Hi again,
I also tried to set allow-unauthenticated: true for rule "puppetlabs cert
status" and that worked.
Now I was able to sign the csr.
And sorry, puppetserver ca list now also works.
Yours Henri
Am Donnerstag, 20. September 2018 00:58:06 UTC+2 schrieb Simon Tideswell:
>
> Hello
>
> I've upgraded a test server from Puppet 5.5 to Puppet 6 and the upgrade
> was quite seamless.
>
> However post upgrade the puppetserver ca command does not work: it yields
> 403 denied errors. In auth.conf the new Puppet Server has elements like ...
> allow: {
> extensions: {
> pp_cli_auth: "true"
> }
> }
> There's presumably the requirement to recreate the Puppet Server's own
> certificate with the additional extensions - but this doesn't appear to be
> documented anywhere? I've worked around this by using a simpler "allow"
> stanza including the Puppet Server's own certificate and it works, but it'd
> be nice if the post-upgrade requirement (of re-minting the certificate) was
> identified in the documentation. I can't say that recreating the
> certificate with the extension really seems to offer any obvious advantage
> over just using the server's own certname to be honest?
>
> Simon
>
> On Wednesday, September 19, 2018 at 2:33:05 AM UTC+10, Maggie Dreyer wrote:
>>
>> Hello!
>>
>> As you may know, we are about to release Puppet 6. This release contains *a
>> major update to the command line tools* that are used to interact with
>> Puppet's CA and certificates. The update makes the commands much faster and
>> more reliable, removes duplication, and makes the interface easier to
>> understand. However, this means that *some scripts and workflows will
>> have to be updated*.
>>
>> *What is getting removed:*
>> * puppet cert
>> * puppet ca
>> * puppet certificate
>> * puppet certificate_request
>> *puppet certificate_revocation_list
>>
>> *What is new:*
>> * puppetserver ca <https://github.com/puppetlabs/puppetserver-ca-cli>
>> (for CA tasks like signing and revoking certs)
>> * puppet ssl (for agent-side tasks like submitting a CSR and fetching a
>> cert, though these steps will still usually be taken care of by an agent
>> run)
>>
>> We have been making updates to beaker and various test suites to account
>> for this change. If you use Beaker to do any CA or certificate interaction
>> in your tests, you will need to make some updates to test against Puppet 6:
>> 1) Update to Beaker 4 and beaker-puppet 1. The latest release of both of
>> these projects contains updates for these CA changes. Details
>> <https://github.com/puppetlabs/beaker/blob/master/docs/how_to/upgrade_from_3_to_4.md>
>> .
>> 2) Update any tests or pre-suites that use one of the removed commands to
>> use the equivalent new command instead. For details, invoke `puppet cert`
>> in Puppet 6 for help output containing the mapping of old commands to new
>> alternatives. We will have docs pages up soon with this info.
>>
>> *The most recent Puppet 6 builds on puppet nightlies
>> <http://nightlies.puppetlabs.com/> have these updates if you would like to
>> try them out ahead of the release.*
>>
>> Please feel free to reach out to us if you have any further questions or
>> feedback.
>>
>> Thanks!
>>
>
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/9c901fae-18fb-4a76-91ad-b6cd35b761ef%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
