On Sunday, June 28, 2015 at 10:49:21 AM UTC-7, Mikhail Simin wrote:
>
> I'm using Puppet 3.7.3 and I observe this strange behavior when using the 
> API to sign a certificate:
>
>
> ==> /var/log/apache.log <==
>> Jun 28 17:18:07.000000 prod-puppetca apache: 127.0.0.1 prod-puppetca:8140 
>> - - [28/Jun/2015:17:18:03 +0000] "PUT 
>> /production/certificate_request/prod-clientbox HTTP/1.1" 200 1582 "-" 
>> "python-requests/2.7.0 CPython/2.7.6 Linux/3.13.0-46-generic"
>>
>> ==> /var/log/daemon.log <==
>> Jun 28 17:18:03.000000 prod-puppetca puppet-master[27451]: prod-clientbox 
>> has a waiting certificate request
>> Jun 28 17:18:07.000000 prod-puppetca puppet-master[27451]: Signed 
>> certificate request for prod-clientbox
>> Jun 28 17:18:07.000000 prod-puppetca puppet-master[27451]: Removing file 
>> Puppet::SSL::CertificateRequest prod-clientbox at 
>> '/var/lib/puppet/ssl/ca/requests/prod-clientbox.pem'
>
>  
> For some reason a single PUT call to `certificate_request/` signs the CSR 
> and then also removes it!
>
>
> Under normal circumstances (when the CSR does not get removed) I have a 
> follow-up API call for `certificate_status/` with 
> {"desired_state":"signed"} passed in. However, when the CSR is removed, this 
> no longer works because Puppet refuses with the following message: 
>
>
> Cannot sign for host prod-clientbox without a certificate request
>
>
> Why does the CSR get removed with the same API call that uploads it?
>

It sounds like you have autosign[1] enabled. Check /etc/puppet/puppet.conf 
or in the script that starts your CA.

Josh

[1] https://docs.puppetlabs.com/references/latest/configuration.html#autosign
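
An added example (not part of the reply above and not Puppet's own code): an offline check of whether a given certname would be signed as soon as its CSR is uploaded, assuming the Puppet 3.x meaning of the `autosign` setting (`true`, `false`, or a path to a whitelist file). The sample configuration, whitelist entries and function names are constructed, and the glob matching is a simplification of Puppet's.

```python
# Added example: offline audit of Puppet 3.x autosign settings.
# SAMPLE_* values are constructed for illustration, not taken from the thread.
SAMPLE_PUPPET_CONF = """\
[main]
    logdir = /var/log/puppet
[master]
    autosign = /etc/puppet/autosign.conf
"""
SAMPLE_AUTOSIGN_CONF = """\
# constructed whitelist
*.example.internal
prod-clientbox
"""

def autosign_setting(conf_text, default="/etc/puppet/autosign.conf"):
    """Return the effective autosign value; [master] overrides [main]."""
    section, found = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line and section in ("main", "master"):
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "autosign":
                found[section] = value
    return found.get("master", found.get("main", default))

def whitelist_matches(certname, whitelist_text):
    """Simplified matching: exact name, or a leading '*.' glob on the domain."""
    name = certname.lower()
    for raw in whitelist_text.splitlines():
        entry = raw.strip().lower()
        if not entry or entry.startswith("#"):
            continue
        if entry == name or (entry.startswith("*.") and name.endswith(entry[1:])):
            return True
    return False

def would_autosign(certname, conf_text, whitelist_text=""):
    """True if the CA would sign this CSR on upload, with no certificate_status call."""
    value = autosign_setting(conf_text)
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    # Otherwise the value is a path; it is treated here as a whitelist file
    # (an executable policy script at that path is not evaluated).
    return whitelist_matches(certname, whitelist_text)

if __name__ == "__main__":
    print(would_autosign("prod-clientbox", SAMPLE_PUPPET_CONF, SAMPLE_AUTOSIGN_CONF))
```

Run against the real `puppet.conf` and whitelist contents, a `True` result for a certname means the separate `certificate_status/` signing call is being bypassed for that host.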
