Package: puppetserver
Version: 7.9.5-1
Severity: important

In an upgraded Puppet server 7 running in Debian testing (bookworm), I
am seeing the following error when trying to list or sign CSRs:

root@marcos:/etc# puppetserver ca list
Error:
    code: 403
    body: Forbidden request: /puppet-ca/v1/certificate_statuses/any_key (method :get). Please see the server logs for details.
Error while getting certificate requests

Said logs tell me this:

2023-04-03T15:51:33.497-04:00 ERROR [qtp1647989340-88] [p.t.a.rules] Forbidden request: marcos.anarc.at(127.0.0.1) access to /puppet-ca/v1/certificate_statuses/any_key (method :get) (authenticated: true) denied by rule 'puppetlabs cert status'.

It looks like I need extra hostnames in 
/etc/puppet/puppetserver/conf.d/auth.conf

In my case, adding `localhost` wasn't sufficient; I had to add the
FQDN of the Puppet server, which is a little distressing because it
feels like the Puppet server is relying on the reverse DNS to
authenticate clients, which is obviously flawed.

The patch, in my case, ended up something like:

root@marcos:/etc# git diff
diff --git a/puppet/puppetserver/conf.d/auth.conf 
b/puppet/puppetserver/conf.d/auth.conf
index 5059f0a5..b7ddc868 100644
--- a/puppet/puppetserver/conf.d/auth.conf
+++ b/puppet/puppetserver/conf.d/auth.conf
@@ -63,11 +63,16 @@ authorization: {
                 type: path
                 method: [get, put, delete]
             }
-            allow: {
-               extensions: {
-                   pp_cli_auth: "true"
-               }
-            }
+            allow: [
+               "localhost",
+               "127.0.0.1",
+               "marcos.anarc.at",
+               {
+                   extensions: {
+                       pp_cli_auth: "true"
+                   }
+                }
+            ]
             sort-order: 500
             name: "puppetlabs cert status"
         },
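Review bot: the widened allow list grants every method of this rule (get, put and delete, i.e. listing, signing and revoking) to any client whose certificate name is "localhost", "127.0.0.1" or "marcos.anarc.at", not only to the CLI. The log line above shows the denied request was already authenticated as marcos.anarc.at, so the CLI presented the server's own host certificate rather than one carrying the pp_cli_auth extension that the original single entry requires; the durable fix is to find out which certificate `puppetserver ca` is using, make sure it carries that extension, and leave the rule as it was. If a certname entry has to stay, keep only "marcos.anarc.at" (the report says "localhost" alone was not sufficient) and drop "localhost" and "127.0.0.1": string entries are compared against the name in the authenticated client certificate, not against the peer address or its reverse DNS, so those two only widen access to whoever holds a certificate with that name.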

-- System Information:
Debian Release: 12.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'stable-security'), (500, 'testing'), (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-6-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages puppetserver depends on:
ii  default-jre-headless                         2:1.17-74
ii  facter                                       4.3.0-2
ii  hiera                                        3.10.0-1
pn  jruby                                        <none>
pn  libclj-time-clojure                          <none>
pn  libclj-yaml-clojure                          <none>
pn  libclojure-java                              <none>
pn  libcomidi-clojure                            <none>
pn  libcommons-exec-java                         <none>
ii  libcommons-io-java                           2.11.0-2
pn  libcommons-lang-java                         <none>
pn  libdropwizard-metrics-java                   <none>
pn  libdujour-version-check-clojure              <none>
pn  libjruby-utils-clojure                       <none>
pn  libkitchensink-clojure                       <none>
pn  libliberator-clojure                         <none>
pn  libprismatic-schema-clojure                  <none>
pn  libpuppetlabs-http-client-clojure            <none>
pn  libpuppetlabs-i18n-clojure                   <none>
pn  libpuppetlabs-ring-middleware-clojure        <none>
pn  libraynes-fs-clojure                         <none>
pn  libsemver-clojure                            <none>
pn  libshell-utils-clojure                       <none>
pn  libslingshot-clojure                         <none>
pn  libssl-utils-clojure                         <none>
pn  libtrapperkeeper-authorization-clojure       <none>
pn  libtrapperkeeper-clojure                     <none>
pn  libtrapperkeeper-comidi-metrics-clojure      <none>
pn  libtrapperkeeper-filesystem-watcher-clojure  <none>
pn  libtrapperkeeper-metrics-clojure             <none>
pn  libtrapperkeeper-scheduler-clojure           <none>
pn  libtrapperkeeper-status-clojure              <none>
pn  libtrapperkeeper-webserver-jetty9-clojure    <none>
pn  libyaml-snake-java                           <none>
ii  puppet-agent                                 7.23.0-1
ii  ruby                                         1:3.1
ii  ruby-deep-merge                              1.1.1-2
ii  ruby-fast-gettext                            2.0.3-2
ii  ruby-gettext                                 3.3.3-2
ii  ruby-hocon                                   1.3.1-2
ii  ruby-locale                                  2.1.3-1
pn  ruby-puppet-resource-api                     <none>
pn  ruby-puppetserver-ca-cli                     <none>
ii  ruby-semantic-puppet                         1.0.4-1
ii  ruby-text                                    1.3.1-1

Versions of packages puppetserver recommends:
pn  puppet-module-puppetlabs-augeas-core   <none>
pn  puppet-module-puppetlabs-cron-core     <none>
pn  puppet-module-puppetlabs-host-core     <none>
pn  puppet-module-puppetlabs-mount-core    <none>
pn  puppet-module-puppetlabs-selinux-core  <none>
pn  puppet-module-puppetlabs-sshkeys-core  <none>

puppetserver suggests no packages.
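As an added illustration, not part of the bug report nor of puppetserver's own code, the following is a simplified Python model of how an auth.conf rule like the one patched above evaluates its allow entries: a string entry is compared to the name in the authenticated client certificate, a map entry is compared to that certificate's extensions, and the first rule whose path prefix and method match decides. The rule path `/puppet-ca/v1/certificate_status`, the prefix semantics of `type: path`, and the request objects are assumptions constructed from the log line and the diff in the report; the real implementation is trapperkeeper-authorization's Clojure code, which this does not reproduce.

```python
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple


@dataclass
class Request:
    path: str
    method: str
    authenticated: bool                   # client presented a certificate the CA trusts
    certname: Optional[str] = None        # name taken from that certificate, not from DNS
    extensions: Dict[str, str] = field(default_factory=dict)   # certificate extensions


@dataclass
class Rule:
    name: str
    path: str                             # prefix match, i.e. match-request type: path
    methods: List[str]
    allow: List[Any]                      # certname strings or {"extensions": {...}} maps


def entry_matches(entry: Any, req: Request) -> bool:
    """One allow entry: a certname string ("*" matches any name) or an extensions map."""
    if not req.authenticated:
        return False
    if isinstance(entry, str):
        return entry == "*" or entry == req.certname
    if isinstance(entry, dict) and "extensions" in entry:
        return all(req.extensions.get(k) == v for k, v in entry["extensions"].items())
    return False


def authorize(rules: List[Rule], req: Request) -> Tuple[str, Optional[str]]:
    """The first rule whose path prefix and method match decides; no match means deny."""
    for rule in rules:
        if req.path.startswith(rule.path) and req.method in rule.methods:
            allowed = any(entry_matches(e, req) for e in rule.allow)
            return ("allow" if allowed else "deny"), rule.name
    return "deny", None


# Assumed rule path (not shown in the diff); as a prefix it also covers .../certificate_statuses.
CERT_STATUS_PATH = "/puppet-ca/v1/certificate_status"
METHODS = ["get", "put", "delete"]

# The rule before the patch: only a certificate carrying pp_cli_auth is allowed.
RULE_BEFORE = Rule("puppetlabs cert status", CERT_STATUS_PATH, METHODS,
                   allow=[{"extensions": {"pp_cli_auth": "true"}}])

# The rule after the patch: three certnames are allowed as well.
RULE_AFTER = Rule("puppetlabs cert status", CERT_STATUS_PATH, METHODS,
                  allow=["localhost", "127.0.0.1", "marcos.anarc.at",
                         {"extensions": {"pp_cli_auth": "true"}}])

LIST_PATH = "/puppet-ca/v1/certificate_statuses/any_key"

# Constructed requests. The first reproduces the denied call from the log line:
# authenticated as marcos.anarc.at, but with no pp_cli_auth extension.
CLI_WITH_HOST_CERT = Request(LIST_PATH, "get", True, "marcos.anarc.at")
CLI_WITH_CLI_CERT = Request(LIST_PATH, "get", True, "marcos.anarc.at",
                            {"pp_cli_auth": "true"})
OTHER_NODE = Request(LIST_PATH, "get", True, "node1.example.net")
CLIENT_NAMED_LOCALHOST = Request(LIST_PATH, "delete", True, "localhost")


def compare() -> Dict[str, Tuple[Tuple[str, Optional[str]], Tuple[str, Optional[str]]]]:
    """Verdict of each constructed request under the old and the patched rule."""
    cases = {
        "cli using host cert": CLI_WITH_HOST_CERT,
        "cli using pp_cli_auth cert": CLI_WITH_CLI_CERT,
        "ordinary agent node": OTHER_NODE,
        "any cert named localhost": CLIENT_NAMED_LOCALHOST,
    }
    return {label: (authorize([RULE_BEFORE], r), authorize([RULE_AFTER], r))
            for label, r in cases.items()}


if __name__ == "__main__":
    for label, (before, after) in compare().items():
        print(f"{label:28s} before={before[0]:5s} after={after[0]}")
```

Running it shows the two things the report turns on: the host certificate is denied by the original rule because it lacks the extension, and the patched rule admits it purely on its certname, which is also why any certificate named "localhost" gains delete (revoke) access while an ordinary agent certificate is still refused.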
