Dan White
2013-Nov-18 13:49 UTC
[Puppet Users] How do I generate a certificate to use the REST API ?
Using Puppet 3.x I want to tinker with the REST API, but other than basic stuff, all requests are denied because there is no certificate between my workstation and the Puppet Master.

How do I do this ?

“Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
Bill Waterson (Calvin & Hobbes)

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/1351348393.4599002.1384782541652.JavaMail.root%40sz0126a.westchester.pa.mail.comcast.net. For more options, visit https://groups.google.com/groups/opt_out.
Dan White
2013-Nov-18 14:37 UTC
Re: [Puppet Users] (ANSWERED IT MYSELF!) How do I generate a certificate to use the REST API ?
On the puppet master:

    puppet cert generate workstation.example.org

Then I copied the following from the puppet master to my workstation:

    The public and private keys for my workstation ( workstation-publickey.pem / workstation-privatekey.pem )
    The certificate for my workstation ( workstation-cert.pem )
    The public key for the puppet master ( puppetmaster-publickey.pem )

On my workstation,

    # fetch the CA certificate from the master and start the CA bundle with it
    curl --insecure -H 'Accept: s' https://puppetmaster.example.org:8140/production/certificate/ca > curl-ca-bundle.crt
    cat puppetmaster-publickey.pem >> curl-ca-bundle.crt

THEN !!

    # --cert is the workstation certificate, --key its private key
    curl --cert workstation-cert.pem \
         --key workstation-privatekey.pem \
         --cacert curl-ca-bundle.crt \
         -H "Accept: yaml" https://puppetmaster.example.org:8140/dev/status/devnode001.example.org

WORKED !!

I am going to bundle up everything up to the "-H" into an alias.
Dan White
2013-Nov-18 14:44 UTC
Re: [Puppet Users] (ANSWERED IT MYSELF!) How do I generate a certificate to use the REST API ?
I forgot the finishing touch:

On the puppet master: /etc/puppet/auth.conf

Added the lines:

    # allow workstation REST API access
    path /
    allow workstation.example.org

and restarted the puppet master !

As I get familiar with the API, I would probably want to add some method restrictions.
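An added example, not part of the thread and not Puppet's own tooling: a small shell check that flags auth.conf stanzas like the `path /` one above, which give a certname every method on every endpoint. The sample file, the `/status` stanza and the function names are constructed for illustration, and the parsing assumes Puppet 3 auth.conf syntax (a stanza starts at `path`, optional `method` and `allow` lines follow).

```shell
#!/bin/sh
# Added example: flag auth.conf stanzas that grant a certname the whole API.
# Assumption: Puppet 3 auth.conf layout, where each stanza starts at "path".

audit_auth_conf() {
    # $1 = auth.conf path; prints one line per stanza on "path /" with an allow.
    awk '
        function report() {
            if (path == "/" && allow != "")
                printf "line %d: path / allow %s methods=%s\n", start, allow, (methods == "" ? "ALL" : methods)
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        $1 == "path"   { report(); path = $NF; start = NR; allow = ""; methods = ""; next }
        $1 == "method" { sub(/^[ \t]*method[ \t]+/, ""); methods = $0; next }
        $1 == "allow"  { sub(/^[ \t]*allow[ \t]+/, ""); allow = $0; next }
        END { report() }
    ' "$1"
}

write_sample() {
    # Constructed sample; all three stanzas share one file only for comparison.
    cat > "$1" <<'EOF'
# stanza as posted in the thread: every method on every endpoint
path /
allow workstation.example.org

# constructed narrower grant: read-only access to node status
path /status
method find
allow workstation.example.org

# constructed catch-all with no allow line
path /
auth any
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_auth_conf "$sample"   # reports only the stanza starting on line 2
rm -f "$sample"
```

Because the first matching stanza wins, a narrower stanza only limits access once the broad `path /` grant has been removed.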
Felix Frank
2013-Nov-18 14:49 UTC
Re: [Puppet Users] (ANSWERED IT MYSELF!) How do I generate a certificate to use the REST API ?
Hi,

that would work. Couldn't you instead have just (from the agent)

1. puppet agent --onetime --certname <certname-here>

to upload a CSR, then on the master

2. sign the cert using puppet ca

and then have the agent download it via another puppet agent call?

Of course, you still need to scrounge the chain together from the various certs cached by the agent, but it should all be there.

Cheers,
Felix

On 11/18/2013 03:37 PM, Dan White wrote:
> Then I copied the following from the puppet master to my workstation:
> The public and private keys for my workstation (
> workstation-publickey.pem / workstation-privatekey.pem )
Dan White
2013-Nov-18 15:03 UTC
Re: [Puppet Users] (ANSWERED IT MYSELF!) How do I generate a certificate to use the REST API ?
There is no agent on my workstation. That was one of the head-scratchers.

Your suggestion looks like it would work if there was an agent.

Thanks for responding