Delete a client's certificate with curl no longer working?

asked 2014-05-07 05:09:56 -0500

tmartensson

updated 2014-05-12 04:53:45 -0500

When deploying openvz images, we use an init-script to delete Puppet's ssl directory and then run a curl command that deletes the certificate from the puppet server:

curl -k -X DELETE -H "Accept: pson" "https://puppet.example.com:8140/production/certificate_status/client.example.com"

After upgrading to puppet 3.5.1 this stopped working. I have read that I need to revoke the certificate first, and that works:

curl -k -X PUT -H "Content-Type: text/pson" --data '{"desired_state":"revoked"}' https://puppet.example.com:8140/production/certificate_status/client.example.com

I have verified that the certificate gets revoked on the server:

[root@puppet ~]# puppet cert list client.example.com
- "client.example.com" (SHA256) A9:FD:2D:C3:E4:7C:84:12:9C:D0:B2:4C:F2:81:AB:A0:BE:9C:A4:40:A7:8E:4A:6A:D8:E0:A4:D7:10:A9:4B:E2 (certificate revoked)

After this, the documentation says that I should run the DELETE command described above but that fails (using | sed for readability):

curl -k -X DELETE -H "Accept: pson" https://puppet.example.com:8140/production/certificate_status/client.example.com | sed 's/,/\n/g'
{"issue_kind":"RUNTIME_ERROR"
"message":"Server Error: undefined method `each' for nil:NilClass"
"stacktrace":["/usr/lib/ruby/site_ruby/1.8/puppet/network/http/route.rb:72:in `process'"
"/usr/lib/ruby/site_ruby/1.8/puppet/network/http/handler.rb:63:in `process'"
"/usr/lib/ruby/site_ruby/1.8/puppet/util/profiler/none.rb:6:in `profile'"
"/usr/lib/ruby/site_ruby/1.8/puppet/util/profiler.rb:43:in `profile'"
"/usr/lib/ruby/site_ruby/1.8/puppet/network/http/handler.rb:61:in `process'"
"/usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick/rest.rb:31:in `service'"
"/usr/lib/ruby/1.8/webrick/httpserver.rb:104:in `service'"
"/usr/lib/ruby/1.8/webrick/httpserver.rb:65:in `run'"
"/usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:36:in `listen'"
"/usr/lib/ruby/1.8/webrick/server.rb:173:in `call'"
"/usr/lib/ruby/1.8/webrick/server.rb:173:in `start_thread'"
"/usr/lib/ruby/1.8/webrick/server.rb:162:in `start'"
"/usr/lib/ruby/1.8/webrick/server.rb:162:in `start_thread'"
"/usr/lib/ruby/1.8/webrick/server.rb:95:in `start'"
"/usr/lib/ruby/1.8/webrick/server.rb:92:in `each'"
"/usr/lib/ruby/1.8/webrick/server.rb:92:in `start'"
"/usr/lib/ruby/1.8/webrick/server.rb:23:in `start'"
"/usr/lib/ruby/1.8/webrick/server.rb:82:in `start'"
"/usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:30:in `listen'"
"/usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:29:in `initialize'"
"/usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:29:in `new'"
"/usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:29:in `listen'"
"/usr/lib/ruby/site_ruby/1.8/puppet/network/server.rb:27:in `start'"
"/usr/lib/ruby/site_ruby/1.8/puppet/daemon.rb:139:in `start'"
"/usr ...

Comments

Hmm, you could try and run the master with --trace, see if that yields another backtrace, because I disbelieve that the trace from the agent side can help getting to the bottom of this one.

ffrank (2014-05-08 05:27:27 -0500)

Running the master with 'puppet master --trace --no-daemonize --debug --verbose' did not produce any more output than in the example above.

tmartensson (2014-05-08 14:06:52 -0500)

You may wish to raise this as a bug then.

ffrank (2014-05-13 06:32:34 -0500)

1 Answer


answered 2014-05-15 00:16:42 -0500

tmartensson

updated 2014-05-27 05:37:42 -0500


Update: This has been fixed in version 3.6.1.


Adding DELETE in /usr/lib/ruby/site_ruby/1.8/puppet/network/http/route.rb (CentOS 6), as suggested by Paul Beltrani in issue PUP-2516, solved the issue for me.

@@ -16,7 +16,8 @@
       :HEAD => [MethodNotAllowedHandler],
       :OPTIONS => [MethodNotAllowedHandler],
       :POST => [MethodNotAllowedHandler],
-      :PUT => [MethodNotAllowedHandler]
+      :PUT => [MethodNotAllowedHandler],
+      :DELETE => [MethodNotAllowedHandler]
     }
     @chained = []
   end
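
Review bot: the method table is still a hand-maintained list of verbs, which is how `:DELETE` came to be missing beside `:HEAD`, `:OPTIONS`, `:POST` and `:PUT`; a lookup for a missing key returning nil is consistent with the "undefined method `each' for nil:NilClass" raised from route.rb:72 in the question. A spec that sends every verb the server accepts through a route with no handler, and expects a method-not-allowed response rather than an exception, would keep this from regressing. Note also that this edits a packaged file under /usr/lib/ruby/site_ruby, so a package update will overwrite it; since the fix is reported as shipped in 3.6.1, upgrading is preferable to carrying the local change.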

Now I can delete the certificate on the puppet master from the client using curl:

[root@client ~]# curl -k -X DELETE -H "Accept: pson" https://puppet.example.com:8140/production/certificate_status/client.example.com
"Deleted for client.example.com: Puppet::SSL::Certificate"
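
The revoke-then-delete sequence from this thread, as an added example that is not part of the original question or answer. curl exits 0 whatever the HTTP status unless the status is checked, so an init script running the bare commands cannot see a failure like the RUNTIME_ERROR response; this version checks the status and verifies the master's certificate instead of using -k. Assumptions: `CA_FILE` and its path are hypothetical, the master reports failures with a non-2xx status, and the master already authorises these calls as it did for the commands above.

```shell
#!/bin/sh
# Added example, not from the original post. Assumption: CA_FILE is a copy of
# the master's CA certificate kept outside the ssl directory that the init
# script deletes (hypothetical path).
PUPPET_MASTER="${PUPPET_MASTER:-puppet.example.com}"
PUPPET_ENV="${PUPPET_ENV:-production}"
CA_FILE="${CA_FILE:-/etc/puppet-bootstrap/ca.pem}"

# cert_api METHOD CERTNAME [extra curl args]
# Prints the response body; returns 0 only when the master answers 2xx.
cert_api() {
    method=$1; certname=$2; shift 2
    # The certname becomes part of the URL path, so accept hostnames only.
    case "$certname" in
        ''|*[!A-Za-z0-9._-]*)
            echo "refusing certname '$certname'" >&2; return 1 ;;
    esac
    url="https://${PUPPET_MASTER}:8140/${PUPPET_ENV}/certificate_status/${certname}"
    # --cacert verifies the master instead of -k; -w appends the HTTP status
    # as a final line so it can be split from the body below.
    out=$(curl -sS --cacert "$CA_FILE" -X "$method" \
               -w '\n%{http_code}' "$@" "$url") || return 2
    status=$(printf '%s\n' "$out" | tail -n 1)
    printf '%s\n' "$out" | sed '$d'
    case "$status" in
        2??) return 0 ;;
        *)   echo "$method $certname: HTTP $status" >&2; return 1 ;;
    esac
}

# Revoke first, then delete; stop at the first step that fails.
clean_cert() {
    cert_api PUT "$1" -H "Content-Type: text/pson" \
        --data '{"desired_state":"revoked"}' >/dev/null || return 1
    cert_api DELETE "$1" -H "Accept: pson"
}
```

Calling `clean_cert client.example.com` from the init script gives a non-zero exit status when either step fails, which the script can log or retry on.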