Puppet Master service does not recognize the environment URL

Time: 2014-09-09 16:28:52

Tags: apache passenger puppet

I set up a Puppet Master using Passenger and Apache according to the documentation. I also have the "environmentpath" variable set in puppet.conf on the master, and I created a "production" environment directory. My Puppet Agent likewise has its puppet.conf "environment" variable set to "production".

However, when I run "puppet agent --test", I get the following error:

Error: Could not request certificate: Find /production/certificate/ca?fail_on_404=true resulted in 404 with the message: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /production/certificate/ca was not found on this server.</p>
<hr>
<address>Apache/2.2.15 (CentOS) Server at <server>.<domain> Port 8140</address>
</body></html>

For the purposes of this post I have anonymized the server and domain in the error; port 8140 is just the standard port Puppet uses.

I am running Phusion Passenger version 4.0.50. Has anyone seen this error? I am sure I missed something simple during the Puppet Master installation, but I have been through the install docs several times without luck.

Any help with this would be greatly appreciated. If there is any other information I can provide to help solve this, please let me know.

Update

Here is the VHost configuration. I have anonymized any mention of the hostname or domain.

# You'll need to adjust the paths in the Passenger config depending on which OS
# you're using, as well as the installed version of Passenger.

# RHEL/CentOS:
LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.50/ext/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.50
PassengerRuby /usr/bin/ruby

# And the passenger performance tuning settings:
# Set this to about 1.5 times the number of CPU cores in your master:
PassengerMaxPoolSize 3
# Recycle master processes after they service 1000 requests
PassengerMaxRequests 1000
# Stop processes if they sit idle for 10 minutes
PassengerPoolIdleTime 600

Listen 8140
<VirtualHost *:8140>
    # Make Apache hand off HTTP requests to Puppet earlier, at the cost of
    # interfering with mod_proxy, mod_rewrite, etc. See note below.
    PassengerHighPerformance On

    SSLEngine On

    # Only allow high security cryptography. Alter if needed for compatibility.
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-$
    SSLHonorCipherOrder     on

    SSLCertificateFile      /var/lib/puppet/ssl/certs/<server>.<domain>.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/<server>.<domain>.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
#   SSLCARevocationCheck        chain
    SSLVerifyClient         optional
    SSLVerifyDepth          1
    SSLOptions              +StdEnvVars +ExportCertData

    # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
    # which effectively disables CRL checking. If you are using Apache 2.4+ you must
    # specify 'SSLCARevocationCheck chain' to actually use the CRL.

    # These request headers are used to pass the client certificate
    # authentication information on to the puppet master process
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    DocumentRoot /etc/puppet/rack/puppetmasterd/public

    <Directory /etc/puppet/rack/puppetmasterd/>
      Options None
      AllowOverride None
      # Apply the right behavior depending on Apache version.
      Order allow,deny
      Allow from all
    </Directory>

    LogFormat "%h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" puppet
    CustomLog /var/log/httpd/puppet.log puppet
    ErrorLog /var/log/httpd/<server>.<domain>.pem_ssl_error.log
    CustomLog /var/log/httpd/<server>.<domain>.pem_ssl_access.log combined
</VirtualHost>

1 answer:

Answer 0 (score: 2)

DevOps... That nice line right between ServerFault and StackOverflow... : )

I had the same issue with an install of Puppet/Apache/Passenger on a CentOS 6.5 Puppet Master with both Ubuntu and CentOS Puppet Agent servers.

Turned out that my issue was that SELinux had locked down my Apache instance even though I had turned it into Permissive mode in the /etc/sysconfig/selinux file. For some reason that file wasn't linked to the "real" /etc/selinux/config file so it stayed in Enforcing mode once I rebooted and didn't allow Passenger to run and many other necessary operations that need to be allowed between the Puppet Master and the Puppet Agent computers.

Here is how I fixed it on the Puppet Master:

#Set SELinux into Permissive mode for current session
sudo setenforce permissive

#Set SELinux into Permissive mode for reboots
sudo sed -i 's/=enforcing/=permissive/g' /etc/selinux/config

#REBOOT and Verify Current Mode
sudo getenforce
    Permissive

Your puppet agents should now be able to negotiate a connection and perform the Certificate Signing Request that the Puppet Master will have to reply to.

Later, when the Puppet Master had audited all the operations needed so that I could turn SELinux back into Enforcing mode (i.e. downloading manifests and executing package/service/file operations on the Puppet Agent boxes) I replayed the audit log and turned SELinux back on and verified that the puppet agents had no issues communicating. You might not want to replay the full audit log, but you get the idea.

#Install Audit2Allow
sudo yum -y install policycoreutils-python

#Build a policy package for allowing passenger/puppet to run
sudo grep httpd /var/log/audit/audit.log | audit2allow -M passenger
sudo semodule -i passenger.pp

#Once done, re-enable SELinux
sudo setenforce 1
sudo sed -i 's/=permissive/=enforcing/g' /etc/selinux/config

#REBOOT and Verify Current Mode
getenforce
    Enforcing

On the Puppet Agent Server:

#Verify Puppet Agents can communicate with no issues.
sudo puppet agent --verbose --no-daemonize --onetime
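The answer's `grep httpd ... | audit2allow -M passenger` step turns every denial mentioning httpd into an allow rule, and the author warns that you may not want to replay the full audit log. The following added example (not from the original post or from the audit2allow tool) parses AVC denial records, filters them on the comm= field rather than on free text, merges them into the allow rules a generated module would contain, and flags the ones a reviewer should justify by hand before loading anything with semodule. The audit.log excerpt is constructed, the SELinux type names in it are illustrative, and the REVIEW_PERMS and REVIEW_TYPES lists are assumed heuristics, not an official list.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not from the original post): four AVC
# denials raised by httpd (the Passenger-hosted puppet master), one raised by
# sshd, and one non-AVC SYSCALL record, so filtering and matching are exercised.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1410280132.101:301): avc:  denied  { execute } for  pid=2481 comm="httpd" name="ruby" dev="dm-0" ino=131217 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1410280132.102:302): avc:  denied  { read write } for  pid=2481 comm="httpd" name="puppet.log" dev="dm-0" ino=262402 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1410280132.103:303): avc:  denied  { open } for  pid=2481 comm="httpd" name="puppet.log" dev="dm-0" ino=262402 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1410280132.104:304): avc:  denied  { name_connect } for  pid=2481 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1410280132.105:305): avc:  denied  { read } for  pid=3100 comm="sshd" name="shadow" dev="dm-0" ino=1043 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1410280132.105:305): arch=c000003e syscall=2 success=no exit=-13 comm="sshd" exe="/usr/sbin/sshd"
"""

# Matches the fields of an AVC denial record that a policy rule is built from.
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def _type_of(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]


def parse_avc_denials(lines, comm_filter=None):
    """Parse AVC denial records, optionally keeping only one command name.

    Filtering on the comm= field is tighter than a text grep for "httpd",
    which also matches any record whose path or name happens to contain it.
    """
    denials = []
    for line in lines:
        m = AVC_RE.match(line)
        if not m:
            continue
        if comm_filter is not None and m.group("comm") != comm_filter:
            continue
        denials.append({
            "comm": m.group("comm"),
            "stype": _type_of(m.group("scontext")),
            "ttype": _type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": m.group("perms").split(),
        })
    return denials


def summarize(denials):
    """Merge denials into {(source type, target type, class): sorted perms}."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return {key: sorted(perms) for key, perms in merged.items()}


def to_allow_rules(summary):
    """Render each merged entry as an allow rule in policy .te syntax."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


# Assumed review heuristics (not an official list): permissions and target
# types a reviewer should justify by hand before loading the module.
REVIEW_PERMS = {"execute", "execmem", "execmod", "entrypoint", "transition"}
REVIEW_TYPES = {"shadow_t", "admin_home_t", "security_t", "selinux_config_t"}


def needs_review(summary):
    """Return the (stype, ttype, tclass) keys whose rules deserve a manual look."""
    return [key for key, perms in summary.items()
            if key[1] in REVIEW_TYPES or REVIEW_PERMS & set(perms)]


if __name__ == "__main__":
    httpd_denials = parse_avc_denials(SAMPLE_AUDIT_LOG.splitlines(), comm_filter="httpd")
    merged = summarize(httpd_denials)
    for rule in to_allow_rules(merged):
        print(rule)
    for key in needs_review(merged):
        print("REVIEW:", key)
```

Running it against a real log (`sudo grep '^type=AVC' /var/log/audit/audit.log` piped into `parse_avc_denials`) gives you the rule list to prune before handing the trimmed records to audit2allow; the sshd/shadow_t denial in the sample is exactly the kind of unrelated record a plain grep on a busy host would otherwise sweep into the module.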