Puppet Sever 6 upgrade on Enterprise Linux 7.6 issue
39 views
Skip to first unread message
jmp242
Mar 4, 2019, 3:43:25 PM3/4/19
to Puppet Users
I've upgraded from puppetserver 5, and after doing so I've gotten an error trying to clean a certificate.
This worked, for this node, before the updated with puppetserver 5.
I'm not able to find anything by google - any ideas?
Per the "new method", I've tried
puppet node clean fqdnThis worked, for this node, before the updated with puppetserver 5.
However, after the update I now get an error:
puppet node clean fqdn
WARN: Unresolved specs during Gem::Specification.reset: facter (< 4, >= 2.0.1)WARN: Clearing out unresolved specs.Please report a bug if this causes problems.Error: When attempting to revoke certificate 'fqdn', received:Error: code: 403Error: body: Forbidden request: /puppet-ca/v1/certificate_status/fqdn (method :put). Please see the server logs for details.fqdnI'm not able to find anything by google - any ideas?
Justin Stoller
Mar 4, 2019, 4:56:49 PM3/4/19
to puppet...@googlegroups.com
The new ca tool (which is one of the things node clean is calling under the hood) uses the CA's http api in most cases and requires special permissions. By default, the api now only allows access to most certificate endpoints by clients that contain a special cert extension. You can create a cert for "foo" with that extension by running `puppetserver ca generate --ca-client --certname=foo` (note this is one the few commands that requires your server to be offline). If you don't or can't generate a ca client cert you can add an explict certname that you want to be your ca-client to the "allow" blocks in the tk auth.conf.
See: https://puppet.com/docs/puppet/6.3/puppet_server_ca_cli.html for more info.
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/dc6b8ba8-32dd-4ec5-90ff-719673c8498f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
jmp242
Mar 5, 2019, 7:49:11 AM3/5/19
to Puppet Users
So, I don't want to regenerate my CA master certificate, i.e. I don't want to manually replace all the CA certificate file on all my clients. If the ca generate is for the puppetserver AGENT certificate, i.e. only used on one computer, I can do that. But the docs aren't clear to me which it's talking about.
Martin Alfke
Mar 5, 2019, 8:04:21 AM3/5/19
to puppet...@googlegroups.com
Maybe our blog can shed some light on this:
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/3199dff4-f956-4e80-8f15-9d3a8faccc78%40googlegroups.com.
Justin Stoller
Mar 5, 2019, 11:39:30 AM3/5/19
to puppet...@googlegroups.com
The CA is one cert, the master and agent share another, so you wouldn't need to rekey everything, however you can also just whitelist your master cert in the file described here: https://puppet.com/docs/puppetserver/6.2/config_file_auth.html
However, Martin's blog posts are excellent, you should probably just follow what whatever they say, tbh.
- Justin
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/EFD0AD71-9FA1-4C08-8FFA-F625BD160706%40gmail.com.
Reply all
Reply to author
Forward
0 new messages