error signing certs
195 views
Skip to first unread message
Kay Nettle
Nov 30, 2018, 10:35:14 AM11/30/18
to puppet...@googlegroups.com
I updated the puppetserver on a bionic machine to 6.0.2-1bionic and I
can no longer sign certs. I get this error:
Error:
code: 403
body: Forbidden request: /puppet-ca/v1/certificate_statuses/any_key
(method :get). Please see the server logs for details.
The logfile says:
2018-11-30T09:01:59.715-06:00 ERROR [qtp1960551078-72] [p.t.a.rules]
Forbidden request: hostname(XXX.XX.XXX.XXX) access to
/puppet-ca/v1/certificate_statuses/any_key (method :get) (authenticated:
true) denied by rule 'puppetlabs cert status'.
The puppetlabs cert status of the auth.conf is the default:
# Allow the CA CLI to access the certificate_status endpoint
match-request: {
path: "/puppet-ca/v1/certificate_status"
type: path
method: [get, put]
}
allow: {
extensions: {
pp_cli_auth: "true"
}
}
sort-order: 500
name: "puppetlabs cert status"
},
I tried adding ip_host at the beginning of the match-request and that
didn't help. Anyone have any advice on how to fix the problem?
Thanks,
Kay
can no longer sign certs. I get this error:
Error:
code: 403
body: Forbidden request: /puppet-ca/v1/certificate_statuses/any_key
(method :get). Please see the server logs for details.
The logfile says:
2018-11-30T09:01:59.715-06:00 ERROR [qtp1960551078-72] [p.t.a.rules]
Forbidden request: hostname(XXX.XX.XXX.XXX) access to
/puppet-ca/v1/certificate_statuses/any_key (method :get) (authenticated:
true) denied by rule 'puppetlabs cert status'.
The puppetlabs cert status of the auth.conf is the default:
# Allow the CA CLI to access the certificate_status endpoint
match-request: {
path: "/puppet-ca/v1/certificate_status"
type: path
method: [get, put]
}
allow: {
extensions: {
pp_cli_auth: "true"
}
}
sort-order: 500
name: "puppetlabs cert status"
},
I tried adding ip_host at the beginning of the match-request and that
didn't help. Anyone have any advice on how to fix the problem?
Thanks,
Kay
Martin Alfke
Nov 30, 2018, 10:58:11 AM11/30/18
to puppet...@googlegroups.com
> On 30. Nov 2018, at 16:35, Kay Nettle <p...@cs.utexas.edu> wrote:
>
> I updated the puppetserver on a bionic machine to 6.0.2-1bionic and I
> can no longer sign certs. I get this error:
>
> Error:
> code: 403
> body: Forbidden request: /puppet-ca/v1/certificate_statuses/any_key
> (method :get). Please see the server logs for details.
Within Puppetserver the ca management is available via an API call.
When upgrading, you must add your puppetmaster certname to the allow section.
see: https://www.example42.com/2018/10/08/puppet6-ca-upgrading/
hth,
Martin
>
> The logfile says:
>
> 2018-11-30T09:01:59.715-06:00 ERROR [qtp1960551078-72] [p.t.a.rules]
> Forbidden request: hostname(XXX.XX.XXX.XXX) access to
> /puppet-ca/v1/certificate_statuses/any_key (method :get) (authenticated:
> true) denied by rule 'puppetlabs cert status'.
>
> The puppetlabs cert status of the auth.conf is the default:
>
> # Allow the CA CLI to access the certificate_status endpoint
> match-request: {
> path: "/puppet-ca/v1/certificate_status"
> type: path
> method: [get, put]
> }
> allow: {
> extensions: {
> pp_cli_auth: "true"
> }
> }
> sort-order: 500
> name: "puppetlabs cert status"
> },
>
> I tried adding ip_host at the beginning of the match-request and that
> didn't help. Anyone have any advice on how to fix the problem?
>
> Thanks,
> Kay
>
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/201811301535.wAUFZ5cr005652%40texas-tea.cs.utexas.edu.
> For more options, visit https://groups.google.com/d/optout.
Kay Nettle
Nov 30, 2018, 12:09:04 PM11/30/18
to puppet...@googlegroups.com
Thanks for the pointer! That fixed the problem.
Kay
> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/F901EEB0-467A-42E4-80C9-D9956C9F7C72%40gmail.com.
Kay
Reply all
Reply to author
Forward
0 new messages