jonuwz · August 22, 2014 09:42
diff --git a/proxying puppetmaster api b/proxying puppetmaster api
 This is so we can do puppet cert clean remotely.

 on the puppet box :

 puppet cert generate pe-api
 cat /etc/puppetlabs/puppet/ssl/certs/pe-api.pem /etc/puppetlabs/puppet/ssl/private_keys/pe-api.pem > cat /etc/puppetlabs/puppet/ssl/certs/pe-api.pem /etc/puppetlabs/puppet/ssl/private/pe-api.pem

 cat <<'EOF' > /etc/puppetlabs/httpd/console_apps.d/api.conf
 SSLProxyEngine on
 SSLProxyCACertificateFile /etc/puppetlabs/puppet/ssl/certs/ca.pem
 SSLProxyMachineCertificateFile /etc/puppetlabs/puppet/ssl/certs/pe-api.pem /etc/puppetlabs/puppet/ssl/private/pe-api.pem

 ProxyPassMatch ^/api/(.*)$ https://localhost:8140/$1
 EOF

 Now add pe-api to the allow list in auth.conf for the endpoints you want to hit.  i.e.

 path  /certificate_status
 method find, search, save, destroy
 auth yes
 allow pe-internal-dashboard, pe-api


 /etc/init.d/pe-httpd restart

 now you can hit :

 curl -k  -H "Accept: pson" https://puppet.domain/api/production/certificate_status/<certname>
	This is so we can do puppet cert clean remotely.

	on the puppet box :

	puppet cert generate pe-api
	cat /etc/puppetlabs/puppet/ssl/certs/pe-api.pem /etc/puppetlabs/puppet/ssl/private_keys/pe-api.pem > cat /etc/puppetlabs/puppet/ssl/certs/pe-api.pem /etc/puppetlabs/puppet/ssl/private/pe-api.pem

	cat <<'EOF' > /etc/puppetlabs/httpd/console_apps.d/api.conf
	SSLProxyEngine on
	SSLProxyCACertificateFile /etc/puppetlabs/puppet/ssl/certs/ca.pem
	SSLProxyMachineCertificateFile /etc/puppetlabs/puppet/ssl/certs/pe-api.pem /etc/puppetlabs/puppet/ssl/private/pe-api.pem

	ProxyPassMatch ^/api/(.*)$ https://localhost:8140/$1
	EOF

	Now add pe-api to the allow list in auth.conf for the endpoints you want to hit. i.e.

	path /certificate_status
	method find, search, save, destroy
	auth yes
	allow pe-internal-dashboard, pe-api


	/etc/init.d/pe-httpd restart

	now you can hit :

	curl -k -H "Accept: pson" https://puppet.domain/api/production/certificate_status/<certname>