[Pkg-puppet-devel] Bug#1033915: puppetserver ca list fails with a 403 error
Antoine Beaupre
anarcat at debian.org
Mon Apr 3 21:18:39 BST 2023
Package: puppetserver
Version: 7.9.5-1
Severity: important
In an upgraded Puppet server 7 running in Debian testing (bookworm), I
am seeing the following error when trying to list or sign CSRs:
root@marcos:/etc# puppetserver ca list
Error:
code: 403
body: Forbidden request: /puppet-ca/v1/certificate_statuses/any_key (method :get). Please see the server logs for details.
Error while getting certificate requests
Said logs tell me this:
2023-04-03T15:51:33.497-04:00 ERROR [qtp1647989340-88] [p.t.a.rules]
Forbidden request: marcos.anarc.at(127.0.0.1) access to /puppet-ca/v1/certificate_statuses/any_key (method :get) (authenticated: true) denied by rule 'puppetlabs cert status'.
It looks like I need extra hostnames in /etc/puppet/puppetserver/conf.d/auth.conf.
In my case, adding `localhost` wasn't sufficient, I had to add the
FQDN of the Puppet server, which is a little distressing because it
feels like the Puppet server is relying on the reverse DNS to
authenticate clients, which is obviously flawed.
The patch, in my case, ended up something like:
root@marcos:/etc# git diff
diff --git a/puppet/puppetserver/conf.d/auth.conf b/puppet/puppetserver/conf.d/auth.conf
index 5059f0a5..b7ddc868 100644
--- a/puppet/puppetserver/conf.d/auth.conf
+++ b/puppet/puppetserver/conf.d/auth.conf
@@ -63,11 +63,16 @@ authorization: {
type: path
method: [get, put, delete]
}
- allow: {
- extensions: {
- pp_cli_auth: "true"
- }
- }
+ allow: [
+ "localhost",
+ "127.0.0.1",
+ "marcos.anarc.at",
+ {
+ extensions: {
+ pp_cli_auth: "true"
+ }
+ }
+ ]
sort-order: 500
name: "puppetlabs cert status"
},
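Review bot: the three string entries added to `allow` are compared with the client certificate's name, which is the `marcos.anarc.at` printed before the parenthesis in the quoted log line, not with the source address inside the parenthesis; the report itself says that `localhost` alone did not help, so `"localhost"` and `"127.0.0.1"` are dead entries and only `"marcos.anarc.at"` changes the outcome. That entry also lets any process presenting the server's own certificate use `get`, `put` and `delete` on the certificate status endpoint (the `method: [get, put, delete]` context line above), which is much broader than the `pp_cli_auth: "true"` extension the shipped rule keys on. Before widening the rule it would be worth finding out why the certificate the CLI presents after the upgrade no longer carries that extension; if the hostname entry is kept as a workaround, drop the two entries that cannot match so the rule stays minimal.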
-- System Information:
Debian Release: 12.0
APT prefers testing-security
APT policy: (500, 'testing-security'), (500, 'stable-security'), (500, 'testing'), (500, 'stable'), (1, 'experimental'), (1, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-6-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages puppetserver depends on:
ii default-jre-headless 2:1.17-74
ii facter 4.3.0-2
ii hiera 3.10.0-1
pn jruby <none>
pn libclj-time-clojure <none>
pn libclj-yaml-clojure <none>
pn libclojure-java <none>
pn libcomidi-clojure <none>
pn libcommons-exec-java <none>
ii libcommons-io-java 2.11.0-2
pn libcommons-lang-java <none>
pn libdropwizard-metrics-java <none>
pn libdujour-version-check-clojure <none>
pn libjruby-utils-clojure <none>
pn libkitchensink-clojure <none>
pn libliberator-clojure <none>
pn libprismatic-schema-clojure <none>
pn libpuppetlabs-http-client-clojure <none>
pn libpuppetlabs-i18n-clojure <none>
pn libpuppetlabs-ring-middleware-clojure <none>
pn libraynes-fs-clojure <none>
pn libsemver-clojure <none>
pn libshell-utils-clojure <none>
pn libslingshot-clojure <none>
pn libssl-utils-clojure <none>
pn libtrapperkeeper-authorization-clojure <none>
pn libtrapperkeeper-clojure <none>
pn libtrapperkeeper-comidi-metrics-clojure <none>
pn libtrapperkeeper-filesystem-watcher-clojure <none>
pn libtrapperkeeper-metrics-clojure <none>
pn libtrapperkeeper-scheduler-clojure <none>
pn libtrapperkeeper-status-clojure <none>
pn libtrapperkeeper-webserver-jetty9-clojure <none>
pn libyaml-snake-java <none>
ii puppet-agent 7.23.0-1
ii ruby 1:3.1
ii ruby-deep-merge 1.1.1-2
ii ruby-fast-gettext 2.0.3-2
ii ruby-gettext 3.3.3-2
ii ruby-hocon 1.3.1-2
ii ruby-locale 2.1.3-1
pn ruby-puppet-resource-api <none>
pn ruby-puppetserver-ca-cli <none>
ii ruby-semantic-puppet 1.0.4-1
ii ruby-text 1.3.1-1
Versions of packages puppetserver recommends:
pn puppet-module-puppetlabs-augeas-core <none>
pn puppet-module-puppetlabs-cron-core <none>
pn puppet-module-puppetlabs-host-core <none>
pn puppet-module-puppetlabs-mount-core <none>
pn puppet-module-puppetlabs-selinux-core <none>
pn puppet-module-puppetlabs-sshkeys-core <none>
puppetserver suggests no packages.
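The following is an added example, not code from puppetserver or from the bug report. It is a deliberately simplified model of how an auth.conf `allow` list decides an authenticated request, used here to check the reporter's reading of the failure: a plain string entry is compared with the client certificate's name (the name printed before the parenthesis in the denial log line), a map entry with `extensions` matches when every listed extension value is present in the client certificate, and the source IP is never consulted. Globs, regexes, `allow-unauthenticated` and header-supplied certificate info are left out of the model. The log line is constructed in the format quoted above, and the extension set of the failing CLI run is assumed empty because extensions are not logged.

```python
"""Simplified model of a puppetserver auth.conf allow list (added example)."""
import re

# Constructed log line in the format quoted in the report (not a capture).
SAMPLE_LOG = (
    "2023-04-03T15:51:33.497-04:00 ERROR [qtp1647989340-88] [p.t.a.rules] "
    "Forbidden request: marcos.anarc.at(127.0.0.1) access to "
    "/puppet-ca/v1/certificate_statuses/any_key (method :get) "
    "(authenticated: true) denied by rule 'puppetlabs cert status'."
)

DENIAL_RE = re.compile(
    r"Forbidden request: (?P<certname>[^(\s]+)\((?P<ip>[^)]+)\) access to "
    r"(?P<path>\S+) \(method :(?P<method>\w+)\) "
    r"\(authenticated: (?P<authenticated>true|false)\) "
    r"denied by rule '(?P<rule>[^']+)'"
)


def parse_denial(line):
    """Return the fields of a 'Forbidden request' log line, or None."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["authenticated"] = fields["authenticated"] == "true"
    return fields


def matching_entry(allow, client):
    """Return the first allow entry that admits `client`, else None.

    `client` is {"certname": str, "extensions": {name: value}}; both fields
    come from the client certificate. There is deliberately no IP field:
    the model (like the real rule engine, as far as this report shows)
    never looks at where the connection came from.
    """
    for entry in allow:
        if isinstance(entry, str):
            if entry == client["certname"]:
                return entry
        elif isinstance(entry, dict):
            wanted = entry.get("extensions", {})
            if wanted and all(client["extensions"].get(k) == v
                              for k, v in wanted.items()):
                return entry
    return None


# The rule as shipped (left side of the hunk) and as patched (right side).
ORIGINAL_ALLOW = [{"extensions": {"pp_cli_auth": "true"}}]
PATCHED_ALLOW = ["localhost", "127.0.0.1", "marcos.anarc.at",
                 {"extensions": {"pp_cli_auth": "true"}}]


def client_from_denial(line, extensions=None):
    """Build the client a denial line describes. Extensions are not logged,
    so the caller supplies them (assumed empty for the failing CLI run)."""
    fields = parse_denial(line)
    return {"certname": fields["certname"], "extensions": extensions or {}}


def dead_entries(allow, clients):
    """String entries that admit none of the observed clients."""
    live = [matching_entry(allow, c) for c in clients]
    return [e for e in allow if isinstance(e, str) and e not in live]


if __name__ == "__main__":
    cli = client_from_denial(SAMPLE_LOG)
    print("shipped rule admits via:", matching_entry(ORIGINAL_ALLOW, cli))
    print("patched rule admits via:", matching_entry(PATCHED_ALLOW, cli))
    print("entries that never match:", dead_entries(PATCHED_ALLOW, [cli]))
    # A CLI certificate carrying the extension needs no hostname entry.
    cli_with_ext = {"certname": "marcos.anarc.at",
                    "extensions": {"pp_cli_auth": "true"}}
    print("shipped rule with extension:", matching_entry(ORIGINAL_ALLOW, cli_with_ext))
```

Run against the quoted log line, the model admits the request only through the `"marcos.anarc.at"` entry; the `"localhost"` and `"127.0.0.1"` entries never match because the comparison is against the certificate name, not the `127.0.0.1` in the parenthesis, which is consistent with the reporter's observation that adding `localhost` alone was not enough.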