Working with Node Requests

A newer version is available; see the version menu above for details.

Overview

Once the Puppet Enterprise (PE) console has been properly configured to point at the appropriate Certificate Authority (CA), it will display all of the nodes that have generated Certificate Signing Requests (CSRs). You can then approve or deny the requests, individually or in a batch.

For each node making a request, you can also see its name and associated CSR fingerprint.

Viewing Node Requests

You can view the number of pending node requests in the PE console by going to Nodes > Inventory > Unsigned certificates.

cert signing

You will see a view containing a list of all the pending node requests. Each item on the list shows the node’s name and its corresponding CSR’s fingerprint. (On smaller screens, if the display of the full fingerprint is truncated you can hover over it to see the entire fingerprint.)

If there are no pending node requests, you will see some instructions for adding new nodes. If this is not what you expect to see, the location of your Certificate Authority (CA) may not be configured correctly.

Rejecting and Approving Nodes

The ability to respond to node requests is linked to your user privileges. You need to have the Console: View permission and the Certificate requests: Accept and reject permission.

Use the buttons to accept or reject a single node, or all nodes. Note that once a node request is approved, the node will not show up in the console until the next Puppet run takes place. This could be as long as 30 minutes, depending on how you have set up your Puppet master. Depending on how many nodes you have in your site total, and on the number of pending requests, it can also take up to two seconds per request for Reject All or Accept All to finish processing.

Note: When using Accept All or Reject All, nodes are processed in batches. If you close the browser window or navigate to another website while processing is in progress, only the current batch will be processed.

In some cases, DNS altnames may be set up for agent nodes. In such cases, you cannot use the console to approve/reject node requests. The CSR for those nodes must be accepted or rejected using puppet cert on the CA. For more information, see the DNS altnames entry in the configuration reference.

In some cases, attempting to accept or reject a node request will result in an error. This is typically because the request has been modified somehow, usually by being accepted or rejected elsewhere (e.g. by another user or from the CLI) since the request was first generated.

Working with Requests from the CLI

You can still view, approve, and reject node requests using the command line interface.

You can view pending node requests in the CLI by running

$ sudo puppet cert list

To sign one of the pending requests, run:

$ sudo puppet cert sign <name>

For more information on working with certificates from the CLI, see the Puppet tools guide or view the man page for puppet cert.


↑ Back to top