Status API authentication
The status API does not use token-based authentication. You can authenticate requests with a certificate that is listed in the RBAC certificate allowlist, or, if you enable the plaintext endpoint (it is off by default), access the API over HTTP without any authentication.
Certificate authentication
You can authenticate requests with a certificate listed in RBAC's certificate allowlist, located at /etc/puppetlabs/console-services/rbac-certificate-allowlist.
The certificate allowlist is a simple, flat file with one certname per line; each entry must match the certname of a certificate that clients present, for example:
node1.example
node2.example
node3.example
If you edit the certificate allowlist, you must reload the pe-console-services service (run sudo service pe-console-services reload) for your changes to take effect.
To use the certificate in a curl request, you must pass the allowed certificate (its certname must match a line in the rbac-certificate-allowlist file), its private key, and the CA certificate that curl uses to verify the server. This example shows how to use puppet commands to include an allowed certificate in a curl request:
# The agent's own certificate, the CA certificate and the agent's private key,
# read from the local puppet configuration rather than hard-coded paths.
cert="$(puppet config print hostcert)"
cacert="$(puppet config print localcacert)"
key="$(puppet config print hostprivkey)"
# The status API listens on the console's HTTPS port, 4433.
uri="https://$(puppet config print server):4433/status/v1/services"
curl --cert "$cert" --cacert "$cacert" --key "$key" "$uri"
For information about using puppet commands to populate curl arguments, go to Using example commands.
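The checks a practitioner wants before running the request above, as an added example that is not part of the Puppet Enterprise documentation or product: a POSIX shell library that confirms a certname is really listed in the allowlist (exact, whole-line match, so a similar name such as node1.example.com is not mistaken for node1.example), adds it when missing and reminds you that pe-console-services must be reloaded, and only then issues the curl request with the certificate and key for that certname. The allowlist path, port 4433 and the puppet config print calls come from the page; the function names, the one-certname-per-line exact matching and the ssldir/certs and ssldir/private_keys paths (the standard Puppet ssldir layout) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Puppet Enterprise documentation: pre-flight
# checks for certificate authentication to the status API.
# Assumptions: the allowlist holds one certname per line and is matched
# exactly; the certificate and key for a certname live in the standard
# ssldir layout (certs/<certname>.pem, private_keys/<certname>.pem).

ALLOWLIST="${ALLOWLIST:-/etc/puppetlabs/console-services/rbac-certificate-allowlist}"
STATUS_PORT="${STATUS_PORT:-4433}"

# allowlist_has FILE CERTNAME
# 0 if CERTNAME is a complete line of FILE, 1 if not, 2 if FILE is unreadable.
# -x forces a whole-line match, so node1.example does not pass for
# node1.example.com (or for the bare prefix node1); -F keeps the dots literal.
allowlist_has() {
  _file=$1
  _name=$2
  [ -r "$_file" ] || return 2
  grep -qxF -- "$_name" "$_file"
}

# allowlist_add FILE CERTNAME
# Appends CERTNAME when it is missing. Prints "added" (the edit is not live
# until pe-console-services is reloaded) or "present" (nothing changed).
allowlist_add() {
  _file=$1
  _name=$2
  [ -r "$_file" ] || { echo "cannot read $_file" >&2; return 2; }
  if allowlist_has "$_file" "$_name"; then
    echo present
  else
    printf '%s\n' "$_name" >> "$_file"
    echo added
  fi
}

# reload_console_services
# The reload the page calls for after editing the allowlist.
reload_console_services() {
  sudo service pe-console-services reload
}

# status_request [CERTNAME]
# Fails closed: refuses to send a request with a certificate whose certname
# is not allowlisted, since the console would reject it anyway. Defaults to
# the agent certname; pass the name of a dedicated API certificate instead.
status_request() {
  _name=${1:-$(puppet config print certname)}
  if ! allowlist_has "$ALLOWLIST" "$_name"; then
    echo "$_name is not listed in $ALLOWLIST; add it and reload pe-console-services" >&2
    return 1
  fi
  _ssldir=$(puppet config print ssldir)
  _server=$(puppet config print server)
  curl --cert "$_ssldir/certs/$_name.pem" \
       --key "$_ssldir/private_keys/$_name.pem" \
       --cacert "$(puppet config print localcacert)" \
       "https://$_server:$STATUS_PORT/status/v1/services"
}

# Usage (as root on the primary server, after sourcing this file):
#   [ "$(allowlist_add "$ALLOWLIST" api-client.example)" = added ] && reload_console_services
#   status_request api-client.example
```

Because allowlist_has uses grep -x, a trailing-whitespace or partial entry in the file is reported as missing rather than silently accepted, which matches the fail-closed intent of the request wrapper.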
Tip: You do not need to use an agent certificate for authentication. You can use puppet cert generate (on Puppet 6 and later, where the puppet cert subcommand no longer exists, the equivalent is puppetserver ca generate --certname <name>) to create a certificate to use specifically with the API. Whichever certificate you use, its certname must be in the allowlist, and the service reloaded, before the console accepts it.

HTTP authentication
Status API endpoints can also be served over plain HTTP, which requires no authentication at all. This is disabled by default: once enabled, anyone who can reach the port can read the status of every console service, so restrict access to the port (for example with a host firewall) to the monitoring hosts that need it. To enable HTTP:
- In the PE console, go to the PE Console node group.
- On the puppet_enterprise::profile::console class, set console_services_plaintext_status_enabled to true.
The default HTTP status endpoint port is 8123. To change the port:
- In the PE console, go to the PE Console node group.
- On the puppet_enterprise::profile::console class, set the console_services_plaintext_status_port parameter to the relevant port number.