Hi Maggie - thanks for the reply.

When I run the new command this is what we get:

# puppetserver ca clean --certname andy-puppet6-test.london.company.com
Error:
    When attempting to revoke certificate 
'andy-puppet6-test.london.company.com', received:
      code: 403
      body: Forbidden request: 
/puppet-ca/v1/certificate_status/andy-puppet6-test.london.company.com 
(method :put). Please see the server logs for details.

And here are the server logs :

==> /var/log/puppetlabs/puppetserver/puppetserver.log <==
2018-10-01T17:48:10.393+01:00 ERROR [qtp1126042654-72] [p.t.a.rules] 
Forbidden request: ldn1-puppet5.london.company.com(10.2.69.190) access to 
/puppet-ca/v1/certificate_status/andy-puppet6-test.london.company.com 
(method :put) (authenticated: true) denied by rule 'puppetlabs cert status'.

==> /var/log/puppetlabs/puppetserver/puppetserver-access.log <==
10.2.69.190 - - [01/Oct/2018:17:48:10 +0100] "PUT 
/puppet-ca/v1/certificate_status/andy-puppet6-test.london.company.com 
HTTP/1.1" 403 145 "-" "PuppetserverCaCli" 6

Any thoughts on why the perms seem broken for this?

Big fan of Puppet and we really want to migrate away from 3.x, so hopefully 
we can get this working!

Thanks, Andy.

On Friday, 28 September 2018 19:38:11 UTC+1, Maggie Dreyer wrote:
>
> Hello!
>
> For cleaning the cert on the master, are you trying to use `puppet cert 
> clean`? This error message needs to be updated to instead say "On the 
> master: use `puppetserver ca clean --certname <agent-cert-name>`". The 
> `puppet cert` command was removed in 6.0.0, see 
> https://puppet.com/docs/puppet/6.0/release_notes.html#puppet-600 and 
> https://puppet.com/docs/puppetserver/6.0/subcommands.html#ca. But due to 
> https://tickets.puppetlabs.com/browse/PUP-9155, it doesn't always 
> correctly report its failure. Starting in 6.0.1, `puppet cert` will always 
> error with helpful information about the new alternative commands. Please let 
> me know if you are still having issues after trying `puppetserver ca clean`.
>
> And regardless of whether this fixes your issue, we really appreciate your 
> letting us know when our errors and/or docs are less than helpful. Thanks!
> Maggie
>
> On Fri, Sep 28, 2018 at 11:05 AM Andy Hall <andyjo...@gmail.com> wrote:
>
>> Just deployed a new Puppet 6.0 client / server setup and getting the 
>> classic CSR signing issue (see details below). Please help clarify my 
>> understanding so I can troubleshoot this (I'm sure there's a quick fix for 
>> this):
>>
>> N.B. The usual "remove the SSL dir on the client and clean the cert on 
>> the server" is NOT working.
>>
>> So I think this is what happens:
>>
>> 1. The agent creates an SSL cert and sends it to the master to be signed 
>> - a Certificate Signing Request (CSR).
>>
>> 2. The master signs the cert with its own CA and the key of the agent.
>>
>> 3. The signed cert is returned to the agent which compares the keys to 
>> ensure they match.
>>
>> It would seem that somehow the key being returned is mangled and doesn't 
>> match so is rejected by the agent.
>>
>> This happens from the very first attempt to join an agent to the master 
>> and I am at a loss as to how to fix this.
>>
>> Here is the request from the agent to the master:
>>
>> ==> /var/log/puppetlabs/puppetserver/puppetserver-access.log <==
>> 10.2.73.60 - - [28/Sep/2018:18:34:07 +0100] "GET 
>> /puppet-ca/v1/certificate/andy-puppet6-test.london.company.com HTTP/1.1" 
>> 404 65 "-" "Puppet/6.0.0 Ruby/2.5.1-p57 (x86_64-linux)" 3
>> 10.2.73.60 - - [28/Sep/2018:18:34:07 +0100] "GET 
>> /puppet-ca/v1/certificate_request/andy-puppet6-test.london.company.com 
>> HTTP/1.1" 200 1622 "-" "Puppet/6.0.0 Ruby/2.5.1-p57 (x86_64-linux)" 3
>>
>> And here is the output from the agent:
>>
>> # puppet agent --test --noop
>> Info: Creating a new SSL key for andy-puppet6-test.london.company.com
>> Info: Downloaded certificate for ca from puppet
>> Error: Could not request certificate: The CSR retrieved from the master 
>> does not match the agent's public key.
>> CSR fingerprint: 
>> 9A:16:DA:95:9C:FB:90:89:78:EB:01:86:21:B0:24:E1:B0:66:80:43:ED:58:0B:A5:08:9C:24:60:C8:DE:F5:13
>> CSR public key: Public-Key: (4096 bit)
>> Modulus:
>> Exponent: 65537 (0x10001)
>>
>> Agent public key: Public-Key: (4096 bit)
>> Modulus:
>> Exponent: 65537 (0x10001)
>>
>> To fix this, remove the CSR from both the master and the agent and then 
>> start a puppet run, which will automatically regenerate a CSR.
>> On the master:
>>   puppet cert clean andy-puppet6-test.london.company.com
>> On the agent:
>>   1a. On most platforms: find /etc/puppetlabs/puppet/ssl -name 
>> andy-puppet6-test.london.company.com.pem -delete
>>   1b. On Windows: del 
>> "\etc\puppetlabs\puppet\ssl\certs\andy-puppet6-test.london.company.com.pem" 
>> /f
>>   2. puppet agent -t
>>
>> So the big question is this: what exactly is the CSR public key, what 
>> exactly is the agent public key, and why should they match?
>>
>> Any help would be most greatly appreciated!
>>
>> Thanks very much.
>>
>>
>>
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to puppet-users...@googlegroups.com.
>> To view this discussion on the web visit 
>> https://groups.google.com/d/msgid/puppet-users/7189ba10-f48c-46b6-8670-65861f4d9e3f%40googlegroups.com
>>  
>> <https://groups.google.com/d/msgid/puppet-users/7189ba10-f48c-46b6-8670-65861f4d9e3f%40googlegroups.com?utm_medium=email&utm_source=footer>
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
>
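The key comparison Andy asks about ("what exactly is the CSR public key and what exactly is the agent public key and why should they match?"), as an added example in Ruby that is not Puppet's own code: it rebuilds the agent-side check that the public key embedded in the CSR the master hands back equals the public key of the agent's current private key, and replays the mismatch that appears when the agent's SSL directory is wiped and a new key generated while the master still holds the earlier CSR. The certname is taken from the thread; the 2048-bit key size and the fingerprint layout are assumptions made here for the illustration.

```ruby
require 'openssl'

# Build a CSR for certname from key, as the agent does before submitting it
# to the CA: the request carries the key's public half and is self-signed.
def build_csr(certname, key)
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.new([['CN', certname]])
  req.public_key = key.public_key
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  req
end

# Colon-separated SHA-256 digest of the DER-encoded CSR, laid out like the
# "CSR fingerprint:" line in the agent output (layout assumed, not Puppet's code).
def csr_fingerprint(req)
  OpenSSL::Digest::SHA256.hexdigest(req.to_der).upcase.scan(/../).join(':')
end

# The agent-side check: the CSR the master returns must carry exactly the
# public key of the agent's current private key, and its self-signature must
# verify. A stale CSR built from an earlier key fails the key comparison.
def csr_matches_key?(req, agent_key)
  return false unless req.verify(req.public_key)
  req.public_key.to_der == agent_key.public_key.to_der
end

# Replays the failure from the thread: the master still holds the CSR from the
# agent's first key after the agent's SSL dir was wiped and a new key created.
def replay_mismatch(certname = 'andy-puppet6-test.london.company.com')
  first_key = OpenSSL::PKey::RSA.new(2048)   # 2048 bits for speed; the agent used 4096
  stale_csr = build_csr(certname, first_key) # what the master still has on file
  new_key   = OpenSSL::PKey::RSA.new(2048)   # regenerated after the SSL dir was removed
  fresh_csr = build_csr(certname, new_key)   # what a clean run would submit
  {
    stale_matches: csr_matches_key?(stale_csr, new_key), # false: the reported error
    fresh_matches: csr_matches_key?(fresh_csr, new_key), # true: after the CA is cleaned
    stale_fp: csr_fingerprint(stale_csr),
    fresh_fp: csr_fingerprint(fresh_csr)
  }
end

if __FILE__ == $PROGRAM_NAME
  r = replay_mismatch
  puts "stale CSR fingerprint: #{r[:stale_fp]}"
  puts "stale CSR matches agent key: #{r[:stale_matches]}"
  puts "fresh CSR matches agent key: #{r[:fresh_matches]}"
end
```

Cleaning the CSR on the CA and rerunning the agent is exactly what turns the first comparison into the second: the master then only ever sees a request built from the key the agent currently holds.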

