Re: [Puppet Users] Re: API call to certificate_request deletes the request

2015-07-06 Thread Mikhail Simin
Found the explanation in the actual code, rather than the docs. It's an
interesting security implementation. I'll have to figure out how to work
with it.

Thank you!
Mikhail

On Mon, Jul 6, 2015 at 10:30 AM, Mikhail Simin wrote:

> Thanks Josh, you hit the nail on the head.
>
> Disabling autosign makes my API calls work as expected. But why does
> autosign delete the CSR? The docs don't say anything about this. Can I
> disable that feature somehow?
> I need autosigning to be enabled for other purposes, and also be able to
> invoke API calls as I do right now.
>
> On Sun, Jun 28, 2015 at 11:16 PM, Josh Cooper wrote:
>
>>
>> On Sunday, June 28, 2015 at 10:49:21 AM UTC-7, Mikhail Simin wrote:
>>>
>>> I'm using Puppet 3.7.3 and I observe this strange behavior when using
>>> the API to sign a certificate:
>>>
>>>
>>> ==> /var/log/apache.log <==
>>>> Jun 28 17:18:07.00 prod-puppetca apache: 127.0.0.1
>>>> prod-puppetca:8140 - - [28/Jun/2015:17:18:03 +] "PUT
>>>> /production/certificate_request/prod-clientbox HTTP/1.1" 200 1582 "-"
>>>> "python-requests/2.7.0 CPython/2.7.6 Linux/3.13.0-46-generic"
>>>>
>>>> ==> /var/log/daemon.log <==
>>>> Jun 28 17:18:03.00 prod-puppetca puppet-master[27451]:
>>>> prod-clientbox has a waiting certificate request
>>>> Jun 28 17:18:07.00 prod-puppetca puppet-master[27451]: Signed
>>>> certificate request for prod-clientbox
>>>> Jun 28 17:18:07.00 prod-puppetca puppet-master[27451]: Removing
>>>> file Puppet::SSL::CertificateRequest prod-clientbox at
>>>> '/var/lib/puppet/ssl/ca/requests/prod-clientbox.pem'
>>>
>>>
>>> For some reason a single PUT call to `certificate_request/` signs the
>>> CSR and then also removes it!
>>>
>>>
>>> Under normal circumstances (when the CSR does not get removed) I have a
>>> follow up API call for `certificate_status/` with
>>> {"desired_state":"signed"} passed in. However when the CSR is removed, this
>>> no longer works because puppet refuses with the following message:
>>>
>>>
>>> Cannot sign for host prod-clientbox without a certificate request
>>>
>>>
>>> Why does the CSR get removed with the same API call that uploads it?
>>>
>>
>> It sounds like you have autosign[1] enabled. Check
>> /etc/puppet/puppet.conf or in the script that starts your CA.
>>
>> Josh
>>
>> [1]
>> https://docs.puppetlabs.com/references/latest/configuration.html#autosign
>>
>> --
>> You received this message because you are subscribed to a topic in the
>> Google Groups "Puppet Users" group.
>> To unsubscribe from this topic, visit
>> https://groups.google.com/d/topic/puppet-users/LCAuO4Wo_d8/unsubscribe.
>> To unsubscribe from this group and all its topics, send an email to
>> puppet-users+unsubscr...@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/puppet-users/5acc5158-2740-4167-9404-4651ed728bc7%40googlegroups.com.
>>
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
>
> --
> Mikhail Simin, Ph.D
> *Nextdoor* 
> The Private Social Network for Neighborhoods
>



-- 
Mikhail Simin, Ph.D
*Nextdoor* 
The Private Social Network for Neighborhoods

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/CAL%2B12Gdu_OyxGVq70CqZxtxRiezHLiTji-i1FODc9d9GT0aA5Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.


Re: [Puppet Users] Re: API call to certificate_request deletes the request

2015-07-06 Thread Mikhail Simin
Thanks Josh, you hit the nail on the head.

Disabling autosign makes my API calls work as expected. But why does
autosign delete the CSR? The docs don't say anything about this. Can I
disable that feature somehow?
I need autosigning to be enabled for other purposes, and also be able to
invoke API calls as I do right now.

On Sun, Jun 28, 2015 at 11:16 PM, Josh Cooper wrote:

>
> On Sunday, June 28, 2015 at 10:49:21 AM UTC-7, Mikhail Simin wrote:
>>
>> I'm using Puppet 3.7.3 and I observe this strange behavior when using the
>> API to sign a certificate:
>>
>>
>> ==> /var/log/apache.log <==
>>> Jun 28 17:18:07.00 prod-puppetca apache: 127.0.0.1
>>> prod-puppetca:8140 - - [28/Jun/2015:17:18:03 +] "PUT
>>> /production/certificate_request/prod-clientbox HTTP/1.1" 200 1582 "-"
>>> "python-requests/2.7.0 CPython/2.7.6 Linux/3.13.0-46-generic"
>>>
>>> ==> /var/log/daemon.log <==
>>> Jun 28 17:18:03.00 prod-puppetca puppet-master[27451]:
>>> prod-clientbox has a waiting certificate request
>>> Jun 28 17:18:07.00 prod-puppetca puppet-master[27451]: Signed
>>> certificate request for prod-clientbox
>>> Jun 28 17:18:07.00 prod-puppetca puppet-master[27451]: Removing file
>>> Puppet::SSL::CertificateRequest prod-clientbox at
>>> '/var/lib/puppet/ssl/ca/requests/prod-clientbox.pem'
>>
>>
>> For some reason a single PUT call to `certificate_request/` signs the CSR
>> and then also removes it!
>>
>>
>> Under normal circumstances (when the CSR does not get removed) I have a
>> follow up API call for `certificate_status/` with
>> {"desired_state":"signed"} passed in. However when the CSR is removed, this
>> no longer works because puppet refuses with the following message:
>>
>>
>> Cannot sign for host prod-clientbox without a certificate request
>>
>>
>> Why does the CSR get removed with the same API call that uploads it?
>>
>
> It sounds like you have autosign[1] enabled. Check /etc/puppet/puppet.conf
> or in the script that starts your CA.
>
> Josh
>
> [1]
> https://docs.puppetlabs.com/references/latest/configuration.html#autosign
>



-- 
Mikhail Simin, Ph.D
*Nextdoor* 
The Private Social Network for Neighborhoods



[Puppet Users] Re: API call to certificate_request deletes the request

2015-06-28 Thread Josh Cooper

On Sunday, June 28, 2015 at 10:49:21 AM UTC-7, Mikhail Simin wrote:
>
> I'm using Puppet 3.7.3 and I observe this strange behavior when using the 
> API to sign a certificate:
>
>
> ==> /var/log/apache.log <==
>> Jun 28 17:18:07.00 prod-puppetca apache: 127.0.0.1 prod-puppetca:8140 
>> - - [28/Jun/2015:17:18:03 +] "PUT 
>> /production/certificate_request/prod-clientbox HTTP/1.1" 200 1582 "-" 
>> "python-requests/2.7.0 CPython/2.7.6 Linux/3.13.0-46-generic"
>>
>> ==> /var/log/daemon.log <==
>> Jun 28 17:18:03.00 prod-puppetca puppet-master[27451]: prod-clientbox 
>> has a waiting certificate request
>> Jun 28 17:18:07.00 prod-puppetca puppet-master[27451]: Signed 
>> certificate request for prod-clientbox
>> Jun 28 17:18:07.00 prod-puppetca puppet-master[27451]: Removing file 
>> Puppet::SSL::CertificateRequest prod-clientbox at 
>> '/var/lib/puppet/ssl/ca/requests/prod-clientbox.pem'
>
>  
> For some reason a single PUT call to `certificate_request/` signs the CSR 
> and then also removes it!
>
>
> Under normal circumstances (when the CSR does not get removed) I have a 
> follow up API call for `certificate_status/` with 
> {"desired_state":"signed"} passed in. However when the CSR is removed, this 
> no longer works because puppet refuses with the following message: 
>
>
> Cannot sign for host prod-clientbox without a certificate request
>
>
> Why does the CSR get removed with the same API call that uploads it?
>

It sounds like you have autosign[1] enabled. Check /etc/puppet/puppet.conf 
or in the script that starts your CA.

Josh

[1] https://docs.puppetlabs.com/references/latest/configuration.html#autosign

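
The workflow discussed in this thread, as an added example (not code from the posters or from Puppet): a client that uploads the CSR, reads `certificate_status`, and sends `{"desired_state":"signed"}` only when the CA still reports the request as pending, so it works with autosign on or off and records which path issued the certificate. `FakeCA`, `ensure_signed`, the `http(method, path, body)` transport and the 400 status code are constructed for illustration; the `requested`/`signed` values of the `state` field are assumed from the Puppet 3 `certificate_status` endpoint.

```python
import json

class FakeCA:
    """Constructed stand-in for the CA; mimics only the behaviour reported in the thread."""
    def __init__(self, autosign):
        self.autosign, self.requests, self.signed = autosign, set(), set()

    def __call__(self, method, path, body=None):
        _, env, endpoint, name = path.split("/")
        if method == "PUT" and endpoint == "certificate_request":
            self.requests.add(name)
            if self.autosign:              # sign at once, then remove the CSR
                self._sign(name)
            return 200, ""
        if method == "GET" and endpoint == "certificate_status":
            state = "signed" if name in self.signed else "requested"
            return (200, json.dumps({"name": name, "state": state})) \
                if name in self.signed | self.requests else (404, "")
        if method == "PUT" and endpoint == "certificate_status":
            if name not in self.requests:  # the refusal quoted in the thread
                return 400, "Cannot sign for host %s without a certificate request" % name
            self._sign(name)
            return 200, ""
        return 404, ""

    def _sign(self, name):
        self.requests.discard(name)
        self.signed.add(name)


def ensure_signed(http, certname, csr_pem, env="production"):
    """Submit a CSR, then sign it only if the CA has not already done so."""
    base = "/%s/" % env
    status, _ = http("PUT", base + "certificate_request/" + certname, csr_pem)
    if status != 200:
        raise RuntimeError("CSR upload failed: %d" % status)
    status, body = http("GET", base + "certificate_status/" + certname)
    if status != 200:
        raise RuntimeError("status lookup failed: %d" % status)
    state = json.loads(body)["state"]
    if state == "signed":                  # autosign consumed the CSR already
        return "autosigned"
    if state != "requested":
        raise RuntimeError("unexpected state %r" % state)
    status, body = http("PUT", base + "certificate_status/" + certname,
                        json.dumps({"desired_state": "signed"}))
    if status != 200:
        raise RuntimeError(body)
    return "signed-by-api"
```

Logging the returned value per certname gives an audit trail of which certificates were issued by autosign and which by an explicit API approval.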