revoke / delete node certificate from puppet ca remotely?

1,754 views
Skip to first unread message

Jason McMahan

unread,
Aug 17, 2017, 8:23:10 AM8/17/17
to Puppet Users
Good morning,
We installed a puppet agent on our citrix mgmt servers. 
The problem became that the way it is done a golden image is used, server_dev. Once sealed that spins off multiple other servers for stage and prod environments.

We want to know about the servers, ensure they are in configuration and not drifting between rebuilds and keep reports for a history on them.

The idea was to once they are done stop the service (not disable), delete the ssl directory, then revoke and delete the cert on the puppetca.


Has anyone else attempt to revoke and delete cert remotely from the puppetca?

We are attempting a curl command like 
curl -X DELETE   --tlsv1   --cacert /etc/puppetlabs/puppet/ssl/certs/ca.pem   --cert /etc/puppetlabs/puppet/ssl/certs/server.pem    --key /etc/puppetlabs/puppet/ssl/private_keys/server.pem   -H "Accept: application/json"   -H "Content-Type: application/json"   -d '{"desired_state":"revoked"}'   https://puppetcat:8140/puppet-ca/v1/certificate_status/server?environment=production

But everytime we get forbidden 403 whether running curl command from remote server or even the puppetca itself. 
Attemped to add ip to  /etc/puppetlabs/puppetserver/conf.d/puppetserver.conf as well as /etc/puppetlabs/puppetserver/conf.d/ca.conf but still same error.


Any help or suggestions would be greatly appreciated.
Thank you

Martin Alfke

unread,
Aug 17, 2017, 11:00:42 AM8/17/17
to puppet...@googlegroups.com
You must allow access to puppet ca api via auth.conf

Check the following links:
https://docs.puppet.com/puppet/5.0/config_file_auth.html
https://docs.puppet.com/puppetserver/latest/config_file_auth.html

hth,
Martin

Jason McMahan

unread,
Aug 23, 2017, 2:16:34 PM8/23/17
to Puppet Users
Thank you Martin,
Still running into problems.

I must not be using correct certificate most likely.

Appreciate the response. 

Fabrice Bacchella

unread,
Aug 24, 2017, 3:06:22 AM8/24/17
to puppet...@googlegroups.com
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/11d449ab-9cdc-4eb0-b5bd-d6e570aae211%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Randy Zagar

unread,
Jul 14, 2020, 7:22:40 PM7/14/20
to Puppet Users
Did you ever get this to work?  I used a similar method in an engineering lab where systems regularly got re-imaged and, hence, needed to be able to revoke and clean their own cert on the puppet-ca

Jeffrey Watts

unread,
Jul 15, 2020, 9:03:31 AM7/15/20
to puppet...@googlegroups.com
I use a different scheme for doing this in our environment.  When I reimage physical hardware I use an unattended Kickstart script that does the following:

* Saves an private key to /tmp/puppetkey via a here document (allows me to embed it into the script and SSH wants it as a file)
* Uses SSH with '-i /tmp/puppetkey' to connect to the puppetmaster.  The command passed is the FQDN of the system to be reinstalled.
* On the Puppetmaster, I set up an authorized_keys entry for that key that prepends command="/opt/puppetlabs/bin/puppet node clean $SSH_ORIGINAL_COMMAND".  This restricts SSH to only running that command for connections involving that key.  It will pass the command argument (the FQDN) along as $SSH_ORIGINAL_COMMAND.

Now, this all assumes that you're not on a public network and thus are comfortable using services such as SSH in this fashion.  I haven't tried the curl method.  My only concern is whether or not curl exists in installation images.  SSH almost always does.

Hope this helps someone.  

Jeffrey.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/8c9be388-990e-4d02-a376-b1d1dca394c9o%40googlegroups.com.

Justin Stoller

unread,
Jul 15, 2020, 12:49:58 PM7/15/20
to puppet...@googlegroups.com
In Puppet 6 and the latest Puppet 5 releases we shipped a subcommand with Puppet Server `puppetserver ca` and an agent local subcommand `puppet ssl` that can remotely manage the CA or manage an agent's local certificate info respectively. These tools exist in Puppet 5 and and replaces the several competing certificate related cli tools in Puppet 6.

Running `puppetserver ca revoke --certname server` from the Puppet Server should let someone revoke a cert from the CLI in Puppet 6. On a different host that command would return a 403 because the auth system expects the user attempting the request to have a pp_cli_auth extension in their cert. Here's that auth rule: https://github.com/puppetlabs/puppetserver/blob/master/ezbake/config/conf.d/auth.conf#L60-L73

If you wanted a node to be able to manage it's own certificate you might be able to do something more like how we auth catalog access:
That line makes it so only the node whose name matches a segment in the url can access it. Additional docs for that file and what it can do are here: https://github.com/puppetlabs/trapperkeeper-authorization/blob/master/doc/authorization-config.md#rules

hth,
Justin

--
Reply all
Reply to author
Forward
0 new messages