How do I generate a certificate to use the REST API ?


Dan White

Nov 18, 2013, 8:49:01 AM
to Puppet Users Mailing List
Using Puppet 3.x

I want to tinker with the REST API, but other than basic stuff, all requests are denied because there is no certificate between my workstation and the Puppet Master.

How do I do this?

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Watterson (Calvin & Hobbes)

Dan White

Nov 18, 2013, 9:37:25 AM
to puppet...@googlegroups.com
On the puppet master:

puppet cert generate workstation.example.org

Then I copied the following from the puppet master to my workstation:
- The public and private keys for my workstation (workstation-publickey.pem / workstation-privatekey.pem)
- The certificate for my workstation (workstation-cert.pem)
- The public key for the puppet master (puppetmaster-publickey.pem)

On my workstation,

curl --insecure -H 'Accept: s' https://puppetmaster.example.org:8140/production/certificate/ca > curl-ca-bundle.crt
cat puppetmaster-publickey.pem  >> curl-ca-bundle.crt

THEN !!

curl --cert workstation-cert.pem \
     --key workstation-privatekey.pem \
     --cacert curl-ca-bundle.crt \
     -H "Accept: yaml" https://puppetmaster.example.org:8140/dev/status/devnode001.example.org

WORKED !!

I am going to bundle up everything up to the "-H" into an alias.


Dan White

Nov 18, 2013, 9:44:05 AM
to puppet...@googlegroups.com
I forgot the finishing touch:

On the puppet master: /etc/puppet/auth.conf

Added the lines:
# allow workstation REST API access
path /
allow workstation.example.org

and restarted the puppet master !

As I get familiar with the API, I would probably want to add some method restrictions.

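The method restriction mentioned in the post above could look like this in Puppet 3.x auth.conf syntax. This is an added example, not part of the original posts: it assumes the only call needed is the status lookup in the dev environment shown in the thread, and that the stanza is placed above any catch-all "path /" rule, since rules are evaluated in order and the first match applies.

```conf
# Broad rule as added in the post: every endpoint, every method,
# every environment is open to this one certname.
# path /
# allow workstation.example.org

# Scoped rule (added example): read-only access to the status
# endpoint, in the dev environment only, and only for a client that
# authenticated with its certificate.
path /status
environment dev
method find
auth yes
allow workstation.example.org
```

With the scoped rule in place of the broad one, the status request from the thread still succeeds, while save and destroy calls and requests to other endpoints from workstation.example.org fall through to the remaining rules in the file.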

Felix Frank

Nov 18, 2013, 9:49:54 AM
to puppet...@googlegroups.com
Hi,

that would work.

Couldn't you instead have just (from the agent)

1. puppet agent --one-time --certname <certname-here>

to upload a CSR, then on the master

2. sign the cert using puppet ca

and then have the agent download it via another puppet agent call?

Of course, you still need to scrounge the chain together from the
various certs cached by the agent, but it should all be there.

Cheers,
Felix

Dan White

Nov 18, 2013, 10:03:46 AM
to puppet...@googlegroups.com
There is no agent on my workstation.
That was one of the head-scratchers.

Your suggestion looks like it would work if there was an agent.

Thanks for responding.