There are two identities in Puppet that relate to the security model. The first 
identity is the certname and the second is the node name.

Puppet uses the certname to construct the certificate.

Everything else (catalogs, facts, reports, etc.) is identified by the node 
name.

By default the value of node name is the value of the certname.

For security, requests are only authorized if the name of the node matches the 
cert name.

What you're seeing is puppet denying access because your node name no longer 
matches the cert name.

I recommend you don't make your node names match your cert names because an 
email address is not a valid node name.  To get this to work you'll need to 
hack at auth.conf to map which cert names are authorized to request resources 
for certain nodes.

Hope this helps.

You might want to take a look at #2128 and the node_name_value setting.

There's also a whole section on auth.conf at docs.puppetlabs.com. 

-- 
Jeff McCune


On Thursday, May 31, 2012 at 5:27 AM, Andrew Wasilczuk wrote:

> Hello,
> 
> I'm currently integrating puppet with an external openssl based PKI and
> I stumbled across a problem which looks like it may be a bug in puppet.
> 
> All my certificates contain an emailAddress field in the subject. Here
> it is in the default format:
> 
> 
> % openssl x509 -in mir.example.net.pem -noout -text -subject 
> 
> subject= /C=UK/ST=Greater 
> London/O=example/CN=mir.example.net/emailAddress=syst...@example.net
> 
> 
> When I run puppet with stock auth.conf I get the following error message:
> 
> 
> err: Could not retrieve catalog from remote server: Error 403 on SERVER:
> Forbidden request: mir.example.net/emailAddress=syst...@example.net(46.4.3.59)
> access to /catalog/mir.example.net [find] authenticated at line 52
> 
> If I modify my auth.conf to:
> 
> 
> path ~ ^/catalog/([^/]+)$
> method find
> #allow $1
> allow /$1\/email/
> 
> 
> It works fine:
> 
> 
> info: Caching catalog for mir.example.net
> info: Applying configuration version '1338465941'
> notice: Finished catalog run in 0.08 seconds
> 
> 
> It looks like puppet is interpreting emailAddress as a part of the CN
> (which it isn't). Outputting the subject in rfc2253 format makes it a
> bit clearer:
> 
> 
> % openssl x509 -in mir.example.net.pem -noout -text -subject -nameopt RFC2253
> 
> subject= 
> emailAddress=syst...@example.net,CN=mir.example.net,O=example,ST=Greater 
> London,C=UK
> 
> 
> Has anyone else come across this? Shall I open a bug or am I doing
> something stupid here?
> 
> As far as I'm aware OpenSSL will put email address in the subject line
> by default, unless explicitly disabled.
> 
> I'm running puppet-2.7.14 on FreeBSD 9.0 behind Apache and Passenger 
> 
> Cheers,
> 
> Andrew.
> -- 
> [ a...@zx23.net ]
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to 
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at 
> http://groups.google.com/group/puppet-users?hl=en.
> 
> 
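
As an added illustration (not code from the thread or from Puppet), assuming a server that derives the client identity from the textual certificate subject: a greedy "CN=" match on the oneline subject swallows the trailing emailAddress attribute and yields exactly the "mir.example.net/emailAddress=..." name seen in the 403 above, whereas a component-aware parser of either subject format returns only the CN, which is the value that should be compared with the node name. The e-mail local part in the samples is a constructed placeholder.

```python
"""Derive the certificate identity from an OpenSSL subject string.

Added example, not code from the thread or from Puppet: a greedy text match
on the legacy "oneline" subject versus a component-aware parser, showing how
a trailing emailAddress attribute ends up inside the compared identity.
"""
import re

# Constructed samples in the two formats shown in the thread; the e-mail
# local part is a placeholder, not the value from the original post.
ONELINE = "/C=UK/ST=Greater London/O=example/CN=mir.example.net/emailAddress=sys@example.net"
RFC2253 = "emailAddress=sys@example.net,CN=mir.example.net,O=example,ST=Greater London,C=UK"


def greedy_cn(subject):
    """Naive extraction: everything after 'CN=' to the end of the string.
    On the oneline form this swallows any attribute after the CN, which is
    what yields 'mir.example.net/emailAddress=...' as the identity."""
    m = re.search(r"CN=(.*)$", subject)
    return m.group(1) if m else None


def parse_oneline(subject):
    """Split the legacy '/K=V/K=V' form into ordered (key, value) pairs.
    Caveat: this form does not escape '/', so a value containing '/' is
    ambiguous; the RFC 2253 form is the safer one to parse."""
    parts = [p for p in subject.split("/") if p]
    return [tuple(p.split("=", 1)) for p in parts]


def parse_rfc2253(subject):
    """Split the RFC 2253 'K=V,K=V' form (most-specific RDN first).
    Commas escaped as '\\,' inside a value are not treated as separators."""
    rdns = re.split(r"(?<!\\),", subject)
    return [tuple(r.split("=", 1)) for r in rdns]


def common_name(pairs):
    """Return only the CN value, wherever it sits in the attribute order."""
    for key, value in pairs:
        if key.upper() == "CN":
            return value
    return None


def identity_matches(pairs, node_name):
    """The rule from the reply: the certificate CN must equal the node name."""
    return common_name(pairs) == node_name
```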
