Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-3550

Issue with manually issuing manually submitting certificate request over API

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Cannot Reproduce
    • Affects Version/s: PUP 3.7.2
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Template:

      Description

      This is a cross-post from ServerFault. I reached out to James Turnbull, who I believe was involved in the development of this. He thought it was a bug, so, I'm posting it here.

      The tl;dr is that I need to manually generate a certificate on one node, and then issue a certificate request over the API.

      According to the documentation, this should be rather straight forward. Here's what I did.

      Generate a certificate for myhost.foobar.local (from client)

      $ puppet cert generate myhost.foobar.local

      Generate a CSR from the certificate (from client)

      $ openssl req -new -key /var/lib/puppet/ssl/private_keys/myhost.foobar.local.pem -subj "/CN=myhost.foobar.local" -out request.csr

      Issue a certificate request to the Puppet master (from client)

      The API has been opened up for remote API calls, so we can make API call from the test node. However, I only get an error back.

      $ curl -k -X PUT -H "Content-Type: text/plain" --data-binary @request.csr https://puppetmaster:8140/production/certificate_request/no_key
          Could not intern from s: not enough data

      Other calls works just fine, such as:

      $ curl -k -H "Accept: pson" https://puppetmaster:8140/production/certificate_statuses/all
          [
            {
              "state" : "signed",
              "fingerprints" : {
                "default" : "5A:35:D2:19:59:C6:6E:B8:BE:64:54:FA:14:10:CE:FC:4A:C8:45:F6:DE:8E:7C:E9:2D:B0:5B:E0:5D:93:35:DD",
                "SHA256" : "5A:35:D2:19:59:C6:6E:B8:BE:64:54:FA:14:10:CE:FC:4A:C8:45:F6:DE:8E:7C:E9:2D:B0:5B:E0:5D:93:35:DD",
                "SHA1" : "04:13:AF:B9:CB:44:01:64:24:C9:E0:D6:F4:0D:60:41:52:77:EE:45",
                "SHA512" : "2C:97:11:B9:ED:38:00:1F:B0:7B:75:ED:4C:DB:B1:3E:3D:63:09:C1:38:E2:A3:4F:50:A4:FD:71:FF:55:94:C3:7A:0B:F6:D5:79:09:6D:53:39:B1:EC:C2:BF:DF:CD:9B:67:60:B9:9C:0C:82:51:E9:23:30:AA:33:AC:8B:E9:94"
              },
              "name" : "puppet.foobar.local",
              "dns_alt_names" : [
                "DNS:puppet",
                "DNS:puppet.foobar.local"
              ],
              "fingerprint" : "5A:35:D2:19:59:C6:6E:B8:BE:64:54:FA:14:10:CE:FC:4A:C8:45:F6:DE:8E:7C:E9:2D:B0:5B:E0:5D:93:35:DD"
            },
            {
              "state" : "signed",
              "fingerprints" : {
                "default" : "32:7B:B3:4E:BE:EB:66:21:E5:96:D0:7B:BA:BF:1D:FC:D5:90:E1:6F:52:6B:AB:CF:98:7E:2A:E3:48:00:A2:CF",
                "SHA256" : "32:7B:B3:4E:BE:EB:66:21:E5:96:D0:7B:BA:BF:1D:FC:D5:90:E1:6F:52:6B:AB:CF:98:7E:2A:E3:48:00:A2:CF",
                "SHA1" : "A4:17:D3:05:8A:72:BE:6C:C2:0C:FA:C4:8A:3B:6E:C4:29:90:4B:95",
                "SHA512" : "2D:C3:EE:7E:E3:39:99:C8:21:B8:97:E8:BF:FE:62:26:A8:B8:63:30:C9:F1:77:80:DB:FC:DF:B8:ED:1E:A2:6C:C2:F9:FE:5D:CA:17:D9:08:1E:EB:AA:AF:3D:99:A6:F9:3D:E6:86:A0:B3:3F:E9:EC:1C:7F:25:95:B5:D6:7C:51"
              },
              "name" : "965c252e48c3",
              "dns_alt_names" : [
          
              ],
              "fingerprint" : "32:7B:B3:4E:BE:EB:66:21:E5:96:D0:7B:BA:BF:1D:FC:D5:90:E1:6F:52:6B:AB:CF:98:7E:2A:E3:48:00:A2:CF"
            }
          ]
      

      (formatted for readability)

      I'm not sure if I'm missing something here. All other API calls appears to work fine, including signing, and DELETE/revoke of nodes. It's just the certificate request call that appears to fail. Perhaps I'm missing something obvious.

      The Puppet master is running '3.7.2-1puppetlabs'.

        Attachments

          Activity

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            vpetersson Viktor Petersson
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Zendesk Support