Authenticating to puppetdb dashboard SSL using certificate auth

The puppetdb dashboard has some performance monitoring built in. Accessing it on localhost is easy: no auth at all. Accessing it remotely over SSL takes three things: a client cert for your browser, Jetty configured to trust the puppet master's CA (so it can verify that client cert), and your cert's name added to the list of certs allowed to query puppetdb. Here are all the steps I needed to make this work on CentOS 6.4 (server) and Mac OSX 10.7 with Firefox 23.0.1.

[root@puppetmaster ssl]# puppet cert generate esakowski
Notice: esakowski has a waiting certificate request
Notice: Signed certificate request for esakowski
Notice: Removing file Puppet::SSL::CertificateRequest esakowski at '/etc/puppetlabs/puppet/ssl/ca/requests/esakowski.pem'
Notice: Removing file Puppet::SSL::CertificateRequest esakowski at '/etc/puppetlabs/puppet/ssl/certificate_requests/esakowski.pem'
Notice: 
Notice: You have 3 active and no inactive nodes.
Notice: You are currently licensed for 10 active nodes.
Notice: 
Notice: This Puppet Enterprise distribution is licensed to:
Notice:         N/A
 
You are using a complimentary ten node license provided free by Puppet Labs.
Notice: 
Notice: Your complimentary license does not include Support & Maintenance. If you
Notice: would like to obtain official Support & Maintenance, please contact us
Notice: for pricing, and to find out about volume discounts.
[root@puppetmaster ssl]# find . -name 'esakowski\.*'
./public_keys/esakowski.pem
./private_keys/esakowski.pem
./ca/signed/esakowski.pem
./certs/esakowski.pem
[root@puppetmaster ssl]#

Next you have to smash the private key, the signed cert and the CA cert into a PKCS#12 bundle. I entered nothing for the export password; be aware that an empty password leaves the private key unencrypted inside the .pfx, so either set one (you will be asked for it again when importing into Firefox) or handle the file as you would a bare private key:

[root@puppetmaster ssl]# cd /tmp
[root@puppetmaster tmp]# openssl pkcs12 -export -out esakowski.pfx -inkey /etc/puppetlabs/puppet/ssl/private_keys/esakowski.pem  -in /etc/puppetlabs/puppet/ssl/ca/signed/esakowski.pem -certfile /etc/puppetlabs/puppet/ssl/certs/ca.pem 
Enter Export Password:
Verifying - Enter Export Password:
[root@puppetmaster tmp]#
[root@puppetmaster tmp]# file esakowski.pfx
esakowski.pfx: data
[root@puppetmaster tmp]#

Copy this .pfx file (scp works) to your workstation filesystem so you can add it to FF, and delete the copy in /tmp once it has been imported.

To add it to your Firefox keys, go to Preferences -> Advanced -> View Certificates -> Your Certificates -> Import
and select the file. Here again, you enter nothing for the password (or the export password you chose above).

You have to tell Jetty to trust the puppet master CA cert, otherwise it cannot verify client certs at all. Edit /etc/puppetlabs/puppetdb/conf.d/jetty.ini and add, in the [jetty] section:
ssl-ca-cert = /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem

If you try to hit https://puppetmaster:8081 right now, the TLS handshake succeeds (Firefox will offer your new cert), but puppetdb answers with a 403 and “You shall not pass!”. Your cert chains to a CA Jetty trusts, but its Common Name is not yet in the whitelist of certs that are allowed to see statistics from the puppetdb dashboard. That whitelist is the real access control here: without it, any cert signed by the puppet CA, which means every agent node, would be accepted. PE ships the file with the dashboard and the master already in it. Edit it to add the name of your cert (whatever name you passed to puppet cert generate; that name is the cert's CN):

[root@puppetmaster conf.d]# cat /etc/puppetlabs/puppetdb/certificate-whitelist
pe-internal-dashboard
puppetmaster
esakowski
[root@puppetmaster conf.d]#

Restart pe-puppetdb:

[root@puppetmaster conf.d]# service pe-puppetdb restart
Stopping pe-puppetdb:                                      [  OK  ]
Starting pe-puppetdb:                                      [  OK  ]
[root@puppetmaster conf.d]#

Now go to https://puppetmaster.foo.com:8081/ and you should see something like the screengrab below. If not, check the contents of /var/log/pe-puppetdb/*.log.
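The steps above, as an added example that is not code from the original post: a POSIX shell script that issues the cert, builds the .pfx, updates the whitelist idempotently (exact whole-line match, no duplicate entries, and it copes with a file that lacks a trailing newline) and then checks the result with curl so you can tell a 403 from a handshake failure. The same whitelist_add handles the multi-master case from the comment below, where a second master's certname has to be whitelisted as well. Assumptions of mine: the PE 3.x paths as shown in the post, the PUPPETDB_URL value, the /tmp output path, and the PFX_PASSWORD variable; unlike the post, the script refuses an empty PKCS#12 password.

```bash
#!/bin/sh
# Added example, not code from the original post. Paths are the PE 3.x
# defaults shown in the post; PUPPETDB_URL, the /tmp output path and the
# PFX_PASSWORD variable are assumptions of this script.
set -eu

SSLDIR=/etc/puppetlabs/puppet/ssl
WHITELIST=/etc/puppetlabs/puppetdb/certificate-whitelist
PUPPETDB_URL=${PUPPETDB_URL:-https://puppetmaster:8081/}

# Step 1: have the puppet CA issue a cert whose CN is the given name.
issue_cert() {
    puppet cert generate "$1"
}

# Step 2: bundle key + signed cert + CA cert into PKCS#12 for the browser.
# Deviation from the post: a non-empty export password is required, because
# the .pfx would otherwise hold the private key unencrypted.
build_pfx() {
    name=$1; out=$2
    [ -n "${PFX_PASSWORD:-}" ] || { echo "set PFX_PASSWORD first" >&2; return 1; }
    openssl pkcs12 -export -out "$out" \
        -inkey "$SSLDIR/private_keys/$name.pem" \
        -in "$SSLDIR/ca/signed/$name.pem" \
        -certfile "$SSLDIR/certs/ca.pem" \
        -passout env:PFX_PASSWORD
    chmod 600 "$out"
    # "file" only says "data"; this actually parses the bundle.
    openssl pkcs12 -in "$out" -info -nokeys -passin env:PFX_PASSWORD >/dev/null
}

# Step 3: whitelist helpers. Whole-line, fixed-string match, so that
# "puppetmaster" does not also match "puppetmaster-01"; appends are
# idempotent and cope with a file that lacks a trailing newline.
whitelist_has() { grep -Fxq -- "$2" "$1"; }
whitelist_add() {
    file=$1; shift
    for name in "$@"; do
        whitelist_has "$file" "$name" && continue
        [ -z "$(tail -c1 "$file" 2>/dev/null)" ] || echo >>"$file"
        printf '%s\n' "$name" >>"$file"
    done
}

# Step 4: end-to-end check with the client cert. 403 means the TLS handshake
# worked but the CN is not whitelisted; 200 means you are in.
check_access() {
    name=$1
    curl -sS -o /dev/null -w '%{http_code}' \
        --cacert "$SSLDIR/certs/ca.pem" \
        --cert "$SSLDIR/certs/$name.pem" \
        --key "$SSLDIR/private_keys/$name.pem" \
        "$PUPPETDB_URL"
}

provision_client() {
    name=$1
    issue_cert "$name"
    build_pfx "$name" "/tmp/$name.pfx"
    whitelist_add "$WHITELIST" "$name"
    service pe-puppetdb restart
    echo "HTTP status for $name: $(check_access "$name")"
}

# The privileged driver only runs when asked for explicitly:
#   PFX_PASSWORD=... sh puppetdb-client.sh run esakowski
if [ "${1:-}" = "run" ]; then
    provision_client "${2:?usage: run <certname>}"
fi
```

Run it on the puppet master as root; check_access reuses the PEM key and cert from the puppet SSL dir, so a 403 after the restart tells you the whitelist (not TLS) is what is rejecting you, and a 200 means the dashboard will load in the browser with the .pfx imported.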

Good luck!

[Screen shot of the puppetdb dashboard, taken 2013-10-04]

One thought on “Authenticating to puppetdb dashboard SSL using certificate auth”

ski (post author):

    If you get the following error when trying to use multi-master, single puppetdb server, the instructions above for certificate-whitelist also apply:

    Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit ‘replace facts’ command for puppet01.foo.net to PuppetDB at puppetmaster-01.foo.net:8081: [403 Forbidden] You shall not pass!
    Warning: Not using cache on failed catalog
    Error: Could not retrieve catalog; skipping run

…my colleague just ran across this page while googling the answer to his problem above and reports that the whitelist fixed the problem for Puppet Enterprise 3.2.3.
