Thanks Josh, you hit the nail on the head.

Disabling autosign makes my API calls work as expected. But why does
autosign delete the CSR? The docs don't say anything about this. Can I
disable that feature somehow?
I need autosigning to be enabled for other purposes, and also be able to
invoke API calls as I do right now.

On Sun, Jun 28, 2015 at 11:16 PM, Josh Cooper <j...@puppetlabs.com> wrote:

>
> On Sunday, June 28, 2015 at 10:49:21 AM UTC-7, Mikhail Simin wrote:
>>
>> I'm using Puppet 3.7.3 and I observe this strange behavior when using the
>> API to sign a certificate:
>>
>>
>> ==> /var/log/apache.log <==
>>> Jun 28 17:18:07.000000 prod-puppetca apache: 127.0.0.1
>>> prod-puppetca:8140 - - [28/Jun/2015:17:18:03 +0000] "PUT
>>> /production/certificate_request/prod-clientbox HTTP/1.1" 200 1582 "-"
>>> "python-requests/2.7.0 CPython/2.7.6 Linux/3.13.0-46-generic"
>>>
>>> ==> /var/log/daemon.log <==
>>> Jun 28 17:18:03.000000 prod-puppetca puppet-master[27451]:
>>> prod-clientbox has a waiting certificate request
>>> Jun 28 17:18:07.000000 prod-puppetca puppet-master[27451]: Signed
>>> certificate request for prod-clientbox
>>> Jun 28 17:18:07.000000 prod-puppetca puppet-master[27451]: Removing file
>>> Puppet::SSL::CertificateRequest prod-clientbox at
>>> '/var/lib/puppet/ssl/ca/requests/prod-clientbox.pem'
>>
>>
>> For some reason a single PUT call to `certificate_request/` signs the CSR
>> and then also removes it!
>>
>>
>> Under normal circumstances (when the CSR does not get removed) I have a
>> follow-up API call for `certificate_status/` with
>> {"desired_state":"signed"} passed in. However, when the CSR is removed, this
>> no longer works because Puppet refuses with the following message:
>>
>>
>> Cannot sign for host prod-clientbox without a certificate request
>>
>>
>> Why does the CSR get removed with the same API call that uploads it?
>>
>
> It sounds like you have autosign[1] enabled. Check /etc/puppet/puppet.conf
> or in the script that starts your CA.
>
> Josh
>
> [1]
> https://docs.puppetlabs.com/references/latest/configuration.html#autosign
>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "Puppet Users" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/puppet-users/LCAuO4Wo_d8/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/5acc5158-2740-4167-9404-4651ed728bc7%40googlegroups.com
> <https://groups.google.com/d/msgid/puppet-users/5acc5158-2740-4167-9404-4651ed728bc7%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
>
> For more options, visit https://groups.google.com/d/optout.
>



-- 
Mikhail Simin, Ph.D
*Nextdoor* <http://nextdoor.com/>
The Private Social Network for Neighborhoods
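
An added example, not part of the original messages: one way for the client script to work whether or not autosign is on is to read `certificate_status/` after uploading the CSR and send `{"desired_state":"signed"}` only while the state is still `requested`. The `send` transport hook and the `FakeCA` stand-in (including its 400 status) are assumptions made for illustration; only the endpoints and the error text come from the thread.

```python
import json

def ensure_signed(certname, csr_pem, send, env="production"):
    """Upload a CSR and make sure it ends up signed, with or without autosign.

    `send(method, path, headers, body) -> (status, text)` is a hypothetical
    transport hook; in real use it wraps an authenticated HTTPS call to the CA.
    """
    status, _ = send("PUT", f"/{env}/certificate_request/{certname}",
                     {"Content-Type": "text/plain"}, csr_pem)
    if status != 200:
        raise RuntimeError(f"CSR upload failed: HTTP {status}")

    status_path = f"/{env}/certificate_status/{certname}"
    status, body = send("GET", status_path, {"Accept": "pson"}, None)
    if status != 200:
        raise RuntimeError(f"status lookup failed: HTTP {status}")
    state = json.loads(body)["state"]
    if state == "signed":
        return "autosigned"        # CA already signed and removed the CSR
    if state != "requested":
        raise RuntimeError(f"unexpected certificate state {state!r}")

    status, text = send("PUT", status_path, {"Content-Type": "text/pson"},
                        json.dumps({"desired_state": "signed"}))
    if status != 200:
        raise RuntimeError(f"signing failed: HTTP {status}: {text}")
    return "signed-by-api"

class FakeCA:
    """Constructed stand-in that models only the behaviour seen in this thread."""
    def __init__(self, autosign):
        self.autosign, self.state = autosign, {}

    def send(self, method, path, headers, body):
        _, _env, endpoint, name = path.split("/")
        if endpoint == "certificate_request":
            # With autosign the upload itself signs and drops the CSR.
            self.state[name] = "signed" if self.autosign else "requested"
            return 200, ""
        if method == "GET":
            return 200, json.dumps({"name": name, "state": self.state[name]})
        if self.state.get(name) != "requested":
            return 400, f"Cannot sign for host {name} without a certificate request"
        self.state[name] = "signed"
        return 200, ""

if __name__ == "__main__":
    for autosign in (True, False):
        print(autosign, ensure_signed("prod-clientbox", "CSR", FakeCA(autosign).send))
```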
