Thanks, I wasted about 60 mins before finding this after monkeying about
trying to fix my CA. Trying test upgrade from 4.2.2 to 6.0.1 in a split
environment. Wish me luck. Thanks again!
Mike
On Monday, October 1, 2018 at 10:27:41 PM UTC-5, Simon Tideswell wrote:
>
> Hello Henri
>
> I suspect you've already had this answered, but I just replaced the
> offending stanza ...
>     allow: {
>         extensions: {
>             pp_cli_auth: "true"
>         }
>     }
> with
>     allow: "the.fqdn.of.my.puppetserver"
>
> I actually have a number of Puppet servers serving different clients and
> so the auth.conf is managed by an ERB template and so the above is
> actually ...
>     allow: "<%= @fqdn -%>"
> ... in my template file.
>
> Simon
>
> On Fri, Sep 28, 2018 at 2:12 AM <[email protected]> wrote:
>
>> Hi,
>>
>> @Simon: Could you please describe how you solved that problem?
>>
>> I already invested hours to at least find the reason for the problem that
>> "puppetserver ca list" gives me a 403 Forbidden, but couldn't solve it
>> until now.
>> And unfortunately this thread is the only document I could find on
>> Google which refers to "pp_cli_auth".
>>
>> Simply replacing ...
>>     allow: {
>>         extensions: {
>>             pp_cli_auth: "true"
>>         }
>>     }
>> by ...
>>     allow-unauthenticated: true
>> ... did not work for me.
>>
>> That's a real big problem because we can't create new VMs for our
>> customers now until it is documented how to deal with this issue.
>>
>> Many thanks in advance,
>> yours Henri
>>
>> On Thursday, 20 September 2018 00:58:06 UTC+2, Simon Tideswell wrote:
>>>
>>> Hello
>>>
>>> I've upgraded a test server from Puppet 5.5 to Puppet 6 and the upgrade
>>> was quite seamless.
>>>
>>> However post upgrade the puppetserver ca command does not work: it
>>> yields 403 denied errors. In auth.conf the new Puppet Server has elements
>>> like ...
>>>     allow: {
>>>         extensions: {
>>>             pp_cli_auth: "true"
>>>         }
>>>     }
>>> There's presumably the requirement to recreate the Puppet Server's own
>>> certificate with the additional extensions - but this doesn't appear to be
>>> documented anywhere? I've worked around this by using a simpler "allow"
>>> stanza including the Puppet Server's own certificate and it works, but it'd
>>> be nice if the post-upgrade requirement (of re-minting the certificate) was
>>> identified in the documentation. I can't say that recreating the
>>> certificate with the extension really seems to offer any obvious advantage
>>> over just using the server's own certname to be honest?
>>>
>>> Simon
>>>
>>> On Wednesday, September 19, 2018 at 2:33:05 AM UTC+10, Maggie Dreyer
>>> wrote:
>>>>
>>>> Hello!
>>>>
>>>> As you may know, we are about to release Puppet 6. This release
>>>> contains *a major update to the command line tools* that are used to
>>>> interact with Puppet's CA and certificates. The update makes the commands
>>>> much faster and more reliable, removes duplication, and makes the
>>>> interface easier to understand. However, this means that *some scripts and
>>>> workflows will have to be updated*.
>>>>
>>>> *What is getting removed:*
>>>> * puppet cert
>>>> * puppet ca
>>>> * puppet certificate
>>>> * puppet certificate_request
>>>> * puppet certificate_revocation_list
>>>>
>>>> *What is new:*
>>>> * puppetserver ca <https://github.com/puppetlabs/puppetserver-ca-cli>
>>>> (for CA tasks like signing and revoking certs)
>>>> * puppet ssl (for agent-side tasks like submitting a CSR and fetching a
>>>> cert, though these steps will still usually be taken care of by an agent
>>>> run)
>>>>
>>>> We have been making updates to beaker and various test suites to
>>>> account for this change. If you use Beaker to do any CA or certificate
>>>> interaction in your tests, you will need to make some updates to test
>>>> against Puppet 6:
>>>> 1) Update to Beaker 4 and beaker-puppet 1. The latest release of both
>>>> of these projects contains updates for these CA changes. Details
>>>> <https://github.com/puppetlabs/beaker/blob/master/docs/how_to/upgrade_from_3_to_4.md>
>>>> .
>>>> 2) Update any tests or pre-suites that use one of the removed commands
>>>> to use the equivalent new command instead. For details, invoke
>>>> `puppet cert` in Puppet 6 for help output containing the mapping of old
>>>> commands to new alternatives. We will have docs pages up soon with this info.
>>>>
>>>> *The most recent Puppet 6 builds on puppet nightlies
>>>> <http://nightlies.puppetlabs.com/> have these updates if you would like to
>>>> try them out ahead of the release.*
>>>>
>>>> Please feel free to reach out to us if you have any further questions
>>>> or feedback.
>>>>
>>>> Thanks!
>>>>
>>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/puppet-users/16046491-82af-4321-93cc-c5a32f3385a3%40googlegroups.com
>> For more options, visit https://groups.google.com/d/optout.
>>
>
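Added example, not part of the thread and not Puppet Server's own code: a simplified Python model of the auth.conf "allow" matching discussed above, showing why a server certificate issued before the upgrade gets a 403 from the pp_cli_auth rule while the certname rule lets it through. The certificate dictionaries and the agent hostname are constructed, and the model covers only exact certname strings and extension maps.

```python
"""Simplified model of matching an auth.conf `allow` entry against a client
certificate. Illustration only; real rule evaluation has more features."""

SERVER = "the.fqdn.of.my.puppetserver"  # placeholder certname used in the thread

# Constructed sample certificates (only the fields this model looks at).
OLD_SERVER = {"certname": SERVER, "extensions": {}}                     # issued before the upgrade
REMINTED = {"certname": SERVER, "extensions": {"pp_cli_auth": "true"}}  # re-issued with the extension
AGENT = {"certname": "agent01.example.com", "extensions": {}}           # hypothetical ordinary agent

# The two `allow` forms from the thread, written as Python data.
DEFAULT_RULE = {"allow": {"extensions": {"pp_cli_auth": "true"}}}
WORKAROUND_RULE = {"allow": SERVER}


def entry_matches(entry, cert):
    """entry is a certname string or a dict with 'certname' and/or 'extensions'."""
    if isinstance(entry, str):
        return entry == cert["certname"]
    if "certname" in entry and entry["certname"] != cert["certname"]:
        return False
    # Every extension named in the rule must be on the cert with that value.
    for name, wanted in entry.get("extensions", {}).items():
        if cert["extensions"].get(name) != wanted:
            return False
    return True


def decide(rule, cert):
    """Return 200 when any allow entry matches the certificate, else 403."""
    allow = rule["allow"]
    entries = allow if isinstance(allow, list) else [allow]
    return 200 if any(entry_matches(e, cert) for e in entries) else 403


def matrix():
    """HTTP status for each (rule, certificate) pair."""
    rules = {"default": DEFAULT_RULE, "workaround": WORKAROUND_RULE}
    certs = {"old_server": OLD_SERVER, "reminted": REMINTED, "agent": AGENT}
    return {(r, c): decide(rules[r], certs[c]) for r in rules for c in certs}


if __name__ == "__main__":
    for (rule, cert), status in sorted(matrix().items()):
        print(f"{rule:10s} {cert:10s} -> {status}")
```

In this model the certname rule ties CA administration to one named host certificate, while the extension rule admits any certificate the CA issued with pp_cli_auth set.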