I set up a Puppet Master with Passenger and Apache according to the documentation. I also set the "environmentspath" variable in puppet.conf on the master and created a "production" environment directory. My Puppet Agent also has its puppet.conf "environment" variable set to "production".
However, when I run "puppet agent --test", for example, I get the following error:
Error: Could not request certificate: Find /production/certificate/ca?fail_on_404=true resulted in 404 with the message: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /production/certificate/ca was not found on this server.</p>
<hr>
<address>Apache/2.2.15 (CentOS) Server at <server>.<domain> Port 8140</address>
</body></html>
For the purposes of this post I have anonymized the server and domain in the error above; port 8140 is just the standard port Puppet uses.
I'm running Phusion Passenger version 4.0.50. Has anyone seen this error before? I'm sure it's something simple I missed during the Puppet Master installation, but I've been through the install docs several times without success.
Any help with this would be greatly appreciated. If I need to provide any other information to help resolve this, please let me know.
Update:
Here is the VHost config. I have anonymized any references to the hostname or domain.
# You'll need to adjust the paths in the Passenger config depending on which OS
# you're using, as well as the installed version of Passenger.
# RHEL/CentOS:
LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.50/ext/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.50
PassengerRuby /usr/bin/ruby
# And the passenger performance tuning settings:
# Set this to about 1.5 times the number of CPU cores in your master:
PassengerMaxPoolSize 3
# Recycle master processes after they service 1000 requests
PassengerMaxRequests 1000
# Stop processes if they sit idle for 10 minutes
PassengerPoolIdleTime 600
Listen 8140
<VirtualHost *:8140>
# Make Apache hand off HTTP requests to Puppet earlier, at the cost of
# interfering with mod_proxy, mod_rewrite, etc. See note below.
PassengerHighPerformance On
SSLEngine On
# Only allow high security cryptography. Alter if needed for compatibility.
SSLProtocol ALL -SSLv2 -SSLv3
SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-$
SSLHonorCipherOrder on
SSLCertificateFile /var/lib/puppet/ssl/certs/<server>.<domain>.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/<server>.<domain>.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
# SSLCARevocationCheck chain
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars +ExportCertData
# Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
# which effectively disables CRL checking. If you are using Apache 2.4+ you must
# specify 'SSLCARevocationCheck chain' to actually use the CRL.
# These request headers are used to pass the client certificate
# authentication information on to the puppet master process
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
DocumentRoot /etc/puppet/rack/puppetmasterd/public
<Directory /etc/puppet/rack/puppetmasterd/>
Options None
AllowOverride None
# Apply the right behavior depending on Apache version.
Order allow,deny
Allow from all
</Directory>
LogFormat "%h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" puppet
CustomLog /var/log/httpd/puppet.log puppet
ErrorLog /var/log/httpd/<server>.<domain>.pem_ssl_error.log
CustomLog /var/log/httpd/<server>.<domain>.pem_ssl_access.log combined
</VirtualHost>
Best answer
DevOps... that fine line between ServerFault and StackOverflow... :)
I ran into the same problem installing Puppet/Apache/Passenger on a CentOS 6.5 Puppet Master with Ubuntu and CentOS Puppet Agent servers.
It turned out my problem was SELinux locking down my Apache instance, even though I had switched it to permissive mode in the /etc/sysconfig/selinux file. For some reason that file was not linked to the "real" /etc/selinux/config file, so after I rebooted it was still in enforcing mode and would not allow Passenger to run, along with many other necessary operations that have to be allowed between the Puppet Master and Puppet Agent machines.
Here is how I fixed it on the Puppet Master:
#Set SELinux into Permissive mode for current session
sudo setenforce permissive
#Set SELinux into Permissive mode for reboots
sudo sed -i 's/=enforcing/=permissive/g' /etc/selinux/config
#REBOOT and Verify Current Mode
sudo getenforce
Permissive
Your puppet agent should now be able to negotiate a connection and perform the certificate signing request that the Puppet Master has to answer.
Later, once the Puppet Master had audited all the operations it needed (i.e. downloading the manifest and performing package/service/file operations on the Puppet Agent boxes), I was able to return SELinux to enforcing mode. I replayed the audit log, turned SELinux back on, and verified that puppet agent communication had no issues. You may not want to replay the full audit log, but you get the idea.
#Install Audit2Allow
sudo yum -y install policycoreutils-python
#Build a policy package for allowing passenger/puppet to run
sudo grep httpd /var/log/audit/audit.log | audit2allow -M passenger
sudo semodule -i passenger.pp
#Once done, re-enable SELinux
sudo setenforce 1
sudo sed -i 's\=permissive\=enforcing\g' /etc/selinux/config
#REBOOT and Verify Current Mode
getenforce
Enforcing
On the Puppet Agent servers:
#Verify Puppet Agents can communicate with no issues.
sudo puppet agent --verbose --no-daemonize --onetime
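An added review step that is not part of the original answer: before piping audit.log into audit2allow, list exactly which httpd_t denials the generated policy would allow, so you permit only what Passenger/Puppet needs rather than everything "grep httpd" matches. The audit lines below are constructed samples in audit.log format, not taken from a real system.

```shell
#!/bin/sh
# Constructed sample audit.log lines (not from the page); the sshd_t and SYSCALL
# lines are there to show that they are excluded from the summary.
SAMPLE_AUDIT='type=AVC msg=audit(1409876543.123:456): avc:  denied  { read } for  pid=1234 comm="ruby" name="ca_crt.pem" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_var_lib_t:s0 tclass=file
type=AVC msg=audit(1409876543.124:457): avc:  denied  { execute } for  pid=1235 comm="httpd" path="/usr/bin/ruby" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1409876543.125:458): avc:  denied  { name_connect } for  pid=1236 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1409876543.123:456): arch=c000003e syscall=2 success=no exit=-13'

# Reads audit.log lines on stdin and prints one "permission tclass target_type"
# line per distinct denial whose source domain is httpd_t (the domain Passenger
# runs the puppet master in). Each line is one rule audit2allow would generate.
summarize_avc_denials() {
    awk '
    /avc: *denied/ && /scontext=[^ ]*:httpd_t:/ {
        perm = ""; tclass = ""; ttype = ""
        # permissions sit between "{ " and " }", e.g. "{ read }"
        if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^tclass=/) tclass = substr($i, 8)
            # tcontext=user:role:type:level -> keep only the type
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
        }
        print perm, tclass, ttype
    }' | sort -u
}

# Review the summary, then feed only the lines you accept to audit2allow as the
# answer above does (e.g. grep for the accepted target types first).
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc_denials
```

On a real master, replace the sample with `sudo cat /var/log/audit/audit.log | summarize_avc_denials` and compare the list against the paths the vhost config actually serves (the puppet SSL directory, the Rack document root, the Ruby binary).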
Regarding "apache - Puppet Master service does not recognize environment URL", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/25749709/