03:59:38 ip-10-226-242-145 puppet-agent[894]: Could not retrieve catalog; skipping run
Aug 31 03:59:38 ip-10-226-242-145 puppet-agent[894]: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet]
 
On a client node:

# puppet agent --test --verbose
warning: peer certificate won't be verified in this SSL session
err: Could not request certificate: Error 406 on SERVER:
Exiting; failed to retrieve certificate and waitforcert is disabled
 
Nothing in the apache ssl_error log files
 
