Package: puppetserver
Version: 7.9.5-1
Severity: important

In an upgraded Puppet server 7 running in Debian testing (bookworm), I am seeing the following error when trying to list or sign CSRs:

root@marcos:/etc# puppetserver ca list
Error: code: 403 body: Forbidden request: /puppet-ca/v1/certificate_statuses/any_key (method :get). Please see the server logs for details.
Error while getting certificate requests

Said logs tell me this:

2023-04-03T15:51:33.497-04:00 ERROR [qtp1647989340-88] [p.t.a.rules] Forbidden request: marcos.anarc.at(127.0.0.1) access to /puppet-ca/v1/certificate_statuses/any_key (method :get) (authenticated: true) denied by rule 'puppetlabs cert status'.

It looks like I need extra hostnames in /etc/puppet/puppetserver/conf.d/auth.conf. In my case, adding `localhost` wasn't sufficient; I had to add the FQDN of the Puppet server, which is a little distressing because it feels like the Puppet server is relying on the reverse DNS to authenticate clients, which is obviously flawed.

The patch, in my case, ended up something like:

root@marcos:/etc# git diff
diff --git a/puppet/puppetserver/conf.d/auth.conf b/puppet/puppetserver/conf.d/auth.conf
index 5059f0a5..b7ddc868 100644
--- a/puppet/puppetserver/conf.d/auth.conf
+++ b/puppet/puppetserver/conf.d/auth.conf
@@ -63,11 +63,16 @@ authorization: { type: path method: [get, put, delete] } - allow: { - extensions: { - pp_cli_auth: "true" - } - } + allow: [ + "localhost", + "127.0.0.1", + "marcos.anarc.at", + { + extensions: { + pp_cli_auth: "true" + } + } + ] sort-order: 500 name: "puppetlabs cert status" }, -- System Information: Debian Release: 12.0 APT prefers testing-security APT policy: (500, 'testing-security'), (500, 'stable-security'), (500, 'testing'), (500, 'stable'), (1, 'experimental'), (1, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 6.1.0-6-amd64 (SMP w/16 CPU threads; PREEMPT) Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages puppetserver depends on: ii default-jre-headless 2:1.17-74 ii facter 4.3.0-2 ii hiera 3.10.0-1 pn jruby <none> pn libclj-time-clojure <none> pn libclj-yaml-clojure <none> pn libclojure-java <none> pn libcomidi-clojure <none> pn libcommons-exec-java <none> ii libcommons-io-java 2.11.0-2 pn libcommons-lang-java <none> pn libdropwizard-metrics-java <none> pn libdujour-version-check-clojure <none> pn libjruby-utils-clojure <none> pn libkitchensink-clojure <none> pn libliberator-clojure <none> pn libprismatic-schema-clojure <none> pn libpuppetlabs-http-client-clojure <none> pn libpuppetlabs-i18n-clojure <none> pn libpuppetlabs-ring-middleware-clojure <none> pn libraynes-fs-clojure <none> pn libsemver-clojure <none> pn libshell-utils-clojure <none> pn libslingshot-clojure <none> pn libssl-utils-clojure <none> pn libtrapperkeeper-authorization-clojure <none> pn libtrapperkeeper-clojure <none> pn libtrapperkeeper-comidi-metrics-clojure <none> pn libtrapperkeeper-filesystem-watcher-clojure <none> pn libtrapperkeeper-metrics-clojure <none> pn libtrapperkeeper-scheduler-clojure <none> pn libtrapperkeeper-status-clojure <none> pn libtrapperkeeper-webserver-jetty9-clojure <none> pn 
libyaml-snake-java <none> ii puppet-agent 7.23.0-1 ii ruby 1:3.1 ii ruby-deep-merge 1.1.1-2 ii ruby-fast-gettext 2.0.3-2 ii ruby-gettext 3.3.3-2 ii ruby-hocon 1.3.1-2 ii ruby-locale 2.1.3-1 pn ruby-puppet-resource-api <none> pn ruby-puppetserver-ca-cli <none> ii ruby-semantic-puppet 1.0.4-1 ii ruby-text 1.3.1-1 Versions of packages puppetserver recommends: pn puppet-module-puppetlabs-augeas-core <none> pn puppet-module-puppetlabs-cron-core <none> pn puppet-module-puppetlabs-host-core <none> pn puppet-module-puppetlabs-mount-core <none> pn puppet-module-puppetlabs-selinux-core <none> pn puppet-module-puppetlabs-sshkeys-core <none> puppetserver suggests no packages.
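Review bot: the three string entries added to `allow` in the auth.conf hunk widen the 'puppetlabs cert status' rule (get, put and delete on the certificate status endpoints) to any authenticated client whose name matches, and only one of them can ever match: the log quoted in the report shows the name evaluated was `marcos.anarc.at` with `authenticated: true`, and the reporter notes that `localhost` alone was not sufficient, so `"localhost"` and `"127.0.0.1"` are dead entries and should be dropped rather than left to suggest that source address is what the rule checks. The original rule was denied because the certificate used by `puppetserver ca` did not carry the `pp_cli_auth: "true"` extension; the narrower fix is to keep the extension-only `allow` and issue the CLI certificate with that extension, instead of granting the CA management rule to a certname. If the `"marcos.anarc.at"` entry has to stay, a comment next to it explaining why would help the next reader of auth.conf.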
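An added example, not part of the bug report or of Puppet: a small parser for the tk-auth denial lines quoted above, so a server operator can see which name the authorization layer actually evaluated (the one printed next to `authenticated: true`, `marcos.anarc.at` in the report) and which rule denied it before widening an allow list. The first sample line is the one from the report; the other lines, hostnames and addresses are constructed for this example.

```python
import re
from collections import Counter

# First line is the log line quoted in the bug report; the remaining lines are
# constructed samples (documentation IPs and .test names), not real log data.
SAMPLE_LOG = """\
2023-04-03T15:51:33.497-04:00 ERROR [qtp1647989340-88] [p.t.a.rules] Forbidden request: marcos.anarc.at(127.0.0.1) access to /puppet-ca/v1/certificate_statuses/any_key (method :get) (authenticated: true) denied by rule 'puppetlabs cert status'.
2023-04-03T15:52:10.001-04:00 ERROR [qtp1647989340-91] [p.t.a.rules] Forbidden request: node1.example.test(192.0.2.10) access to /puppet-ca/v1/certificate_status/node2.example.test (method :put) (authenticated: true) denied by rule 'puppetlabs cert status'.
2023-04-03T15:53:01.512-04:00 ERROR [qtp1647989340-92] [p.t.a.rules] Forbidden request: 198.51.100.7(198.51.100.7) access to /puppet/v3/catalog/node1.example.test (method :get) (authenticated: false) denied by rule 'puppetlabs catalog'.
2023-04-03T15:53:02.000-04:00 INFO  [qtp1647989340-93] [p.s.m.master-core] Puppet Server has successfully started and is now ready to handle requests
"""

# Shape of a [p.t.a.rules] denial as it appears in the report's log excerpt.
DENIAL_RE = re.compile(
    r"^(?P<ts>\S+) ERROR \[[^\]]+\] \[p\.t\.a\.rules\] Forbidden request: "
    r"(?P<name>[^(]+)\((?P<ip>[^)]+)\) access to (?P<path>\S+) "
    r"\(method :(?P<method>\w+)\) \(authenticated: (?P<auth>true|false)\) "
    r"denied by rule '(?P<rule>[^']+)'\.$"
)


def parse_denials(text):
    """Return one dict per tk-auth denial line; unrelated lines are skipped."""
    out = []
    for line in text.splitlines():
        m = DENIAL_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["auth"] = d["auth"] == "true"
            out.append(d)
    return out


def ca_denials(text):
    """Denials on the CA API only. `name` is the identity the rule was evaluated
    against (the report's log names marcos.anarc.at), `ip` is just the peer
    address, so an allow entry has to match `name` to change the outcome."""
    return [d for d in parse_denials(text) if d["path"].startswith("/puppet-ca/v1/")]


def denial_summary(text):
    """Count denials per (evaluated name, rule) to see who keeps hitting which rule."""
    return Counter((d["name"], d["rule"]) for d in parse_denials(text))


if __name__ == "__main__":
    for d in ca_denials(SAMPLE_LOG):
        print(f"{d['ts']} {d['name']} ({d['ip']}) auth={d['auth']} "
              f"{d['method'].upper()} {d['path']} -> denied by '{d['rule']}'")
```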