Thanks for the pointer! That fixed the problem. Kay
> > On 30. Nov 2018, at 16:35, Kay Nettle <[email protected]> wrote: > > > > I updated the puppetserver on a bionic machine to 6.0.2-1bionic and I > > can no longer sign certs. I get this error: > > > > Error: > > code: 403 > > body: Forbidden request: /puppet-ca/v1/certificate_statuses/any_key > > (method :get). Please see the server logs for details. > > With Puppet 6 the certificate management was moved from Puppet agent to > puppet server. > Within Puppetserver the ca management is available via an API call. > When upgrading, you must add your puppetmaster certname to the allow section. > see: https://www.example42.com/2018/10/08/puppet6-ca-upgrading/ > > hth, > Martin > > > > > The logfile says: > > > > 2018-11-30T09:01:59.715-06:00 ERROR [qtp1960551078-72] [p.t.a.rules] > > Forbidden request: hostname(XXX.XX.XXX.XXX) access to > > /puppet-ca/v1/certificate_statuses/any_key (method :get) (authenticated: > > true) denied by rule 'puppetlabs cert status'. > > > > The puppetlabs cert status of the auth.conf is the default: > > > > # Allow the CA CLI to access the certificate_status endpoint > > match-request: { > > path: "/puppet-ca/v1/certificate_status" > > type: path > > method: [get, put] > > } > > allow: { > > extensions: { > > pp_cli_auth: "true" > > } > > } > > sort-order: 500 > > name: "puppetlabs cert status" > > }, > > > > I tried adding ip_host at the beginning of the match-request and that > > didn't help. Anyone have any advice on how to fix the problem? > > > > Thanks, > > Kay > > > > -- > > You received this message because you are subscribed to the Google Groups > > "Puppet Users" group. > > To unsubscribe from this group and stop receiving emails from it, send an > > email to [email protected]. > > To view this discussion on the web visit > > https://groups.google.com/d/msgid/puppet-users/201811301535.wAUFZ5cr005652%40texas-tea.cs.utexas.edu. > > For more options, visit https://groups.google.com/d/optout. > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/puppet-users/F901EEB0-467A-42E4-80C9-D9956C9F7C72%40gmail.com. > For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/201811301708.wAUH8qH2013142%40texas-tea.cs.utexas.edu. For more options, visit https://groups.google.com/d/optout.
