Apache Puppet master does not recognize environment URL


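I set up a Puppet master with Passenger and Apache according to the guide. I also set the "environmentspath" variable in puppet.conf on the master and created a "production" environment directory. My Puppet agent also has its puppet.conf "environment" variable set to "production".

However, when I run "puppet agent --test", for example, I get the following error: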

Error: Could not request certificate: Find /production/certificate/ca?fail_on_404=true resulted in 404 with the message: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /production/certificate/ca was not found on this server.</p>
<hr>
<address>Apache/2.2.15 (CentOS) Server at <server>.<domain> Port 8140</address>
</body></html>


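Several times, with no luck.

Any help with this would be greatly appreciated. Let me know if there is any additional information I should provide to help resolve this.

Update:

Here is the VHost config. I have anonymized references to the hostname or domain.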

# You'll need to adjust the paths in the Passenger config depending on which OS
# you're using, as well as the installed version of Passenger.

# RHEL/CentOS:
LoadModule passenger_module /usr/lib/ruby/gems/1.8/gems/passenger-4.0.50/ext/apache2/mod_passenger.so
PassengerRoot /usr/lib/ruby/gems/1.8/gems/passenger-4.0.50
PassengerRuby /usr/bin/ruby

# And the passenger performance tuning settings:
# Set this to about 1.5 times the number of CPU cores in your master:
PassengerMaxPoolSize 3
# Recycle master processes after they service 1000 requests
PassengerMaxRequests 1000
# Stop processes if they sit idle for 10 minutes
PassengerPoolIdleTime 600

Listen 8140
<VirtualHost *:8140>
    # Make Apache hand off HTTP requests to Puppet earlier, at the cost of
    # interfering with mod_proxy, mod_rewrite, etc. See note below.
    PassengerHighPerformance On

    SSLEngine On

    # Only allow high security cryptography. Alter if needed for compatibility.
    SSLProtocol ALL -SSLv2 -SSLv3
    SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA256-$
    SSLHonorCipherOrder     on

    SSLCertificateFile      /var/lib/puppet/ssl/certs/<server>.<domain>.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/<server>.<domain>.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
#   SSLCARevocationCheck        chain
    SSLVerifyClient         optional
    SSLVerifyDepth          1
    SSLOptions              +StdEnvVars +ExportCertData

    # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none
    # which effectively disables CRL checking. If you are using Apache 2.4+ you must
    # specify 'SSLCARevocationCheck chain' to actually use the CRL.

    # These request headers are used to pass the client certificate
    # authentication information on to the puppet master process
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    DocumentRoot /etc/puppet/rack/puppetmasterd/public

    <Directory /etc/puppet/rack/puppetmasterd/>
      Options None
      AllowOverride None
      # Apply the right behavior depending on Apache version.
      Order allow,deny
      Allow from all
    </Directory>

    LogFormat "%h %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" puppet
    CustomLog /var/log/httpd/puppet.log puppet
    ErrorLog /var/log/httpd/<server>.<domain>.pem_ssl_error.log
    CustomLog /var/log/httpd/<server>.<domain>.pem_ssl_access.log combined
</VirtualHost>

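DevOps... right on that fine line between ServerFault and StackOverflow... :)

I ran into the same problem installing Puppet/Apache/Passenger on a CentOS 6.5 Puppet master that has both Ubuntu and CentOS Puppet agent servers.

It turned out my problem was that SELinux was locking down my Apache instance, even though I had switched it to permissive mode in the /etc/sysconfig/selinux file. For some reason that file was not linked to the "real" /etc/selinux/config file, so after I rebooted it was still in enforcing mode and did not allow Passenger to run, along with many other necessary actions that need to be allowed between the Puppet Master and Puppet Agent machines.

Here is how I fixed it on the Puppet Master: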

#Set SELinux into Permissive mode for current session
sudo setenforce permissive

#Set SELinux into Permissive mode for reboots
sudo sed -i 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config

#REBOOT and Verify Current Mode
sudo getenforce
    Permissive
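Your Puppet agents should now be able to negotiate a connection and perform the certificate signing request that the Puppet master must reply to.

Later, once the Puppet Master had audited all the actions needed for me to put SELinux back into enforcing mode (i.e. downloading manifests and performing package/service/file operations on the Puppet agent boxes), I replayed the audit log, turned SELinux back on, and verified that the Puppet agents had no communication problems. You may not want to replay the full audit log, but you get the idea.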

#Install Audit2Allow
sudo yum -y install policycoreutils-python

#Build a policy package for allowing passenger/puppet to run
sudo grep httpd /var/log/audit/audit.log | audit2allow -M passenger
sudo semodule -i passenger.pp

#Once done, re-enable SELinux
sudo setenforce 1
sudo sed -i 's/^SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config

#REBOOT and Verify Current Mode
getenforce
    Enforcing
On the Puppet agent servers:

#Verify Puppet Agents can communicate with no issues.
sudo puppet agent --verbose --no-daemonize --onetime
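
Added example, not part of the original answer: a way to review which denials would end up in the policy module before running audit2allow. It filters AVC records by source domain instead of a text grep for "httpd", which also matches records from other domains that merely mention httpd. The function names and the sample log lines are constructed for illustration.

```sh
#!/bin/sh
# Summarise SELinux AVC denials for one source domain so the accesses that
# audit2allow would turn into allow rules can be reviewed first.

# Constructed sample audit.log lines (not taken from the original post).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1400000001.101:201): avc:  denied  { name_bind } for  pid=2101 comm="httpd" src=8140 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1400000002.102:202): avc:  denied  { read } for  pid=2102 comm="ruby" name="puppet.conf" dev=dm-0 ino=1234 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1400000003.103:203): avc:  denied  { read } for  pid=2102 comm="ruby" name="puppet.conf" dev=dm-0 ino=1234 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:puppet_etc_t:s0 tclass=file
type=AVC msg=audit(1400000004.104:204): avc:  denied  { getattr } for  pid=2103 comm="logrotate" path="/var/log/httpd" dev=dm-0 ino=99 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1400000004.104:204): arch=c000003e syscall=4 success=no comm="logrotate" exe="/usr/sbin/logrotate"
EOF
}

# Reads audit records on stdin and prints
#   "count source_type target_type class permissions"
# for denials whose source domain equals $1 (default httpd_t), most frequent first.
summarise_denials() {
  awk -v dom="${1:-httpd_t}" '
    /^type=AVC / && /denied/ {
      perms = src = tgt = cls = ""
      if (match($0, /\{ [^}]* \}/)) perms = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src == dom) seen[src " " tgt " " cls " " perms]++
    }
    END { for (k in seen) print seen[k], k }
  ' | sort -k1,1nr -k2
}

# Demo on the constructed sample. On a real master, feed it the audit log:
#   sudo cat /var/log/audit/audit.log | summarise_denials httpd_t
sample_audit_log | summarise_denials httpd_t
```

In the sample, a plain grep for "httpd" would also pick up the logrotate_t record and the resulting module would grant that access too; the per-domain summary leaves it out.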

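I think this should be moved to ServerFault, since your problem lies in the Apache configuration.

The Passenger module is not configured correctly. Apache tries to serve the request from the file system, which is bound to fail. We need the Apache error log from a restart and an excerpt of the :8140 vhost, which you believe should activate and configure Passenger for you.

What do you mean by "this should be moved to ServerFault"?

This question is pretty much off-topic and better suited for, because it deals with server operations rather than programming.

So does
/usr/lib/ruby/gems/1.8/gems/passenger-4.0.50/ext/apache2/mod_passenger.so
exist? Are there any indications in the server logs when the agent checks in or when Apache starts?

There may have been a mod_passenger.so file at the time (there is only a mod_passenger.c file now), but I have rolled back to ve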