Here are a few options that should work:

1) Whitelist the master's certname (which is more secure than
allow-unauthenticated anyway). See the example at the bottom of this section
<https://puppet.com/docs/puppetserver/6.0/subcommands.html#ca> in the docs.
2) Another community member also created
https://github.com/smortex/puppet-add-cli-auth-to-certificate yesterday,
which adds the auth extension to your master cert.

For all of these things, *it's important to remember to restart your
server.* The auth.conf file in particular won't be reloaded until you
restart the server.

Let me know if you can't get any of this to work.

On Thu, Sep 27, 2018 at 9:12 AM <schomaec...@glamus.de> wrote:

> Hi,
>
> @Simon: Could you please describe how you solved that problem?
>
> I already invested hours to at least find the reason for the problem that
> "puppetserver ca list" gives me a 403 Forbidden, but couldn't solve it
> until now.
> And unfortunately this thread is the only document I could find on Google
> which refers to "pp_cli_auth".
>
> Simply replacing ...
>             allow: {
>                extensions: {
>                    pp_cli_auth: "true"
>                }
>             }
> by ...
>             allow-unauthenticated: true
> ... did not work for me.
>
> That's a real big problem because we can't create new VMs for our
> customers now until it will be documented how to deal with this issue.
>
> Many thanks in advance,
> yours Henri
>
> On Thursday, 20 September 2018 00:58:06 UTC+2, Simon Tideswell wrote:
>>
>> Hello
>>
>> I've upgraded a test server from Puppet 5.5 to Puppet 6 and the upgrade
>> was quite seamless.
>>
>> However post upgrade the puppetserver ca command does not work: it yields
>> 403 denied errors. In auth.conf the new Puppet Server has elements like ...
>> allow: {
>>      extensions: {
>>           pp_cli_auth: "true"
>>       }
>> }
>> There's presumably the requirement to recreate the Puppet Server's own
>> certificate with the additional extensions - but this doesn't appear to be
>> documented anywhere? I've worked around this by using a simpler "allow"
>> stanza including the Puppet Server's own certificate and it works, but it'd
>> be nice if the post-upgrade requirement (of re-minting the certificate) was
>> identified in the documentation. I can't say that recreating the
>> certificate with the extension really seems to offer any obvious advantage
>> over just using the server's own certname to be honest?
>>
>> Simon
>>
>> On Wednesday, September 19, 2018 at 2:33:05 AM UTC+10, Maggie Dreyer
>> wrote:
>>>
>>> Hello!
>>>
>>> As you may know, we are about to release Puppet 6. This release contains *a
>>> major update to the command line tools* that are used to interact with
>>> Puppet's CA and certificates. The update makes the commands much faster and
>>> more reliable, removes duplication, and makes the interface easier to
>>> understand. However, this means that *some scripts and workflows will
>>> have to be updated*.
>>>
>>> *What is getting removed:*
>>> * puppet cert
>>> * puppet ca
>>> * puppet certificate
>>> * puppet certificate_request
>>> * puppet certificate_revocation_list
>>>
>>> *What is new:*
>>> * puppetserver ca <https://github.com/puppetlabs/puppetserver-ca-cli>
>>> (for CA tasks like signing and revoking certs)
>>> * puppet ssl (for agent-side tasks like submitting a CSR and fetching a
>>> cert, though these steps will still usually be taken care of by an agent
>>> run)
>>>
>>> We have been making updates to beaker and various test suites to account
>>> for this change. If you use Beaker to do any CA or certificate interaction
>>> in your tests, you will need to make some updates to test against Puppet 6:
>>> 1) Update to Beaker 4 and beaker-puppet 1. The latest release of both of
>>> these projects contains updates for these CA changes. Details
>>> <https://github.com/puppetlabs/beaker/blob/master/docs/how_to/upgrade_from_3_to_4.md>
>>> .
>>> 2) Update any tests or pre-suites that use one of the removed commands
>>> to use the equivalent new command instead. For details, invoke `puppet
>>> cert` in Puppet 6 for help output containing the mapping of old commands to
>>> new alternatives. We will have docs pages up soon with this info.
>>>
>>> *The most recent Puppet 6 builds on puppet nightlies
>>> <http://nightlies.puppetlabs.com/> have these updates if you would like to
>>> try them out ahead of the release.*
>>>
>>> Please feel free to reach out to us if you have any further questions or
>>> feedback.
>>>
>>> Thanks!
>>>
>> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/16046491-82af-4321-93cc-c5a32f3385a3%40googlegroups.com
> <https://groups.google.com/d/msgid/puppet-users/16046491-82af-4321-93cc-c5a32f3385a3%40googlegroups.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>
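
Option 1 from the reply above, sketched as an added example (not taken from the thread or copied from the Puppet docs): the two CA CLI rules in auth.conf with the server's certname allowed alongside the `pp_cli_auth` extension check, and the weaker `allow-unauthenticated` alternative shown as a comment for contrast. `puppet.example.com` is a placeholder certname, and the paths, methods and rule names are assumed to match the default Puppet Server 6 rules.

```hocon
# Excerpt of Puppet Server's auth.conf (HOCON); these two rules sit inside
# authorization.rules. Added illustration, not the shipped file.
# "puppet.example.com" is a placeholder: use your server's own certname.
{
    # CA CLI: sign, revoke and clean individual certificates
    match-request: {
        path: "/puppet-ca/v1/certificate_status"
        type: path
        method: [get, put, delete]
    }
    # Weak variant (avoid): lets any client, with or without a certificate,
    # reach this CA endpoint.
    #   allow-unauthenticated: true
    #
    # Narrow variant: keep the extension check and also admit one named
    # certname, so a server certificate minted before the upgrade (without
    # pp_cli_auth) is still authorized.
    allow: [
        { extensions: { pp_cli_auth: "true" } },
        "puppet.example.com"
    ]
    sort-order: 500
    name: "puppetlabs cert status"
},
{
    # CA CLI: list certificates and pending requests
    match-request: {
        path: "/puppet-ca/v1/certificate_statuses"
        type: path
        method: get
    }
    allow: [
        { extensions: { pp_cli_auth: "true" } },
        "puppet.example.com"
    ]
    sort-order: 500
    name: "puppetlabs cert statuses"
}
```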
