On Sunday, June 28, 2015 at 10:49:21 AM UTC-7, Mikhail Simin wrote:
>
> I'm using Puppet 3.7.3 and I observe this strange behavior when using the
> API to sign a certificate:
>
>
> ==> /var/log/apache.log <==
>> Jun 28 17:18:07.000000 prod-puppetca apache: 127.0.0.1 prod-puppetca:8140
>> - - [28/Jun/2015:17:18:03 +0000] "PUT
>> /production/certificate_request/prod-clientbox HTTP/1.1" 200 1582 "-"
>> "python-requests/2.7.0 CPython/2.7.6 Linux/3.13.0-46-generic"
>>
>> ==> /var/log/daemon.log <==
>> Jun 28 17:18:03.000000 prod-puppetca puppet-master[27451]: prod-clientbox
>> has a waiting certificate request
>> Jun 28 17:18:07.000000 prod-puppetca puppet-master[27451]: Signed
>> certificate request for prod-clientbox
>> Jun 28 17:18:07.000000 prod-puppetca puppet-master[27451]: Removing file
>> Puppet::SSL::CertificateRequest prod-clientbox at
>> '/var/lib/puppet/ssl/ca/requests/prod-clientbox.pem'
>
>
> For some reason a single PUT call to `certificate_request/` signs the CSR
> and then also removes it!
>
>
> Under normal circumstances (when the CSR does not get removed) I have a
> follow up API call for `certificate_status/` with
> {"desired_state":"signed"} passed in. However when the CSR is removed, this
> no longer works because puppet refuses with the following message:
>
>
> Cannot sign for host prod-clientbox without a certificate request
>
>
> Why does the CSR get removed with the same API call that uploads it?
>
It sounds like you have autosign[1] enabled. Check /etc/puppet/puppet.conf
or in the script that starts your CA.
Josh
[1] https://docs.puppetlabs.com/references/latest/configuration.html#autosign
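
The check the reply suggests, as an added example that is not part of the original thread: a small parser that reads `puppet.conf` text and reports whether the CA would sign a new CSR for a given certname on submission. It assumes Puppet 3.x `autosign` semantics (`true`, `false`, or a path to a whitelist of certname globs; executable policy hooks are not modelled), and the function names, mode labels and sample config are constructed for illustration.

```python
import fnmatch

# Assumed Puppet 3.x semantics of `autosign`: "true" signs every CSR, "false"
# signs none, any other value is a path to a whitelist of certname globs.
DEFAULT_AUTOSIGN = "$confdir/autosign.conf"  # assumed built-in default


def parse_puppet_conf(text):
    """Parse puppet.conf text into {section: {setting: value}}."""
    sections, current = {}, "main"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif "=" in line:
            key, value = line.split("=", 1)
            sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def autosign_mode(conf_text, certname, whitelist_text=None):
    """Classify what the CA does with a new CSR for certname.

    whitelist_text is the content of the whitelist file, or None if absent.
    """
    conf = parse_puppet_conf(conf_text)
    # [master] takes precedence over [main] for the CA process.
    value = conf.get("master", {}).get(
        "autosign", conf.get("main", {}).get("autosign", DEFAULT_AUTOSIGN))
    if value.lower() == "true":
        return "signs-everything"
    if value.lower() == "false" or whitelist_text is None:
        return "manual"
    for raw in whitelist_text.splitlines():
        pattern = raw.strip()
        # fnmatch approximates Puppet's glob matching (e.g. *.internal.example).
        if pattern and not pattern.startswith("#") \
                and fnmatch.fnmatchcase(certname, pattern):
            return "whitelisted"
    return "manual"


# Constructed sample input, not taken from the thread.
SAMPLE_CONF = "[main]\n    logdir = /var/log/puppet\n[master]\n    autosign = true\n"
```

A result of `signs-everything` or `whitelisted` means the CSR is signed and removed as soon as it is uploaded, so a follow-up request to sign it has nothing left to act on.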