API for sign cert 2015.3

asked 2015-12-16 04:34:59 -0500

FranzCC

I checked all the API docs but didn't find any hint on how to sign certs via the API.
Since Puppet provides Razor for bare metal, of course I want to automate all tasks without interaction.
How do I sign certs via the API?

Rgds.

Franz


4 Answers


answered 2015-12-16 11:14:04 -0500

cprice404

updated 2015-12-16 11:15:19 -0500

You can do some signing via the certificate status API:

Does that cover what you need?

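To show what "signing via the certificate status API" looks like when scripted, here is an added example client (it is not code from the question, the answers or Puppet itself). It assumes a master at a placeholder CA_HOST on port 8140, an admin client certificate whose CN is listed in the "allow" entry of the "puppetlabs certificate status" rule, and the Puppet 4 era request shapes for these endpoints (a PUT with body `{"desired_state": "signed"}` and Content-Type `text/pson`), which the thread links to but does not reproduce; the sample listing response is constructed, not captured from a server.

```python
"""Drive the Puppet CA certificate_status API from a script (list pending CSRs, sign one).

Added example for this thread; not code from the question, the answers or Puppet.
Assumptions (also labelled where used): placeholder host and certificate paths, an admin
CN that is whitelisted for the certificate_status endpoints, and the Puppet 4 CA API
request/response shapes as documented (PUT body {"desired_state": "signed"}, text/pson).
"""
import http.client
import json
import re
import ssl

CA_HOST = "puppetmaster.example.com"        # placeholder host (name taken from the log line in the thread)
CA_PORT = 8140                              # default Puppet Server port (assumption)
CLIENT_CERT = "/path/to/myadmin-cert.pem"   # placeholder: client cert whose CN is in the "allow" list
CLIENT_KEY = "/path/to/myadmin-key.pem"     # placeholder
CA_BUNDLE = "/path/to/puppet-ca.pem"        # placeholder: the Puppet CA cert, used to verify the server

# Certnames are interpolated into a URL path, so restrict them to the characters a
# Puppet certname may contain before trusting a value that came back from the CA listing.
CERTNAME_RE = re.compile(r"^[a-z0-9][a-z0-9._-]*$")


def valid_certname(name):
    return bool(CERTNAME_RE.match(name))


def list_request(state="requested"):
    """(method, path, headers, body) for listing certificates in the given state."""
    return ("GET", f"/puppet-ca/v1/certificate_statuses/any_key?state={state}",
            {"Accept": "text/pson"}, None)


def sign_request(certname):
    """(method, path, headers, body) asking the CA to sign one pending CSR."""
    if not valid_certname(certname):
        raise ValueError(f"refusing to build a request for certname {certname!r}")
    body = json.dumps({"desired_state": "signed"})
    return ("PUT", f"/puppet-ca/v1/certificate_status/{certname}",
            {"Content-Type": "text/pson"}, body)


def pending_certnames(body_text):
    """Names whose state is 'requested' in a certificate_statuses response, sorted."""
    entries = json.loads(body_text)
    return sorted(e["name"] for e in entries if e.get("state") == "requested")


def send(req):
    """Send one request with mutual TLS; returns (HTTP status, response text)."""
    method, path, headers, body = req
    ctx = ssl.create_default_context(cafile=CA_BUNDLE)   # verify the master against the Puppet CA
    ctx.load_cert_chain(CLIENT_CERT, CLIENT_KEY)          # authenticate as the whitelisted CN
    conn = http.client.HTTPSConnection(CA_HOST, CA_PORT, context=ctx)
    try:
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


# Constructed sample of a certificate_statuses listing (not captured from a real server),
# so the parsing can be exercised without a master.
SAMPLE_STATUS_RESPONSE = json.dumps([
    {"name": "node1.example.com", "state": "requested", "fingerprint": "AA:BB", "dns_alt_names": []},
    {"name": "puppetmaster.example.com", "state": "signed", "fingerprint": "CC:DD", "dns_alt_names": []},
])


if __name__ == "__main__":
    status, text = send(list_request())
    if status != 200:
        raise SystemExit(f"listing CSRs failed: HTTP {status}: {text}")
    for name in pending_certnames(text):
        # Sign only names in the domain being provisioned, not every CSR the CA has received.
        if name.endswith(".example.com"):
            print(name, *send(sign_request(name)))
```

The client certificate, not the caller's IP address, is what the master authorizes, so the script runs under whichever CN you whitelisted. The domain check before signing is the one safeguard worth keeping even in a fully automated Razor workflow: listing and signing everything in "requested" state would turn the CA into an auto-signer for any host that can reach port 8140.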

answered 2015-12-17 14:17:33 -0500

camlow325

updated 2015-12-17 14:20:50 -0500

Rather than modifying the "auth.conf" file directly, it would be better to configure the Puppet Enterprise module's client_whitelist parameter with the set of administrative nodes that you want to add to the rule that it already manages for the certificate_status* endpoints.

Ideally, you should be able to do this in the PE Console by navigating to Nodes -> Classification -> PE Certificate Authority -> Classes, selecting client_whitelist in the "Parameter" dropdown under the puppet_enterprise::profile::certificate_authority class, entering a "Value" to the right of it like ["myadmin"], pressing "Add Parameter", pressing "Commit 1 change", and then having a Puppet agent run occur on your master node. That would modify the built-in "auth.conf" rule to have:

    {
        "allow" : [
            "pe-internal-dashboard",
            "myadmin"
        ],
        "match-request" : {
            "method" : [
                "get",
                "put",
                "delete"
            ],
            "path" : "/puppet-ca/v1/certificate_status",
            "query-params" : {},
            "type" : "path"
        },
        "name" : "puppetlabs certificate status",
        "sort-order" : 500
    }

Unfortunately, however, there is a defect in current PE releases where if you had set a parameter under the certificate_authority class and also set a parameter under the PE Master -> puppet_enterprise::profile::master class, subsequent Puppet agent runs on the master node could encounter this error:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Duplicate declaration: Class[Puppet_enterprise::Profile::Master] is already declared; cannot redeclare on node ...

To avoid this problem, it would be safer at least for now to configure this parameter via a Hiera configuration file that the PE module will reference when it is run. For example, you could put the following in the ".../environments/production/hieradata/common.yaml" file:

 puppet_enterprise::profile::certificate_authority::client_whitelist:
 - 'myadmin'

With this in place, the same modification as above should be made to the "auth.conf" file after the next agent run on the master has occurred.

Another thing to consider, too, is that the ".../puppetserver/conf.d/auth.conf" file does not support the ability to express a node via its IP address, as you had done in your example. Instead, you would need to use the Common Name (CN) from the SSL client certificate of the node that you want to grant access to the certificate_status* endpoints.


Comments

Hi,
sorry for the late answer, but I was on a well-deserved vacation.
Sorry to say that your solution didn't work out.
I found one file, which I don't know if it's active:
File: /etc/puppetlabs/puppetdb/certificate-whitelist
I use the dashboard cert, which works.
Rgds Franz

FranzCC (2016-01-14 08:10:20 -0500)

answered 2016-11-18 06:30:55 -0500

abasu

Add the node IP/FQDN inside the "allow" of the "puppetlabs certificate status" section:

$ cat /etc/puppetlabs/puppetserver/conf.d/auth.conf | grep sample-node.com -A 15 -B 3
    {
        "allow" : [
            "pe-internal-dashboard",
            "sample-node.com"
        ],
        "match-request" : {
            "method" : [
                "get",
                "put",
                "delete"
            ],
            "path" : "/puppet-ca/v1/certificate_status",
            "query-params" : {},
            "type" : "path"
        },
        "name" : "puppetlabs certificate status",
        "sort-order" : 500
    }

Restart the pe-puppetserver service

$ puppet resource service pe-puppetserver ensure=stopped
$ puppet resource service pe-puppetserver ensure=running

I hope this solution will help you for REST API automation. Please refer to https://docs.puppet.com/puppet/latest...api/httpcertificate_status.html for API commands.

Regards,

Arunava

(srearu@yahoo.co.in)


answered 2015-12-17 01:35:40 -0500

FranzCC

Hi, thanks for the response.
I had overlooked the chapter on signing.
Nevertheless, the certificate status API is only available to the dashboard (auth.conf).
I didn't manage to allow a remote request.
Is there a comprehensive guide on how to enable certificate status remotely?
Right now, the request is denied.
E.g.:
Forbidden request: puppetmaster.example.com(192.168.1.1) access to /puppet-ca/v1/certificatestatuses/:anykey (method :get) (authenticated: true) denied by rule 'puppetlabs certificate status'

I have to figure out how to allow this particular request remotely.

Will this setting work?

    {
        "allow_ip": "192.168.1.2",
        "match-request" : {
            "method" : [
                "get",
                "put",
                "delete"
            ],
            "path" : "/puppet-ca/v1/certificate/",
            "query-params" : {},
            "type" : "path"
        },
        "name" : "puppetlabs certificate remote",
        "sort-order" : 515
    }

Thanks in advance

Franz

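A way to answer "will this setting work?" before touching a live master is to evaluate the rules offline. The following is an added example, not code from this thread and not Puppet Server's real authorization engine: it models only the rule features the quoted auth.conf snippets use ("match-request" with "type": "path" treated as a path-prefix match, "method", "path", an "allow" list of client-certificate CNs, and "sort-order", lower first). Keys it does not know, such as the "allow_ip" in the proposed rule, are ignored, and a rule with no "allow" list admits nobody. The rule set is constructed from the two rules shown in the thread.

```python
"""Evaluate auth.conf-style rules offline to see which certificate CNs can reach the
certificate_status endpoints before opening them up.

Added example; neither the thread's own code nor Puppet Server's real evaluator. It models
only the rule features quoted in the thread: "match-request" with "type": "path" (a path
prefix), "method" and "path"; "allow" as a list of client-certificate CNs; "sort-order".
Unknown keys (e.g. "allow_ip") are ignored: a rule without "allow" admits nobody.
"""

# Constructed rule set: the "puppetlabs certificate status" rule as shown after "myadmin"
# was added through client_whitelist, plus the proposed "puppetlabs certificate remote" rule.
RULES = [
    {
        "allow": ["pe-internal-dashboard", "myadmin"],
        "match-request": {
            "method": ["get", "put", "delete"],
            "path": "/puppet-ca/v1/certificate_status",
            "query-params": {},
            "type": "path",
        },
        "name": "puppetlabs certificate status",
        "sort-order": 500,
    },
    {
        "allow_ip": "192.168.1.2",          # not a key this evaluator understands
        "match-request": {
            "method": ["get", "put", "delete"],
            "path": "/puppet-ca/v1/certificate/",
            "query-params": {},
            "type": "path",
        },
        "name": "puppetlabs certificate remote",
        "sort-order": 515,
    },
]


def rule_matches(rule, method, path):
    """True when the request method and path fall under the rule's match-request."""
    mr = rule["match-request"]
    if mr.get("type") != "path":      # only the form used in the thread is modelled
        return False
    methods = mr.get("method", [])
    if isinstance(methods, str):
        methods = [methods]
    return method.lower() in [m.lower() for m in methods] and path.startswith(mr["path"])


def decide(rules, method, path, client_cn):
    """(allowed, rule name) from the first matching rule in sort order; no match denies."""
    ordered = sorted(rules, key=lambda r: (r.get("sort-order", 0), r.get("name", "")))
    for rule in ordered:
        if rule_matches(rule, method, path):
            # Authorization is by client-certificate CN; an IP address is never consulted.
            allowed = client_cn is not None and client_cn in rule.get("allow", [])
            return allowed, rule["name"]
    return False, None


def audit(rules, requests):
    """One verdict line per (method, path, cn) triple, in the spirit of the denial log line."""
    out = []
    for method, path, cn in requests:
        allowed, name = decide(rules, method, path, cn)
        verdict = "allowed" if allowed else "denied"
        out.append(f"{cn or '<unauthenticated>'} {method} {path}: {verdict} by rule {name!r}")
    return out


if __name__ == "__main__":
    for line in audit(RULES, [
        ("GET", "/puppet-ca/v1/certificate_status/node1.example.com", "pe-internal-dashboard"),
        ("PUT", "/puppet-ca/v1/certificate_status/node1.example.com", "myadmin"),
        ("GET", "/puppet-ca/v1/certificate_statuses/any_key", "192.168.1.2"),
        ("GET", "/puppet-ca/v1/certificate/node1.example.com", "myadmin"),
    ]):
        print(line)
```

Two things fall out of running it. A path prefix of `/puppet-ca/v1/certificate_status` also covers `/puppet-ca/v1/certificate_statuses/...`, which is why the denial in the log line above names the rule 'puppetlabs certificate status' rather than falling through to a later rule. And the proposed rule never admits anyone, because the only identity it checks is the CN in the "allow" list, consistent with the note in camlow325's answer that auth.conf expresses nodes by certificate CN, not IP address.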

Stats

Asked: 2015-12-16 04:34:59 -0500

Seen: 401 times

Last updated: Nov 18 '16