Thank you very much Maggie, 1) did the job the right way. Perfect :-)
Yours Henri

On Thursday, 27 September 2018 18:19:37 UTC+2, Maggie Dreyer wrote:
>
> Here are a few options that should work:
>
> 1) whitelist the master's certname (which is more secure than
> allow-unauthenticated anyway). See the example at the bottom of this
> section <https://puppet.com/docs/puppetserver/6.0/subcommands.html#ca> in
> the docs.
> 2) Another community member also created
> https://github.com/smortex/puppet-add-cli-auth-to-certificate yesterday,
> which adds the auth extension to your master cert.
>
> For all of these things, *it's important to remember to restart your
> server.* The auth.conf file in particular won't be reloaded until you
> restart the server.
>
> Let me know if you can't get any of this to work.
>
> On Thu, Sep 27, 2018 at 9:12 AM <[email protected]> wrote:
>
>> Hi,
>>
>> @Simon: Could you please describe how you solved that problem?
>>
>> I already invested hours to at least find the reason for the problem that
>> "puppetserver ca list" gives me a 403 Forbidden, but couldn't solve it
>> until now.
>> And unfortunately this thread is the only document I could find on
>> google which refers to "pp_cli_auth".
>>
>> Simply replacing ...
>> allow: {
>>     extensions: {
>>         pp_cli_auth: "true"
>>     }
>> }
>> by ...
>> allow-unauthenticated: true
>> ... did not work for me.
>>
>> That's a real big problem because we can't create new VMs for our
>> customers now until it will be documented how to deal with this issue.
>>
>> Many thanks in advance,
>> yours Henri
>>
>> On Thursday, 20 September 2018 00:58:06 UTC+2, Simon Tideswell wrote:
>>>
>>> Hello
>>>
>>> I've upgraded a test server from Puppet 5.5 to Puppet 6 and the upgrade
>>> was quite seamless.
>>>
>>> However post upgrade the puppetserver ca command does not work: it
>>> yields 403 denied errors. In auth.conf the new Puppet Server has elements
>>> like ...
>>> allow: {
>>>     extensions: {
>>>         pp_cli_auth: "true"
>>>     }
>>> }
>>> There's presumably the requirement to recreate the Puppet Server's own
>>> certificate with the additional extensions - but this doesn't appear to be
>>> documented anywhere? I've worked around this by using a simpler "allow"
>>> stanza including the Puppet Server's own certificate and it works, but it'd
>>> be nice if the post-upgrade requirement (of re-minting the certificate) was
>>> identified in the documentation. I can't say that recreating the
>>> certificate with the extension really seems to offer any obvious advantage
>>> over just using the server's own certname to be honest?
>>>
>>> Simon
>>>
>>> On Wednesday, September 19, 2018 at 2:33:05 AM UTC+10, Maggie Dreyer
>>> wrote:
>>>>
>>>> Hello!
>>>>
>>>> As you may know, we are about to release Puppet 6. This release
>>>> contains *a major update to the command line tools* that are used to
>>>> interact with Puppet's CA and certificates. The update makes the commands
>>>> much faster and more reliable, removes duplication, and makes the
>>>> interface easier to understand. However, this means that *some scripts
>>>> and workflows will have to be updated*.
>>>>
>>>> *What is getting removed:*
>>>> * puppet cert
>>>> * puppet ca
>>>> * puppet certificate
>>>> * puppet certificate_request
>>>> * puppet certificate_revocation_list
>>>>
>>>> *What is new:*
>>>> * puppetserver ca <https://github.com/puppetlabs/puppetserver-ca-cli>
>>>> (for CA tasks like signing and revoking certs)
>>>> * puppet ssl (for agent-side tasks like submitting a CSR and fetching a
>>>> cert, though these steps will still usually be taken care of by an agent
>>>> run)
>>>>
>>>> We have been making updates to beaker and various test suites to
>>>> account for this change. If you use Beaker to do any CA or certificate
>>>> interaction in your tests, you will need to make some updates to test
>>>> against Puppet 6:
>>>> 1) Update to Beaker 4 and beaker-puppet 1. The latest release of both
>>>> of these projects contains updates for these CA changes. Details
>>>> <https://github.com/puppetlabs/beaker/blob/master/docs/how_to/upgrade_from_3_to_4.md>.
>>>> 2) Update any tests or pre-suites that use one of the removed commands
>>>> to use the equivalent new command instead. For details, invoke `puppet
>>>> cert` in Puppet 6 for help output containing the mapping of old commands
>>>> to new alternatives. We will have docs pages up soon with this info.
>>>>
>>>> *The most recent Puppet 6 builds on puppet nightlies
>>>> <http://nightlies.puppetlabs.com/> have these updates if you would like to
>>>> try them out ahead of the release.*
>>>>
>>>> Please feel free to reach out to us if you have any further questions
>>>> or feedback.
>>>>
>>>> Thanks!
>>>>

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/8b20ec32-f83a-4ea3-ab7f-5342d89dc21f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
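
Option 1 from the thread above, written out as an added example (it is not taken from the original posts or from the Puppet documentation): the rule that demands the `pp_cli_auth` extension, beside a replacement that allows only the server's own certname. The certname `puppet.example.com` is a placeholder, and the `match-request`, `sort-order` and `name` values are assumed to match the rules already present in your installed auth.conf; compare them before editing.

```hocon
# BEFORE (assumed stock rule): only a client certificate carrying the
# pp_cli_auth extension is authorized, so a server certificate issued
# before the upgrade gets 403 from "puppetserver ca".
{
    match-request: {
        path: "/puppet-ca/v1/certificate_status"
        type: path
        method: [get, put, delete]
    }
    allow: {
        extensions: {
            pp_cli_auth: "true"
        }
    }
    sort-order: 500
    name: "puppetlabs cert status"
},

# AFTER: authorize exactly one certname (placeholder value). Requests must
# still present a certificate signed by the CA, unlike
# allow-unauthenticated: true, which would open the endpoint to any client.
{
    match-request: {
        path: "/puppet-ca/v1/certificate_status"
        type: path
        method: [get, put, delete]
    }
    allow: "puppet.example.com"   # placeholder: the server's own certname
    sort-order: 500
    name: "puppetlabs cert status"
},
# Assumption: the list endpoint has its own rule and needs the same change,
# otherwise "puppetserver ca list" keeps returning 403.
{
    match-request: {
        path: "/puppet-ca/v1/certificate_statuses"
        type: path
        method: get
    }
    allow: "puppet.example.com"   # placeholder: the server's own certname
    sort-order: 500
    name: "puppetlabs cert statuses"
},
# auth.conf is only read at startup: restart the server after editing.
```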
