Api call /puppet/ca to foreman-proxy does not work

Does anyone have any idea about what might be wrong?

[root@foreman~]# curl -X GET -u admin:XXXXXXXXXXXXXXXX -H "Accept:pplication/json" -k https://localhost:9090/version
{"version":"1.13.0","modules":{"pulp":"1.3.0","puppetca":"1.13.0","puppet":"1.13.0","logs":"1.13.0"}}[root@foreman ~]#

[root@foreman ~]# curl -X GET -u admin:XXXXXXXXXXXXXX -H "Accept:pplication/json" -k https://localhost:9090/features
["logs","pulp","puppet","puppetca"][root@foreman~]#

[root@foreman ~]# curl -X GET -u admin:XXXXXXXXXXXXX -H "Accept:pplication/json" -k https://localhost:9090/puppet/ca/
could not read client cert from environment[root@foreman ~]#

> From: "marco giovannini" <usernkey@gmail.com>
> To: "Foreman users" <foreman-users@googlegroups.com>
> Sent: Friday, November 11, 2016 11:16:06 AM
> Subject: [foreman-users] api call /puppet/ca to foreman-proxy does not work

The first 2 API calls don't need authentication, so they work. The last needs
authentication, but we use client certificates to talk to the proxy. The proxy
has no access to the Foreman database to authenticate with a Foreman user.

Foreman uses the client certificates configured in its Settings:

ssl_ca_file | /etc/foreman/proxy_ca.pem | SSL CA file that Foreman will use to communicate with its proxies
ssl_certificate | /etc/foreman/client_cert.pem | SSL Certificate path that Foreman would use to communicate with its proxies
ssl_priv_key | /etc/foreman/client_key.pem | SSL Private Key file that Foreman will use to communicate with its proxies

But the proxy isn't intended to be used directly by end users for the most
part; maybe what you want to do is accessible in the actual Foreman public
API (/apidoc on your Foreman).


Hi

Thanks for the information.

What I'm trying to do is revoke/delete a puppet certificate for a host by
API.

It seems the API call to delete the cert is not available in the stable
Foreman yet, or at least I did not find it in the doc :)

The host is not deployed by Foreman, as the unofficial plugin for Cloudstack
is not working anymore and we will need time to fix it; it is only
connecting to puppet at the moment.

When we delete a host by API it seems it doesn't delete the puppet cert, and
when we redeploy it (we are implementing an auto-scale solution, so hosts get
deployed and deleted based on the load) there is a mismatch with the new
cert and the host doesn't get the conf.


Hi, using the API we didn't find a way. We added to our delete host
playbook a task to connect to the Foreman and delete the cert by CLI.


Hi there

I was indeed also wondering that it's no longer possible, but it is. After
some hours of work I got it working.
As @stephen mentioned, Foreman users are not usable in foreman-proxy.

Here is the command which has worked for me:

curl -k -X DELETE -H "Accept: application/json" \
  https://mydomain.com:8443/puppet/ca/hostname.mydomain.com --tlsv1 \
  --cacert /etc/puppetlabs/puppetdb/ssl/ca.pem \
  --cert /etc/puppetlabs/puppetdb/ssl/public.pem \
  --key /etc/puppetlabs/puppetdb/ssl/private.pem

So I'm looking forward to adding an OAuth token here to identify. If someone has
done it before, please post it here.

Greetings
Karen

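The client-certificate call discussed in the replies above, as an added example that is not code from the thread or from the Foreman project. It assumes the certificate paths from the Foreman settings quoted earlier are accepted by the proxy; the function names, the `PROXY_URL` default, the `DRY_RUN` switch and the certname character policy are hypothetical. Unlike the commands in the thread it omits `-k`, so the proxy's certificate is checked against the CA file.

```shell
#!/bin/sh
# Added example, not code from the thread. Source it, then:
#   DRY_RUN=1 revoke_cert host01.example.test

# Defaults: certificate paths are the Foreman settings quoted above;
# PROXY_URL is an assumption (override all four via the environment).
PROXY_URL="${PROXY_URL:-https://localhost:9090}"
CA_FILE="${CA_FILE:-/etc/foreman/proxy_ca.pem}"
CERT_FILE="${CERT_FILE:-/etc/foreman/client_cert.pem}"
KEY_FILE="${KEY_FILE:-/etc/foreman/client_key.pem}"

# Assumed certname policy: letters, digits, '.', '_' and '-' only, so the
# value cannot add path segments or a query string to the URL.
valid_certname() {
    case "$1" in
        ''|.*|*.|*..*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# True only if the key is a regular file with no group/other permission bits.
key_is_private() {
    [ -f "$1" ] || return 1
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Delete (revoke) one certificate through the proxy's /puppet/ca/<certname>.
# Returns 2 bad name, 3 unreadable file, 4 exposed key, else curl's status.
revoke_cert() {
    certname=$1
    valid_certname "$certname" || { echo "invalid certname" >&2; return 2; }
    for f in "$CA_FILE" "$CERT_FILE" "$KEY_FILE"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 3; }
    done
    key_is_private "$KEY_FILE" ||
        { echo "$KEY_FILE is accessible to group/other" >&2; return 4; }
    # No -k: the proxy's certificate is verified against CA_FILE.
    set -- curl --fail --silent --show-error -X DELETE \
        -H 'Accept: application/json' \
        --cacert "$CA_FILE" --cert "$CERT_FILE" --key "$KEY_FILE" \
        "$PROXY_URL/puppet/ca/$certname"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$@"      # one argument per line, nothing is sent
    else
        "$@"
    fi
}
```

With `DRY_RUN=1` the function only prints the curl arguments, which is a convenient way to review the request before wiring it into a host-deletion playbook.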

Hi Marco,

Did you ever find a solution for this? We are also looking to delete certs
via the API. We have it working without SSL/TLS, but would like to have
it work with SSL/TLS.

Thanks for any info.

-Scott

On Monday, November 14, 2016 at 5:10:25 AM UTC-5, marco giovannini wrote:
> What I'm trying to do is revoke/delete a puppet certificate for a host by
> API.

Thanks for the follow up.

-S

On Monday, February 13, 2017 at 9:15:29 AM UTC-5, marco giovannini wrote:
> Hi using the API we didn't find a way. We added to our delete host
> playbook a task to connect to the Foreman an delete the cert by cli.