emulate "puppet cert clean" via API...


Matthew Nicholson

Apr 25, 2014, 5:09:40 PM
to puppet...@googlegroups.com
I'm looking to emulate "puppet cert clean <certname>" via the REST API...

Up until now our puppet CA has lived on the same host as our cobbler installation, letting me have triggers in cobbler to clean certs when we rebuild hosts. It's been VERY handy.

Now we're splitting the two up, and I'm looking to do the same via the REST API, to avoid some ssh-via-key-hackery.  


I can revoke a cert seemingly fine:
matt at Matthews-iMac in ~
$ curl -k -X PUT -H "Content-Type: text/pson" --data '{"desired_state":"revoked"}' https://provisions:8140/production/certificate_status/<CERTNAME>
null%

(I then check and see that cert as revoked)

But then trying to actually delete the cert (so that the client can regenerate and be autosigned when it does its first run, which we do IN kickstart) fails:

matt at Matthews-iMac in ~
{"stacktrace":["/usr/lib/ruby/site_ruby/1.8/puppet/network/http/route.rb:72:in `process'","/usr/lib/ruby/site_ruby/1.8/puppet/network/http/handler.rb:63:in `process'","/usr/lib/ruby/site_ruby/1.8/puppet/util/profiler/none.rb:6:in `profile'","/usr/lib/ruby/site_ruby/1.8/puppet/util/profiler.rb:43:in `profile'","/usr/lib/ruby/site_ruby/1.8/puppet/network/http/handler.rb:61:in `process'","/usr/lib/ruby/site_ruby/1.8/puppet/network/http/rack.rb:21:in `call'","/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.7/lib/phusion_passenger/rack/request_handler.rb:96:in `process_request'","/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.7/lib/phusion_passenger/abstract_request_handler.rb:513:in `accept_and_process_next_request'","/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.7/lib/phusion_passenger/abstract_request_handler.rb:274:in `main_loop'","/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.7/lib/phusion_passenger/rack/application_spawner.rb:205:in `start_request_handler'","/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.7/lib/phusion_passenger/rack/application_spawner.rb:170:in `send'","/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.7/lib/phusion_passenger/rack/application_spawner.rb:170:in `handle_spawn_application'","/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.7/lib/phusion_passenger/utils.rb:479:in `safe_fork'","/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.7/lib/phusion_passenger/rack/application_spawner.rb:165:in `handle_spawn_application'","/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.7/lib/phusion_passenger/abstract_server.rb:357:in `__send__'","/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.7/lib/phusion_passenger/abstract_server.rb:357:in `server_main_loop'","/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.7/lib/phusion_passenger/abstract_server.rb:206:in `start_synchronously'","/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.7/lib/phusion_passenger/abstract_server.rb:180:in `start'","/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.7/lib/phusion_passenger/rack/application_spawner.rb:128:in 
`start'","/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.7/lib/phusion_passenger/spawn_manager.rb:253:in `spawn_rack_application'","/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.7/lib/phusion_passenger/abstract_server_collection.rb:132:in `lookup_or_add'","/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.7/lib/phusion_passenger/spawn_manager.rb:246:in `spawn_rack_application'","/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.7/lib/phusion_passenger/abstract_server_collection.rb:82:in `synchronize'","/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.7/lib/phusion_passenger/abstract_server_collection.rb:79:in `synchronize'","/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.7/lib/phusion_passenger/spawn_manager.rb:244:in `spawn_rack_application'","/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.7/lib/phusion_passenger/spawn_manager.rb:137:in `spawn_application'","/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.7/lib/phusion_passenger/spawn_manager.rb:275:in `handle_spawn_application'","/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.7/lib/phusion_passenger/abstract_server.rb:357:in `__send__'","/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.7/lib/phusion_passenger/abstract_server.rb:357:in `server_main_loop'","/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.7/lib/phusion_passenger/abstract_server.rb:206:in `start_synchronously'","/usr/lib64/ruby/gems/1.8/gems/passenger-3.0.7/helper-scripts/passenger-spawn-server:99"],"issue_kind":"RUNTIME_ERROR","message":"Server Error: undefined method `each' for nil:NilClass"}%


Our passenger setup isn't anything exotic...

Anyone have any thoughts/ideas? I'll also take implementation ideas for how to do this from a remote system (just one), in other ways...


--
Matthew Nicholson

Ramin K

Apr 25, 2014, 5:15:37 PM
to puppet...@googlegroups.com
I did it by giving the application that revokes and deletes its own
cert to use and authorized it. I suspect delete might not be allowed by
default.

I wrote our method up here,
https://ask.puppetlabs.com/question/3347/revoke-and-delete-cert-via-the-rest-api/

Ramin
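
Added example, not part of either post and not Puppet's own code: the revoke-then-delete sequence from the thread, sent with a dedicated client certificate that the CA authorizes, rather than `curl -k`. The SSL file paths, the `DRY_RUN` switch, the function names and the auth.conf host name are assumptions; the auth.conf stanza in the comments uses Puppet 3.x syntax.

```shell
#!/bin/sh
# Added example: revoke, then delete, a node certificate on a Puppet 3.x CA
# with a dedicated client certificate instead of `curl -k`.
# Assumed (not from the thread): SSL_DIR layout, DRY_RUN switch, function names.
#
# The CA has to authorize that client certificate's name for the endpoint,
# for example in its auth.conf (the allowed name below is a placeholder):
#   path /certificate_status
#   auth yes
#   method find, save, destroy
#   allow provisioner.example.com

CA_HOST="${CA_HOST:-provisions}"
SSL_DIR="${SSL_DIR:-/etc/provisioner/ssl}"

# Accept only hostname-like certnames so the value cannot change the URL path.
valid_certname() {
  case "$1" in
    ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Call the certificate_status endpoint over mutually authenticated TLS.
# With DRY_RUN=1 the command line is printed instead of executed.
ca_request() {
  method="$1"; certname="$2"; shift 2
  valid_certname "$certname" || { echo "invalid certname: $certname" >&2; return 2; }
  set -- curl --silent --show-error --fail \
    --cacert "$SSL_DIR/ca.pem" \
    --cert "$SSL_DIR/client.pem" --key "$SSL_DIR/client.key" \
    -X "$method" -H "Accept: pson" "$@" \
    "https://$CA_HOST:8140/production/certificate_status/$certname"
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Revoke first, then delete, as the thread does to emulate `puppet cert clean`.
cert_clean() {
  ca_request PUT "$1" -H "Content-Type: text/pson" \
    --data '{"desired_state":"revoked"}' || return $?
  ca_request DELETE "$1"
}

# Run only when a certname is given on the command line.
if [ "$#" -gt 0 ]; then cert_clean "$1"; fi
```

Setting `DRY_RUN=1` prints the two curl command lines without contacting the CA, which is a quick way to check the URL and certificate paths before wiring this into a provisioning trigger.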
