Thanks for the feedback! We'll have docs around the upgrade scenario out
shortly. We had instructions around exactly what you did in release notes
<https://puppet.com/docs/puppetserver/5.3/release_notes.html#new-features>
for the 5.5 version where we started shipping the gem, as the best way
forward to switch to using it in an existing install. I think that will
probably continue to be the easiest way to enable the gem moving forward as
well when upgrading.

Using the extension allows us to ship an auth.conf file that works out of
the box for FOSS users doing new installs (we don't know their server
hostnames ahead of time, and using something like localhost can be
insecure). It's also resistant to hostname changes on the CA node.

Please let us know if you have any other issues!

On Wed, Sep 19, 2018 at 4:00 PM Simon Tideswell <stidesw...@gmail.com>
wrote:

> Forgot to mention: this is on Ubuntu 18 (Bionic) using the packages pulled
> from apt.puppetlabs.com. Simon
>
> On Thursday, September 20, 2018 at 8:58:06 AM UTC+10, Simon Tideswell
> wrote:
>>
>> Hello
>>
>> I've upgraded a test server from Puppet 5.5 to Puppet 6 and the upgrade
>> was quite seamless.
>>
>> However post upgrade the puppetserver ca command does not work: it yields
>> 403 denied errors. In auth.conf the new Puppet Server has elements like ...
>> allow: {
>>     extensions: {
>>         pp_cli_auth: "true"
>>     }
>> }
>> There's presumably the requirement to recreate the Puppet Server's own
>> certificate with the additional extensions - but this doesn't appear to be
>> documented anywhere? I've worked around this by using a simpler "allow"
>> stanza including the Puppet Server's own certificate and it works, but it'd
>> be nice if the post-upgrade requirement (of re-minting the certificate) was
>> identified in the documentation. I can't say that recreating the
>> certificate with the extension really seems to offer any obvious advantage
>> over just using the server's own certname to be honest?
>>
>> Simon
>>
>> On Wednesday, September 19, 2018 at 2:33:05 AM UTC+10, Maggie Dreyer
>> wrote:
>>>
>>> Hello!
>>>
>>> As you may know, we are about to release Puppet 6. This release contains *a
>>> major update to the command line tools* that are used to interact with
>>> Puppet's CA and certificates. The update makes the commands much faster and
>>> more reliable, removes duplication, and makes the interface easier to
>>> understand. However, this means that *some scripts and workflows will
>>> have to be updated*.
>>>
>>> *What is getting removed:*
>>> * puppet cert
>>> * puppet ca
>>> * puppet certificate
>>> * puppet certificate_request
>>> * puppet certificate_revocation_list
>>>
>>> *What is new:*
>>> * puppetserver ca <https://github.com/puppetlabs/puppetserver-ca-cli>
>>> (for CA tasks like signing and revoking certs)
>>> * puppet ssl (for agent-side tasks like submitting a CSR and fetching a
>>> cert, though these steps will still usually be taken care of by an agent
>>> run)
>>>
>>> We have been making updates to beaker and various test suites to account
>>> for this change. If you use Beaker to do any CA or certificate interaction
>>> in your tests, you will need to make some updates to test against Puppet 6:
>>> 1) Update to Beaker 4 and beaker-puppet 1. The latest release of both of
>>> these projects contains updates for these CA changes. Details
>>> <https://github.com/puppetlabs/beaker/blob/master/docs/how_to/upgrade_from_3_to_4.md>
>>> .
>>> 2) Update any tests or pre-suites that use one of the removed commands
>>> to use the equivalent new command instead. For details, invoke `puppet
>>> cert` in Puppet 6 for help output containing the mapping of old commands to
>>> new alternatives. We will have docs pages up soon with this info.
>>>
>>> *The most recent Puppet 6 builds on puppet nightlies
>>> <http://nightlies.puppetlabs.com/> have these updates if you would like to
>>> try them out ahead of the release.*
>>>
>>> Please feel free to reach out to us if you have any further questions or
>>> feedback.
>>>
>>> Thanks!
>>>

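The following is an added example, not part of the thread and not Puppet Server's or trapperkeeper-authorization's own code: a simplified model of the two `allow` forms discussed above, showing why a pre-upgrade certificate gets a 403 under the shipped rule and how each form behaves after a hostname change. The hostnames and certificate contents are constructed, and string matching is modelled as an exact certname comparison.

```python
# Simplified model of auth.conf "allow" matching (added example, not
# trapperkeeper-authorization code). All certificate data below is constructed.

def allow_matches(allow, cert):
    """Return True if a single allow entry admits the presented certificate."""
    if isinstance(allow, str):
        # String form: modelled here as an exact match on the certname.
        return cert["certname"] == allow
    if isinstance(allow, dict):
        wanted = allow.get("extensions") or {}
        have = cert.get("extensions", {})
        # Map form: every listed extension must be present with that value.
        return bool(wanted) and all(have.get(k) == v for k, v in wanted.items())
    return False

def authorize(allow, cert):
    """HTTP status for a request presenting `cert` to a rule with this allow value."""
    entries = allow if isinstance(allow, list) else [allow]
    return 200 if any(allow_matches(e, cert) for e in entries) else 403

SHIPPED_ALLOW = {"extensions": {"pp_cli_auth": "true"}}   # stanza quoted in the thread
CERTNAME_ALLOW = "puppet.example.com"                      # hypothetical certname

# Server certificate issued before the upgrade: no pp_cli_auth extension.
OLD_CERT = {"certname": "puppet.example.com", "extensions": {}}
# Same host after its certificate is re-minted with the extension.
NEW_CERT = {"certname": "puppet.example.com", "extensions": {"pp_cli_auth": "true"}}
# CA node renamed later; its new certificate still carries the extension.
RENAMED_CERT = {"certname": "ca01.example.com", "extensions": {"pp_cli_auth": "true"}}

def scenarios():
    """Evaluate each situation from the thread and return its HTTP status."""
    return {
        "upgrade, shipped rule, old cert": authorize(SHIPPED_ALLOW, OLD_CERT),
        "upgrade, certname workaround":    authorize(CERTNAME_ALLOW, OLD_CERT),
        "re-minted cert, shipped rule":    authorize(SHIPPED_ALLOW, NEW_CERT),
        "renamed CA, certname rule":       authorize(CERTNAME_ALLOW, RENAMED_CERT),
        "renamed CA, shipped rule":        authorize(SHIPPED_ALLOW, RENAMED_CERT),
    }

if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{status}  {name}")
```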