[Puppet] Can't manage Puppet Certificates on the PuppetCA (404 error)

damien...@gmail.com

Aug 25, 2020, 9:49:49 AM
to Puppet Users

Hello,

I have just finished installing a Puppet / Foreman / PuppetDB stack. Here are the details:

OS : CentOS 8.2

Puppetserver version : 6.12.1

PuppetDB version : 6.11.2

Puppet agent version : 6.17.0

Foreman version : 2.1

I have the PuppetCA and Foreman on one host, the Puppetmaster on a second one and the PuppetDB on a third one. I used Foreman-installer to install everything except the PuppetDB.

It took me quite some time but it seems to be working fine except for one thing: I can't manage the nodes' certificates because the following command gives me a 404 error (I run it on the PuppetCA/Foreman host):

> puppetserver ca list --all
Error:
    code: 404
    body: {
"message":"Not Found",
"url":"/puppet-ca/v1/certificate_statuses/any_key",
"status":"404"
}
No certificates to list

I did set up the autosign with my servers' domain name, so the new nodes get their certificate requests correctly signed, they get their catalogs, I see them in Foreman, etc.

> ls -l  /etc/puppetlabs/puppet/ssl/ca/signed/
total 44
drwxr-x---. 2 puppet puppet 4096 Aug 24 18:01 .
drwxr-x---. 4 puppet puppet  232 Aug 24 18:35 ..
-rw-r--r--. 1 puppet puppet 1960 Aug 24 18:01 host1.domain.local.pem
-rw-r--r--. 1 puppet puppet 1968 Aug 24 16:45 host2.domain.local.pem
-rw-r--r--. 1 puppet puppet 1968 Aug 23 11:39 host3.domain.local.pem
-rw-r--r--. 1 puppet puppet 1968 Aug 23 11:42 host4.domain.local.pem

But I need to revoke and renew some of these certificates so for the moment, I am blocked.

I don't know where to look, any help would be appreciated ^^

Thanks

Martin Alfke

Aug 26, 2020, 2:43:12 AM
to puppet...@googlegroups.com
Hi,

Usually you can do the cert management via Foreman web interface.
If CLI is not working, please check that your Puppet 6 Master has a cert extension.
If this is missing you can check our blog posting:

Best,
Martin

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/68084f23-4154-45c1-b808-c67249ad1770n%40googlegroups.com.

Damien Ellul

Aug 26, 2020, 1:45:45 PM
to puppet...@googlegroups.com
Actually, I was missing the "ca_server" parameter in the "main" section of the machine that hosts Foreman and the PuppetCA. I used the hostname of the server for the value and the "puppetserver ca" command worked.

I didn't know that certs could be managed via the Foreman web interface. Do you know if there is something about this in the Foreman documentation?
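
The fix described in this post, as an added example that is not part of the original thread: a shell check that resolves which host the [main] section of a puppet.conf sends CA requests to, using Puppet's documented defaults (ca_server falls back to server, which falls back to "puppet"). The hostnames, file contents and the function names conf_get, effective_ca_server and write_samples are constructed for illustration; that "server" on the CA host pointed at the separate Puppetmaster is an assumption, not stated in the thread.

```shell
#!/usr/bin/env bash
# Added example; hostnames and file contents below are constructed.
# On a real host the equivalent lookup is:
#   puppet config print ca_server --section main

# conf_get FILE SECTION KEY: print the value of KEY inside [SECTION], if set.
conf_get() {
  awk -v want="$2" -v key="$3" '
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    /^[ \t]*\[/ {                            # section header such as [main]
      sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); sect = $0; next
    }
    sect == want {
      eq = index($0, "=")
      if (eq == 0) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) val = v                  # last assignment wins
    }
    END { if (val != "") print val }
  ' "$1"
}

# effective_ca_server FILE: ca_server from [main], else server, else "puppet"
# (Puppet documented defaults: ca_server = $server, server = puppet).
effective_ca_server() {
  local v
  v=$(conf_get "$1" main ca_server)
  [ -n "$v" ] || v=$(conf_get "$1" main server)
  printf '%s\n' "${v:-puppet}"
}

# write_samples DIR: constructed puppet.conf of the CA host, before and after.
# Assumption: "server" there pointed at the separate Puppetmaster.
write_samples() {
  printf '[main]\n  server = puppetmaster.domain.local\n' > "$1/before.conf"
  printf '[main]\n  server = puppetmaster.domain.local\n  ca_server = puppetca.domain.local\n' > "$1/after.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in before after; do
  printf '%s: CA requests go to %s\n' "$f" "$(effective_ca_server "$tmp/$f.conf")"
done
rm -rf "$tmp"
```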

Mattias Giese

Aug 26, 2020, 4:46:52 PM
to puppet...@googlegroups.com
Heya,

On 26/08/20 09:40:33, Damien Ellul wrote:
> Actually, I was missing the "ca_server" parameter in the "main" section of
> the machine that hosts Foreman and the PuppetCA. I used the hostname of the
> server for the value and the "puppetserver ca" command worked.
>
> I didn't know that certs could be managed via the Foreman web interface, do
> you know if there is something about this in the Foreman documentation ?

https://www.theforeman.org/manuals/2.1/index.html#4.3.7PuppetCA

Regards,

Mattias

--
Mattias Giese
Linux Consultant and Trainer
Mail: gi...@b1-systems.de

B1 Systems GmbH
Osterfeldstraße 7 / 85088 Vohburg / http://www.b1-systems.de
Managing Director: Ralph Dehner / Registered office: Vohburg / District court: Ingolstadt, HRB 3537

Damien Ellul

Aug 27, 2020, 9:26:38 AM
to puppet...@googlegroups.com
Thank you =)
