On Mon, Nov 21, 2011 at 11:21 PM, Nick Lewis <n...@puppetlabs.com> wrote:
> On Mon, Nov 21, 2011 at 9:01 PM, Carl Caum <c...@puppetlabs.com> wrote:
> > I have a question about using the inventory service's REST API. I have
> > this code: http://pastie.org/2901445
> >
> > It uses the default OpenSSL::SSL::VERIFY_PEER but the peer certificate
> > auth fails. I believe it's because I'm not using
> > the puppet agent's certificate to connect to the master. How do I do
> > that?
> >
> > This is relevant auth.conf section:
> >
> > path /facts
> > auth yes
> > method find, search
> > allow puppetagent.localdomain
> >
> > I get this from the response:
> > Forbidden request: localhost.localdomain(127.0.0.1) access to
> > /facts/search [search] at line 98
> >
> > I get this error regardless if I don't auth and allow all in the
> > auth.conf
> >
>
> It definitely looks like it's not reading the agent's cert, or it
> would say authenticated. This is probably because you're using the
> default run mode of user, when you mean to be using agent, so you're
> getting the default certname, for which you have no cert. If you
> implement this as a face, setting run mode is easy. Otherwise, you can
> try setting $puppet_application_mode = Puppet::Util::RunMode[:agent]
> and see if that works. Alternately, you could set certname and server
> in the [user] section of your puppet.conf.
>

I went ahead and made the code into a face and yes, it's sending the correct certificate now. However, I'm getting a 'Forbidden Request' error:

Denying access: Forbidden request: puppetagent.localdomain(127.0.0.1) access to /facts/search [search] authenticated at line 98

Yet, I'm allowing search to everything in /facts. Same error if I do 'path /facts/search'

path /facts
auth yes
method find, search
allow puppetagent.localdomain

> > - Carl Caum
> > (615) 653-0887

--
You received this message because you are subscribed to the Google Groups "Puppet Developers" group.
To post to this group, send email to puppet-dev@googlegroups.com.
To unsubscribe from this group, send email to puppet-dev+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-dev?hl=en.