puppet certificate


Fabrice Bacchella

Apr 5, 2017, 9:59:08 AM
to Puppet Users
I'm playing with the "puppet certificate" command.

But when I run "puppet certificate --ca-location remote list"

I see in the log:

10.83.16.17 - - [05/Apr/2017:15:52:46 +0200] "GET /puppet-ca/v1/certificate_statuss/*?environment=production&for=certificate_request HTTP/1.1" 404 9 "-" "Puppet/4.9.4 Ruby/2.1.9-p490 (x86_64-linux)" 38

certificate_statuss ? Really ? 

Because meanwhile, "puppet certificate --ca-location remote sign webtester" generated:
10.83.16.17 - - [05/Apr/2017:15:51:47 +0200] "PUT /puppet-ca/v1/certificate_status/webtester?environment=production& HTTP/1.1" 204 0 "-" "Puppet/4.9.4 Ruby/2.1.9-p490 (x86_64-linux)" 467

That's better I think.

And "puppet certificate --ca-location remote destroy webtester"

generated
10.83.16.17 - - [05/Apr/2017:15:56:32 +0200] "DELETE /puppet-ca/v1/certificate/webtester?environment=production& HTTP/1.1" 403 112 "-" "Puppet/4.9.4 Ruby/2.1.9-p490 (x86_64-linux)" 15

I'm surprised that similar commands talk to different URLs. It's not easy to track them in auth.conf.
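One way to inventory which puppet-ca endpoint and HTTP method each subcommand actually hits, so every pair can be checked against a rule in auth.conf. This is an added example, not part of the original post; the log lines are the three quoted above, and the regex assumes that access-log layout.

```ruby
# Added example: group puppet-ca requests by (method, endpoint) and list the
# pairs that were refused or not found. SAMPLE_LOG holds the three access-log
# lines quoted in the post; the field layout is assumed from those lines.
SAMPLE_LOG = <<~LOG
  10.83.16.17 - - [05/Apr/2017:15:52:46 +0200] "GET /puppet-ca/v1/certificate_statuss/*?environment=production&for=certificate_request HTTP/1.1" 404 9 "-" "Puppet/4.9.4 Ruby/2.1.9-p490 (x86_64-linux)" 38
  10.83.16.17 - - [05/Apr/2017:15:51:47 +0200] "PUT /puppet-ca/v1/certificate_status/webtester?environment=production& HTTP/1.1" 204 0 "-" "Puppet/4.9.4 Ruby/2.1.9-p490 (x86_64-linux)" 467
  10.83.16.17 - - [05/Apr/2017:15:56:32 +0200] "DELETE /puppet-ca/v1/certificate/webtester?environment=production& HTTP/1.1" 403 112 "-" "Puppet/4.9.4 Ruby/2.1.9-p490 (x86_64-linux)" 15
LOG

# method, endpoint (first path segment after /puppet-ca/v1/), optional
# certname, then the HTTP status that follows the quoted request line.
LINE_RE = %r{"(?<method>[A-Z]+) /puppet-ca/v1/(?<endpoint>[^/?\s]+)(?:/(?<name>[^?\s]*))?\S* HTTP/[\d.]+" (?<status>\d+) }

# Returns { [method, endpoint] => { names: [...], statuses: [...] } }.
# Lines that are not puppet-ca requests are skipped.
def summarise_ca_requests(log_text)
  summary = Hash.new { |h, k| h[k] = { names: [], statuses: [] } }
  log_text.each_line do |line|
    m = LINE_RE.match(line)
    next unless m
    entry = summary[[m[:method], m[:endpoint]]]
    entry[:names] << m[:name] if m[:name]
    entry[:statuses] << m[:status].to_i
  end
  summary
end

# (method, endpoint) pairs with at least one 4xx/5xx answer: these are the
# requests to compare against auth.conf (403) or against the CA API (404).
def problem_requests(summary)
  summary.select { |_, e| e[:statuses].any? { |s| s >= 400 } }.keys
end

if __FILE__ == $PROGRAM_NAME
  summarise_ca_requests(SAMPLE_LOG).each do |(method, endpoint), e|
    puts format('%-6s %-20s names=%s statuses=%s',
                method, endpoint, e[:names].uniq.join(','), e[:statuses].uniq.join(','))
  end
end
```
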

Fabrice Bacchella

Apr 5, 2017, 11:02:40 AM
to puppet...@googlegroups.com
One more problem: since puppet certificate --ca-location remote destroy does nothing, what is the whole point of puppet certificate? A puppet generate for the same host fails because it already exists, so I can't use it to remotely manage the puppet's PKI. It undermines the whole point of the command.

Martin Alfke

Apr 10, 2017, 1:14:10 PM
to puppet...@googlegroups.com
Hi Fabrice,

> On 05 Apr 2017, at 17:02, Fabrice Bacchella <fabrice....@orange.fr> wrote:
>
> One more problem: since puppet certificate --ca-location remote destroy does nothing, what is the whole point of puppet certificate? A puppet generate for the same host fails because it already exists, so I can't use it to remotely manage the puppet's PKI. It undermines the whole point of the command.

Have you tried puppet cert clean <certname> ?
This command is usually used to get rid of old certificates.


Fabrice Bacchella

Apr 16, 2017, 1:29:03 PM
to puppet...@googlegroups.com

> On 10 Apr 2017, at 19:13, Martin Alfke <tux...@gmail.com> wrote:
>
> Hi Fabrice,
>
>> On 05 Apr 2017, at 17:02, Fabrice Bacchella <fabrice....@orange.fr> wrote:
>>
>> One more problem: since puppet certificate --ca-location remote destroy does nothing, what is the whole point of puppet certificate? A puppet generate for the same host fails because it already exists, so I can't use it to remotely manage the puppet's PKI. It undermines the whole point of the command.
>
> Have you tried puppet cert clean <certname> ?

puppet cert works locally. The purpose of "puppet certificate" is to work remotely. But without a clean option it is not very useful.