/etc/puppetlabs/puppetserver/conf.d/auth.conf : want to use wildcards in certificate_request section


chris

Apr 18, 2017, 2:03:35 AM
to Puppet Users
Hi guys,

So I'm trying to restrict requests from known domains, e.g.

  
 { # Allow nodes to request a new certificate match-request: { path: "/puppet-ca/v1/certificate_request" type: path method: [get, put] } allow: [ "*.dev.XXX.com", "*.dev.YYY.com" ] sort-order: 500 name: "puppetlabs csr" },



having read the Puppet docs on HOCON-style files, including arrays, wildcards, etc.

However, when I try to use this, I get

Client:
Error: Could not request certificate: Error 403 on SERVER: Forbidden request: /puppet-ca/v1/certificate_request/a.b.com (method :get). Please see the server logs for details.



Server:
2017-04-13 03:20:42,855 ERROR [qtp1106686223-70] [p.t.a.rules] Forbidden request: 10.112.19.76 access to /puppet-ca/v1/certificate_request/a.b.com (method :get) (authenticated: false) denied by rule 'puppetlabs csr'.



Server version is 2.7.0 (puppet v4).

Can anybody help?

Thanks
Chris
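
As an added example (not from the thread), here is a small Python parser for the puppetserver denial line quoted above: it pulls out the requested certname from the CSR path and reports that the rule denied a request that was not authenticated, which a CSR from a node that holds no certificate yet always is. The sample log lines are constructed; the second one is unrelated filler to show non-matching lines are skipped.

```python
import re
from collections import Counter

# Shape of the denial line logged by [p.t.a.rules] (trapperkeeper-authorization)
# in the post above; anchored so that unrelated log lines do not match.
DENIAL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) ERROR \[(?P<thread>[^\]]+)\] \[p\.t\.a\.rules\] "
    r"Forbidden request: (?P<ip>\S+) access to (?P<path>\S+) "
    r"\(method :(?P<method>\w+)\) \(authenticated: (?P<auth>true|false)\) "
    r"denied by rule '(?P<rule>[^']+)'\.$"
)
CSR_PREFIX = "/puppet-ca/v1/certificate_request/"

def parse_denial(line):
    """Return a dict for one denial line, or None if the line is something else."""
    m = DENIAL_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["authenticated"] = d.pop("auth") == "true"
    # For CSR requests the last path segment is the certname the node asked for.
    d["certname"] = d["path"][len(CSR_PREFIX):] if d["path"].startswith(CSR_PREFIX) else None
    return d

def summarize(lines):
    """Count denials per (rule, authenticated) and list unauthenticated CSR denials."""
    by_rule = Counter()
    unauth_csr = []
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        by_rule[(d["rule"], d["authenticated"])] += 1
        if d["certname"] and not d["authenticated"]:
            unauth_csr.append((d["ip"], d["certname"]))
    return by_rule, unauth_csr

# Constructed sample: the line from the post plus one unrelated INFO line.
SAMPLE_LOG = """\
2017-04-13 03:20:42,855 ERROR [qtp1106686223-70] [p.t.a.rules] Forbidden request: 10.112.19.76 access to /puppet-ca/v1/certificate_request/a.b.com (method :get) (authenticated: false) denied by rule 'puppetlabs csr'.
2017-04-13 03:20:43,001 INFO  [qtp1106686223-71] [puppetserver] Compiled catalog for db01.dev.example.com in environment production in 1.23 seconds
"""

if __name__ == "__main__":
    rules, csrs = summarize(SAMPLE_LOG.splitlines())
    for (rule, auth), n in rules.items():
        print(f"rule {rule!r}: {n} denial(s), authenticated={auth}")
    for ip, name in csrs:
        print(f"CSR for {name} from {ip} was denied while unauthenticated")
```

Run it against `tail -f` of the puppetserver log to see, per rule, whether the denials are hitting authenticated or unauthenticated clients.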

Martin Alfke

Apr 18, 2017, 3:31:22 AM
to puppet...@googlegroups.com

> On 18 Apr 2017, at 08:03, chris <chris...@gmail.com> wrote:
>
> Hi guys,
>
> So I'm trying to restrict requests from known domains, e.g.
>
>
>   {
>     # Allow nodes to request a new certificate
>     match-request: {
>       path: "/puppet-ca/v1/certificate_request"
>       type: path
>       method: [get, put]
>     }
>     allow: [ "*.dev.XXX.com", "*.dev.YYY.com" ]
>     sort-order: 500
>     name: "puppetlabs csr"
>   },
>
Did you restart puppetserver after doing the change?

>
>
> having read the Puppet docs on HOCON-style files, including arrays, wildcards, etc.
>
> However, when I try to use this, I get
>
> Client:
> Error: Could not request certificate: Error 403 on SERVER: Forbidden request: /puppet-ca/v1/certificate_request/a.b.com (method :get). Please see the server logs for details.
>
>
>
> Server:
> 2017-04-13 03:20:42,855 ERROR [qtp1106686223-70] [p.t.a.rules] Forbidden request: 10.112.19.76 access to /puppet-ca/v1/certificate_request/a.b.com (method :get) (authenticated: false) denied by rule 'puppetlabs csr'.
>
>
>
> Server version is 2.7.0 (puppet v4).
>
> Can anybody help?
>
> Thanks
> Chris
>

chris

Apr 18, 2017, 6:15:01 PM
to Puppet Users


On Tuesday, 18 April 2017 17:31:22 UTC+10, Martin Alfke wrote:

> On 18 Apr 2017, at 08:03, chris <chris...@gmail.com> wrote:
>
> Hi guys,
>
> So I'm trying to restrict requests from known domains, e.g.
>
>
>   {
>     # Allow nodes to request a new certificate
>     match-request: {
>       path: "/puppet-ca/v1/certificate_request"
>       type: path
>       method: [get, put]
>     }
>     allow: [ "*.dev.XXX.com", "*.dev.YYY.com" ]
>     sort-order: 500
>     name: "puppetlabs csr"
>   },
>
Did you restart puppetserver after doing the change?
Absolutely :)