Puppet API for Unsigned Certs


Danny Roberts

Jul 22, 2014, 4:20:53 PM
to puppet...@googlegroups.com
I'm trying to use the Puppet API in our monitoring to check for and alert on any unsigned certificates that might be waiting in Puppet.

As per http://docs.puppetlabs.com/guides/rest_api.html#certificate-status I should be able to use something like:

curl --cert /var/lib/puppet/ssl/certs/sql2.ourcompany.com.pem  --key /var/lib/puppet/ssl/private_keys/sql2.ourcompany.com.pem --cacert /var/lib/puppet/ssl/certs/ca.pem -H 'Accept: pson' https://puppet.ourcompanyhosting.co.uk:8140/production/certificate_statuses/no_key

However that errors:

Forbidden request: sql2.ourcompany.com(xx.xxx.xxx.xx) access to /certificate_status/no_key [search] authenticated  at :119

As far as I can see I should only be getting this response if I am not providing the required SSL certs. However as this is not the case I am at a loss.

Any ideas what is causing the issue? If this information can be pruned from PuppetDB instead I'd be happy to use that instead as we already have a PuppetDB instance running (I had a look through the PuppetDB API and could not see anything that did this).

Martin Alfke

Jul 23, 2014, 3:20:26 AM
to puppet...@googlegroups.com
Hi Danny,

Look into puppet auth.conf.
You need to allow the requesting server access to certificate_status.

hth,

Martin

Danny Roberts

Jul 23, 2014, 2:40:32 PM
to puppet...@googlegroups.com
Thanks that certainly sorts out the authentication problem.

Turns out I'm using the wrong API call for what I require though. I'm after the equivalent of running "puppet cert list" and not "puppet cert list --all" like the API call I was trying to do.

I think http://docs.puppetlabs.com/guides/rest_api.html#certificate-request is for this but every time I try the first curl example I get:

Not Acceptable: No supported formats are acceptable (Accept: yaml)

It doesn't matter which format I try they all report this.

I checked the documentation as well at https://github.com/puppetlabs/puppet/blob/master/api/docs/http_certificate_request.md

The "Search" stuff in that doc does not seem to work for me either.

Andy Parker

Jul 23, 2014, 4:16:57 PM
to puppet...@googlegroups.com
On Wed, Jul 23, 2014 at 11:40 AM, Danny Roberts <dannyrober...@googlemail.com> wrote:
> Thanks that certainly sorts out the authentication problem.
>
> Turns out I'm using the wrong API call for what I require though. I'm after the equivalent of running "puppet cert list" and not "puppet cert list --all" like the API call I was trying to do.
>
> I think http://docs.puppetlabs.com/guides/rest_api.html#certificate-request is for this but every time I try the first curl example I get:
>
> Not Acceptable: No supported formats are acceptable (Accept: yaml)
>
> It doesn't matter which format I try they all report this.
>
> I checked the documentation as well at https://github.com/puppetlabs/puppet/blob/master/api/docs/http_certificate_request.md
>
> The "Search" stuff in that doc does not seem to work for me either.


You are getting that response because yaml isn't supported for this. You need to specify an Accept of "s" (Accept: s). See https://github.com/puppetlabs/puppet/blob/master/api/docs/http_certificate_request.md#supported-response-formats
 

--
Andrew Parker
Freenode: zaphod42
Twitter: @aparker42
Software Developer


Danny Roberts

Jul 23, 2014, 4:40:40 PM
to puppet...@googlegroups.com
In which case I get this error:

# curl -k -H 'Accept: s' https://puppet.mycompanyhosting.co.uk:8140/production/certificate_requests/all
NilClass does not respond to to_multiple_s; can not intern multiple instances to text/plainr
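
Added example (not from the thread and not Puppet's own code): a monitoring check that reduces a certificate_statuses response to the entries in the "requested" state, which is the equivalent of "puppet cert list" rather than "puppet cert list --all". It assumes the JSON fields name, state and dns_alt_names from Puppet's certificate_status documentation; the sample response, host names and exit-code mapping are constructed for illustration.

```python
import json

# Constructed sample of a certificate_statuses response body (not real hosts).
SAMPLE_RESPONSE = """[
 {"name": "web1.example.test", "state": "signed", "dns_alt_names": []},
 {"name": "db9.example.test", "state": "requested", "dns_alt_names": []},
 {"name": "puppet.example.test", "state": "requested", "dns_alt_names": ["DNS:puppet"]},
 {"name": "old.example.test", "state": "revoked", "dns_alt_names": []}
]"""

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # Nagios-style plugin exit codes


def pending_requests(body):
    """Return the records whose state is 'requested' (unsigned CSRs)."""
    records = json.loads(body)
    if not isinstance(records, list):
        raise ValueError("expected a JSON list of certificate status records")
    return [r for r in records if isinstance(r, dict) and r.get("state") == "requested"]


def check(body):
    """Map a response body to (exit_code, message) for a monitoring plugin."""
    try:
        pending = pending_requests(body)
    except ValueError as exc:
        # Covers non-JSON bodies such as a plain-text "Forbidden request" error.
        return UNKNOWN, "UNKNOWN: unparseable response (%s)" % exc
    if not pending:
        return OK, "OK: no unsigned certificate requests"
    names = ", ".join(sorted(r.get("name", "?") for r in pending))
    # A CSR that asks for alternative names needs closer review before signing,
    # because the signed certificate would be valid for those extra names too.
    with_alt = sorted(r.get("name", "?") for r in pending if r.get("dns_alt_names"))
    if with_alt:
        return CRITICAL, "CRITICAL: %d pending (%s); alt names requested by: %s" % (
            len(pending), names, ", ".join(with_alt))
    return WARNING, "WARNING: %d pending (%s)" % (len(pending), names)


if __name__ == "__main__":
    code, message = check(SAMPLE_RESPONSE)
    print(message)
    raise SystemExit(code)
```

In use, the body passed to check() would be the output of the authenticated curl call from the first post, made with a client certificate that auth.conf allows to query certificate_status.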