Hello Henri

I suspect you've already had this answered, but I just replaced the
offending stanza ...
allow: {
     extensions: {
          pp_cli_auth: "true"
      }
}
with
allow: "the.fqdn.of.my.puppetserver"

I actually have a number of Puppet servers serving different clients and so
the *auth.conf* is managed by an ERB template and so the above is actually
...
allow: "<%= @fqdn -%>"
... in my template file.

Simon

On Fri, Sep 28, 2018 at 2:12 AM <[email protected]> wrote:

> Hi,
>
> @Simon: Could you please describe how you solved that problem?
>
> I already invested hours to at least find the reason for the problem that
> "puppetserver ca list" gives me a 403 Forbidden, but couldn't solve it
> until now.
> And unfortunately this thread is the only document I could find on Google
> which refers to "pp_cli_auth".
>
> Simply replacing ...
>             allow: {
>                extensions: {
>                    pp_cli_auth: "true"
>                }
>             }
> by ...
>             allow-unauthenticated: true
> ... did not work for me.
>
> That's a real big problem because we can't create new VMs for our
> customers now until it will be documented how to deal with this issue.
>
> Many thanks in advance,
> yours Henri
>
> On Thursday, 20 September 2018 at 00:58:06 UTC+2, Simon Tideswell wrote:
>>
>> Hello
>>
>> I've upgraded a test server from Puppet 5.5 to Puppet 6 and the upgrade
>> was quite seamless.
>>
>> However post upgrade the puppetserver ca command does not work: it yields
>> 403 denied errors. In auth.conf the new Puppet Server has elements like ...
>> allow: {
>>      extensions: {
>>           pp_cli_auth: "true"
>>       }
>> }
>> There's presumably the requirement to recreate the Puppet Server's own
>> certificate with the additional extensions - but this doesn't appear to be
>> documented anywhere? I've worked around this by using a simpler "allow"
>> stanza including the Puppet Server's own certificate and it works, but it'd
>> be nice if the post-upgrade requirement (of re-minting the certificate) was
>> identified in the documentation. I can't say that recreating the
>> certificate with the extension really seems to offer any obvious advantage
>> over just using the server's own certname to be honest?
>>
>> Simon
>>
>> On Wednesday, September 19, 2018 at 2:33:05 AM UTC+10, Maggie Dreyer
>> wrote:
>>>
>>> Hello!
>>>
>>> As you may know, we are about to release Puppet 6. This release contains *a
>>> major update to the command line tools* that are used to interact with
>>> Puppet's CA and certificates. The update makes the commands much faster and
>>> more reliable, removes duplication, and makes the interface easier to
>>> understand. However, this means that *some scripts and workflows will
>>> have to be updated*.
>>>
>>> *What is getting removed:*
>>> * puppet cert
>>> * puppet ca
>>> * puppet certificate
>>> * puppet certificate_request
>>> * puppet certificate_revocation_list
>>>
>>> *What is new:*
>>> * puppetserver ca <https://github.com/puppetlabs/puppetserver-ca-cli>
>>> (for CA tasks like signing and revoking certs)
>>> * puppet ssl (for agent-side tasks like submitting a CSR and fetching a
>>> cert, though these steps will still usually be taken care of by an agent
>>> run)
>>>
>>> We have been making updates to beaker and various test suites to account
>>> for this change. If you use Beaker to do any CA or certificate interaction
>>> in your tests, you will need to make some updates to test against Puppet 6:
>>> 1) Update to Beaker 4 and beaker-puppet 1. The latest release of both of
>>> these projects contains updates for these CA changes. Details
>>> <https://github.com/puppetlabs/beaker/blob/master/docs/how_to/upgrade_from_3_to_4.md>
>>> .
>>> 2) Update any tests or pre-suites that use one of the removed commands
>>> to use the equivalent new command instead. For details, invoke `puppet
>>> cert` in Puppet 6 for help output containing the mapping of old commands to
>>> new alternatives. We will have docs pages up soon with this info.
>>>
>>> *The most recent Puppet 6 builds on puppet nightlies
>>> <http://nightlies.puppetlabs.com/> have these updates if you would like to
>>> try them out ahead of the release.*
>>>
>>> Please feel free to reach out to us if you have any further questions or
>>> feedback.
>>>
>>> Thanks!
>>>
>> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/16046491-82af-4321-93cc-c5a32f3385a3%40googlegroups.com
> <https://groups.google.com/d/msgid/puppet-users/16046491-82af-4321-93cc-c5a32f3385a3%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>
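
Added example, not part of the thread and not Puppet Server's own code: a simplified Python model of the two `allow` forms discussed above, showing why a server certificate without the `pp_cli_auth` extension gets a 403 from the extension rule but is accepted by a certname rule. The hostnames and certificate contents are constructed, and matching is assumed to be exact-string only.

```python
# Simplified model (an assumption, not Puppet Server's code) of matching an
# auth.conf "allow" value against the client certificate of a request.

def allow_matches(allow, cert):
    """cert is {"certname": str, "extensions": {name: value}}."""
    if isinstance(allow, str):
        # allow: "the.fqdn.of.my.puppetserver" -> exact certname match only
        return cert["certname"] == allow
    if isinstance(allow, list):
        return any(allow_matches(entry, cert) for entry in allow)
    wanted = allow.get("extensions", {})
    # allow: { extensions: {...} } -> every listed extension must be present
    # in the certificate with exactly the listed value
    return bool(wanted) and all(
        cert["extensions"].get(name) == value for name, value in wanted.items()
    )

def status(allow, cert):
    """HTTP status the CA endpoint would answer with under this model."""
    return 200 if allow_matches(allow, cert) else 403

# Constructed sample identities (hostnames are placeholders).
SERVER_OLD_CERT = {"certname": "puppet.example.test", "extensions": {}}
SERVER_NEW_CERT = {"certname": "puppet.example.test",
                   "extensions": {"pp_cli_auth": "true"}}
AGENT_CERT = {"certname": "web01.example.test", "extensions": {}}

EXTENSION_RULE = {"extensions": {"pp_cli_auth": "true"}}
CERTNAME_RULE = "puppet.example.test"

def report():
    """Status per identity under the extension rule and the certname rule."""
    rows = []
    for label, cert in [("server, no extension", SERVER_OLD_CERT),
                        ("server, pp_cli_auth", SERVER_NEW_CERT),
                        ("ordinary agent", AGENT_CERT)]:
        rows.append((label, status(EXTENSION_RULE, cert),
                     status(CERTNAME_RULE, cert)))
    return rows

if __name__ == "__main__":
    for label, by_ext, by_name in report():
        print(f"{label:22} extension rule: {by_ext}  certname rule: {by_name}")
```

Under this model the certname rule grants CA access to whichever certificate carries that exact name, while the extension rule grants it only to certificates issued with `pp_cli_auth` set.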
