Ask Your Question

Puppet v4 HOCON style auth.conf : want to use array with wildcard values

asked 2017-04-12 23:31:59 -0600

cm01 gravatar image

updated 2017-04-17 21:41:26 -0600

binford2k gravatar image

Hi Guys,

I'm trying to use a wildcard list of domains to allow CSRs eg

    # Allow nodes to request a new certificate
    match-request: {
        path: "/puppet-ca/v1/certificate_request"
        type: path
        method: [get, put]
    allow: [ "*", "*" ]
    sort-order: 500
    name: "puppetlabs csr"

Ref for array example and the server log file insists that you use double-quotes around "*" based values.

However, when I try this, I still get (client)

Error: Could not request certificate: Error 403 on SERVER: Forbidden request: /puppet-ca/v1/certificate_request/ (method :get). Please see the server logs for details.


2017-04-13 03:20:42,855 ERROR [qtp1106686223-70] [p.t.a.rules] Forbidden request: access to /puppet-ca/v1/certificate_request/ (method :get) (authenticated: false) denied by rule 'puppetlabs csr'.

I've googled a lot, but can't find any examples; surely I'm not the only one who needs this.


New server msg after removing 'get' from auth.conf

2017-04-17 23:31:09,830 ERROR [qtp1816825850-77] [p.t.a.rules] Forbidden request: access to /puppet-ca/v1/certificate_request/ (method :get) (authenticated: false) denied by rule 'puppetlabs deny all'.
edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted

answered 2017-04-17 21:31:26 -0600

binford2k gravatar image

updated 2017-04-17 21:36:23 -0600

The certificate request endpoint is unauthenticated. (authenticated: false). Logically, it cannot yet be authenticated because it doesn't have a certificate to authenticate with!

You need to allow unauthenticated requests to this endpoint.

edit flag offensive delete link more


I've seen that page and 'allow-unauthenticated' is only one of 3 options. The other 2 are 'deny' and 'allow': both of which have the ability to specify what domains etc to eg 'allow'. That's what I need to get correct.

cm01 gravatar imagecm01 ( 2017-04-17 22:26:41 -0600 )edit

I believe "allow" means "allows servers whose name matches x, given that I trust that name" If someone is submitting a cert request, they don't have a cert yet, so Puppet has no way of trusting that they are who they say they are.

dylanratcliffe gravatar imagedylanratcliffe ( 2017-04-18 07:39:36 -0600 )edit

So how do I restrict who can get a Cert? This is the whole point of what I'm trying to do. The puppet docs even say ''allow-unauthenticated'' is insecure, so there must be a way??

cm01 gravatar imagecm01 ( 2017-04-18 17:45:58 -0600 )edit

You would restrict who can get a cert by signing only the certificates you want to sign. Anyone can request a cert but not all will be signed. This endpoint is only for requesting certs, the signing endpoints have much tighter security.

dylanratcliffe gravatar imagedylanratcliffe ( 2017-04-18 22:33:26 -0600 )edit

OK, that makes sense. So, I'd actually use the /etc/puppetlabs/puppet/autosign.conf for this? I'd already assumed it'd need to match anyway, and we have too much going on to sign manually.

cm01 gravatar imagecm01 ( 2017-04-19 00:36:34 -0600 )edit

answered 2017-04-13 02:00:18 -0600

greynolds gravatar image

Hummmm... Remove the method "get" as a test (if you can) Not sure if this is a production server or not? It may be a get request may work by default. It looks like this may be an internal loop issue.

I will need more logs to be sure -> What version of puppet is this? EP2016.4 or EP2017.1 ?

edit flag offensive delete link more


Tried that, just moves refusal down to last 'deny all' rule' (puppetserver.log) . Same err msg on client as above. Server is v2.7.0 (open src).

cm01 gravatar imagecm01 ( 2017-04-17 18:42:59 -0600 )edit

allow: [ "*", "*" ] sort-order: 500 -> ? What is the logic of using 500 as the number of your sort order name: "puppetlabs csr

greynolds gravatar imagegreynolds ( 2017-04-18 04:40:35 -0600 )edit

That's what the file came with - ie default as of install. As per my reply to Dylan, what I need to know right now is how to restrict which machines are allowed to request a cert. There must be a way, surely?

cm01 gravatar imagecm01 ( 2017-04-18 17:53:53 -0600 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2017-04-12 23:31:59 -0600

Seen: 161 times

Last updated: Apr 17 '17