puppet via apache using passenger from epel

I put together this series of steps a few years ago, long before Passenger made its way into Fedora/EPEL, when it required putting together write-ups from all over the place. It’s easier now, but I’ve updated it and am publishing it to my blog because someone had expressed interest, and for my own use.

The goal of this set of steps is to enable the serving of Puppet through Apache using the Passenger module. mod_passenger is to Ruby what mod_cgi is to Perl and mod_wsgi is to Python. You would want to use this because Puppetmaster itself does not scale as well to large numbers of puppets. There are other options, but the whole thing is discussed more here.


  • RHEL 6 or clone installed
  • EPEL enabled on server (preferably with epel-release RPM)
  • The knowledge to do the above without my help

Installing a Puppetmaster

  • Install puppet and other packages:
    yum install --enablerepo=epel-testing httpd mod_ssl puppet-server mod_passenger
  • Populate /etc/httpd/conf.d/puppetmaster.conf with the following block. There is a sample ‘apache2.conf’ file that comes with the puppet package, but it’s never worked for me:
  • Optional
    • Set ServerName value in the VirtualHost block
    • Change the ssl cert file names from ‘puppet.pem’ to match your local environment
    • Set the correct puppet paths for ssl certificates in your environment
  • Create rack directory structure
    mkdir -p /usr/share/puppet/rack/puppetmasterd/{public,tmp}
  • Copy config.ru from the puppet source dir
    cp /usr/share/puppet/ext/rack/files/config.ru /usr/share/puppet/rack/puppetmasterd/
  • Set permissions on the previous items
    chown -R puppet: /usr/share/puppet/rack/puppetmasterd/
  • Configure /etc/puppet/puppet.conf to include the following, taking into consideration your local environment:
  • Configuring SSL the lazy way :)
    • Run puppetmasterd to build the SSL directory structure and keys
    • Stop puppetmasterd
      killall -9 puppetmasterd
  • Add firewall rules before the reject and commit rules in your firewall definition:
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 8140 -j ACCEPT
  • Restart firewall
    /etc/init.d/iptables restart
  • Restart apache
    /etc/init.d/httpd restart
  • Verify that the system is working by browsing to the admin page: https://puppetmaster:8140. If it’s working you should see:
    The environment must be purely alphanumeric, not ''
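
The firewall step above only works if the 8140 rule really sits before the reject and commit lines. The following check is an added example, not part of the original post; it assumes an iptables-save style rules file such as /etc/sysconfig/iptables on RHEL 6, and the function name and sample rules are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Checks an iptables-save style
# rules file, assumed to look like /etc/sysconfig/iptables on RHEL 6.

# check_puppet_rule FILE [PORT]
#   0 = ACCEPT rule for PORT sits before the catch-all REJECT/DROP and COMMIT
#   1 = rule exists but is shadowed (after the catch-all) or sits after COMMIT
#   2 = no ACCEPT rule for PORT in the filter table's INPUT chain
check_puppet_rule() {
    awk -v port="${2:-8140}" '
        /^[ \t]*(#|$)/      { next }                      # comments, blank lines
        /^\*/               { table = $1; committed = 0; next }
        table != "*filter"  { next }
        $1 == "COMMIT"      { committed = 1; next }
        $1 == "-A" && $2 == "INPUT" {
            if ($0 ~ ("--dport " port "( |$)") && $0 ~ /-p tcp/ && $0 ~ /-j ACCEPT/) {
                found = 1
                if (!shadowed && !committed) ok = 1
            } else if ($3 == "-j" && ($4 == "REJECT" || $4 == "DROP")) {
                shadowed = 1      # unconditional rule: nothing after it is reached
            }
        }
        END { exit (ok ? 0 : (found ? 1 : 2)) }
    ' "$1"
}

# Constructed sample: the rule from the post placed after the default REJECT.
sample=$(mktemp)
cat > "$sample" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8140 -j ACCEPT
COMMIT
EOF
if check_puppet_rule "$sample"; then
    echo "8140 rule is effective"
else
    echo "8140 rule is missing or shadowed (exit $?)"
fi
rm -f "$sample"
```

Run it against the rules file before restarting iptables; exit status 1 means agents will be rejected even though the ACCEPT line is present.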
