403 Forbidden Request -- Puppet Server

asked 2015-08-27 15:52:59 -0500

nottc

I'm having issues expanding a puppet-server deployment beyond ten nodes. Specifically, the issue appears to be authentication related, but I cannot track down what would cause it.

Deployment: I have a puppet-server deployment with an external CA. The master certificate is signed by an intermediate certificate and the agent certificates are signed by another intermediate. Both intermediates are signed by the same root. This is the deployment as described in the Puppet documentation. Additionally, I have a running Puppet DB deploy connected to Puppet.

The Problem: Before the problem started, I had 10 working nodes. I've had no issues with authentication using the external CA (certificates generated using EJBCA). When I attempted to add three additional nodes, each node has the same kind of errors that suggest authentication problems. These errors are 403 errors when running puppet agent -t.

As an example, when attempting to run puppet, the following happens:

# /opt/puppetlabs/bin/puppet agent -t
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': Error 403 on SERVER: Forbidden request: host01.local.test(XXX.XXX.XXX.XXX) access to /puppet/v3/file_metadata/pluginfacts [search] at :124
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: Error 403 on SERVER: Forbidden request: host01.local.test(XXX.XXX.XXX.XXX) access to /puppet/v3/file_metadata/pluginfacts [find] at :124
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': Error 403 on SERVER: Forbidden request: host01.local.test(XXX.XXX.XXX.XXX) access to /puppet/v3/file_metadata/plugins [search] at :124
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: Error 403 on SERVER: Forbidden request: host01.local.test(XXX.XXX.XXX.XXX) access to /puppet/v3/file_metadata/plugins [find] at :124
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Evaluation Error: Error while evaluating a Function Call, $concat_basedir not defined. Try running again with pluginsync=true on the [master] and/or [main] section of your node's '/etc/puppet/puppet.conf'. at /etc/puppetlabs/code/environments/production/modules/concat/manifests/setup.pp:19:5 on node host01.local.test
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: Error 403 on SERVER: Forbidden request: host01.local.test(XXX.XXX.XXX.XXX) access to /puppet/v3/report/host01.local.test [save] at :124

This happens on only the newest nodes.

When I disable the authentication on the puppet server in /etc/puppetlabs/puppet/auth.conf, the puppet agent -t command completes successfully. So, this suggests that it is tied to the puppet server authentication.

Because existing nodes were able to authenticate and run successfully, I revoked an existing certificate and generated a new certificate for one of the known working nodes. When running puppet agent -t, the run completes successfully ... (more)


1 Answer


answered 2015-08-28 07:58:53 -0500

nottc

This was caused by a careless mistake. The ssl_client_ca_auth configuration directive was pointing to a non-existent file (it was named incorrectly). Once I discovered that, naming it correctly made the puppet runs complete successfully.

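The failure described in the answer, a file-valued setting such as ssl_client_ca_auth naming a file that does not exist, can be checked for before an agent run. The following is an added example, not part of the original post and not Puppet's own tooling: a POSIX shell function that reads a puppet.conf and reports whether each listed setting points at an existing, readable, non-empty file. The function name and every setting in the list other than ssl_client_ca_auth are assumptions, and values that use `$` interpolation are reported as UNEXPANDED rather than resolved.

```shell
#!/bin/sh
# Added example: check that file-valued SSL settings in a puppet.conf point at
# files that exist, are readable and are non-empty.

# ssl_client_ca_auth is the setting from this thread; the rest of the list is
# an assumed selection of other Puppet file-path settings. Adjust as needed.
SSL_FILE_SETTINGS="ssl_client_ca_auth ssl_server_ca_auth localcacert hostcert hostprivkey"

# check_puppet_ssl_paths CONF  (function name is hypothetical)
# Prints "STATUS section/setting path" for each listed setting found in CONF.
# Returns 0 if no path is MISSING, UNREADABLE or EMPTY; 1 otherwise; 2 if CONF
# itself cannot be read.
check_puppet_ssl_paths() {
    _conf=$1; _rc=0; _section="(none)"
    [ -r "$_conf" ] || { echo "cannot read $_conf" >&2; return 2; }
    while IFS= read -r _line || [ -n "$_line" ]; do
        _line=${_line#"${_line%%[![:space:]]*}"}          # trim leading blanks
        case $_line in
            ''|'#'*) continue ;;                           # blank or comment
            '['*) _section=${_line#?}; _section=${_section%%]*}; continue ;;
            *=*) ;;
            *) continue ;;
        esac
        _key=${_line%%=*};   _key=${_key%"${_key##*[![:space:]]}"}
        _value=${_line#*=};  _value=${_value#"${_value%%[![:space:]]*}"}
        _value=${_value%"${_value##*[![:space:]]}"}        # trim trailing blanks
        case " $SSL_FILE_SETTINGS " in *" $_key "*) ;; *) continue ;; esac
        case $_value in
            *'$'*) _status=UNEXPANDED ;;   # $ssldir-style interpolation, not resolved here
            *)  if   [ ! -e "$_value" ]; then _status=MISSING
                elif [ ! -r "$_value" ]; then _status=UNREADABLE
                elif [ ! -s "$_value" ]; then _status=EMPTY
                else _status=OK
                fi ;;
        esac
        case $_status in OK|UNEXPANDED) ;; *) _rc=1 ;; esac
        printf '%s %s/%s %s\n' "$_status" "$_section" "$_key" "$_value"
    done < "$_conf"
    return "$_rc"
}

# Usage: sh check.sh /etc/puppetlabs/puppet/puppet.conf
if [ "$#" -gt 0 ]; then check_puppet_ssl_paths "$1"; fi
```

On a live host, `puppet config print ssl_client_ca_auth` shows the value Puppet actually resolves, which covers the interpolated case this function does not expand.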


Stats

Asked: 2015-08-27 15:52:59 -0500

Seen: 3,933 times

Last updated: Aug 28 '15