Bug #2619
Fresh 0.25.0 client cannot 'authenticate' to 0.25.0 puppetmaster.
| Status: | Closed | Start date: | 09/09/2009 | |
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: | - | % Done: | 0% |
|
| Category: | SSL | |||
| Target version: | 0.25.1 | |||
| Affected Puppet version: | 0.25.0 | Branch: | ||
| Keywords: | ||||
| Votes: | 0 |
Description
Server: 0.25.0 (standalone webrick) Client: 0.25.0
New client machine (0.25.0) comes up, generates CSR, submits to master, which signs CSR and returns certificate. Subsequent access to /file_metadata/plugins is 403 – forbidden by puppetmaster. If I set auth.conf in the relevant /file sections to ‘auth any’, it works.
It appears that the client machines are not considered to be authenticated by the puppetmaster.
I’ve attached first and second run verbose, debug and trace from the client and puppetmaster.
Also of note:
I have a number of 0.24.8 client machines that were upgraded to 0.25.0 which work as expected. New 0.24.8 client machines can also appropriately bootstrap and authenticate to the very same 0.25.0 server. This appears to be restricted to fresh 0.25.0 clients speaking with a 0.25.0 server.
Related issues
History
Updated by Markus Roberts over 2 years ago
- Category set to SSL
- Status changed from Unreviewed to Accepted
- Target version set to 0.25.1
This may be related to #2617, with a twist: this problem is described as apparently only affecting fresh installs while #2617 is explicitly described as affecting everything but fresh installs.
I have a feeling this may be related to another ticket as well (the file_metadata connection); I’ll update the ticket if I can substantiate the hunch.
Updated by Jason Hansen over 2 years ago
Let me know if you need any additional logs/testing.
Updated by Brice Figureau over 2 years ago
Jason Hansen wrote:
Let me know if you need any additional logs/testing.
Can you describe how you run your puppetmaster (ie webrick, mongrel + apache, or anything else…)?
Basically the error you are seeing is that the master denies access to the plugins because your client is not authenticated (ie the master is not aware this client connection has been authenticated). In 0.25 we introduced an authorization system which installs sane defaults if no auth.conf file are found. It can happen you’re running a setup for which those sane rules are not sane anymore.
Updated by Jason Hansen over 2 years ago
- File auth.conf added
Brice Figureau wrote:
Can you describe how you run your puppetmaster (ie webrick, mongrel + apache, or anything else…)?
Basically the error you are seeing is that the master denies access to the plugins because your client is not authenticated (ie the master is not aware this client connection has been authenticated). In 0.25 we introduced an authorization system which installs sane defaults if no auth.conf file are found. It can happen you’re running a setup for which those sane rules are not sane anymore.
The production server is apache + passenger (2.2.5). I have the same problem while running with webrick, which produced the logs and traces attached to this ticket.
Authentication does seem to be the problem, if I change entries in auth.conf to ‘auth any’ the puppet client is able to proceed further.
I’ve attached the auth.conf file that I’m using (which is very close to the shipped auth.conf example). The only modification was the addition of:
path /file_metadata/plugins allow *
While I was attempting to track down this permissions issue.
Updated by Brice Figureau over 2 years ago
Jason Hansen wrote:
Brice Figureau wrote:
Can you describe how you run your puppetmaster (ie webrick, mongrel + apache, or anything else…)?
Basically the error you are seeing is that the master denies access to the plugins because your client is not authenticated (ie the master is not aware this client connection has been authenticated). In 0.25 we introduced an authorization system which installs sane defaults if no auth.conf file are found. It can happen you’re running a setup for which those sane rules are not sane anymore.
The production server is apache + passenger (2.2.5). I have the same problem while running with webrick, which produced the logs and traces attached to this ticket.
Authentication does seem to be the problem, if I change entries in auth.conf to ‘auth any’ the puppet client is able to proceed further.
I’ve attached the auth.conf file that I’m using (which is very close to the shipped auth.conf example). The only modification was the addition of: […]
While I was attempting to track down this permissions issue.
I could reproduce the issue and it is what I thought: permissions and shipped auth.conf is really fine. It’s just that this specific client fails to authenticate to the server because it lacks the $ssldir/certs/ca.pem file.
To me it’s the exact same issue as #2617, and the exact same one that has been reported to puppet-user several times.
Steps to reproduce:
checkout 0.24.8¶
launch the master once in a fresh env so that it creates its ssldir: ruby bin/puppetmasterd —debug —trace —no-daemonize —confdir /tmp/master —vardir /tmp/master —certname localhost¶
kill it (CTRL-C)¶
checkout 0.25.0¶
relaunch the master in this env: ruby sbin/puppetmasterd —debug —trace —no-daemonize —confdir /tmp/master —vardir /tmp/master —certname localhost¶
open a new term, in the same checkout, launch a client: sbin/puppetd —test —debug —trace —confdir /tmp/client4 —vardir /tmp/client4 —fqdn pouet3.daysofwonder.com —server localhost¶
it sends its CSR¶
sign the CSR and generate the cert: sbin/puppetca —vardir /tmp/master —confdir /tmp/master —sign pouet3.daysofwonder.com¶
relaunch the client: sbin/puppetd —test —debug —trace —confdir /tmp/client4 —vardir /tmp/client4 —fqdn pouet3.daysofwonder.com —server localhost¶
observe it says: “warning: SSL cert won’t be verified…” this means the Http client has not been initialized with a proper client cert.¶
check that there is no ca.pem in /tmp/client4/ssl/certs¶
Now, let’s try to see why this ca.pem file is not there…
Updated by R.I. Pienaar over 2 years ago
Exact same problem here, fresh installs busted but upgraded ones are fine.
Missing ca.pem on the client, if I copy it in by hand it all works fine.
Updated by Markus Roberts over 2 years ago
- Status changed from Accepted to Closed
Closing as a duplicate of 2617.