Puppet Enterprise 3.8


Once the Puppet Enterprise (PE) console has been properly configured to point at the appropriate Certificate Authority (CA), it will display all of the nodes that have generated Certificate Signing Requests (CSRs). You can then approve or deny the requests, individually or in a batch.

For each node making a request, you can also see its name and associated CSR fingerprint.

Viewing Node Requests

You can view the number of pending node requests from anywhere in the console by checking the indicator in the top right of the main menu bar.

request indicator

Click on the pending nodes indicator to view and manage the current requests.

You will see a view containing a list of all the pending node requests. Each item on the list shows the node’s name and its corresponding CSR’s fingerprint. (Click on the truncated fingerprint to view the whole thing in a pop-up.)

If there are no pending node requests, you will see some instructions for adding new nodes. If this is not what you expect to see, the location of your Certificate Authority (CA) may not be configured correctly.

Rejecting and Approving Nodes

The ability to respond to node requests is linked to your user privileges. You must be logged in to the console as a user with read/write privileges before you can respond to requests.

Use the buttons to accept or reject nodes, singly or all at once. Note that once a node request is approved, the node will not show up in the console until the next Puppet run takes place. This could be as long as 30 minutes, depending on how you have set up your Puppet master. Depending on how many nodes you have in your site total, and on the number of pending requests, it can also take up to two seconds per request for “Reject All” or “Accept All” to finish processing.

request management view

In some cases, DNS altnames may be set up for agent nodes. In such cases, you cannot use the console to approve/reject node requests. The CSR for those nodes must be accepted or rejected using puppet cert on the CA. For more information, see the DNS altnames entry in the configuration reference.

In some cases, attempting to accept or reject a node request will result in an error. This is typically because the request has been modified somehow, usually by being accepted or rejected elsewhere (e.g. by another user or from the CLI) since the request was first generated.

Accepted/rejected nodes will remain displayed in the console for 24 hours after the action is taken. This interval cannot be modified. However, you can use the Clear accepted/rejected requests button to clean up the display at any time.

Working with Requests from the CLI

You can still view, approve, and reject node requests using the command line interface.

You can view pending node requests in the CLI by running

$ sudo puppet cert list

To sign one of the pending requests, run:

$ sudo puppet cert sign <name>

For more information on working with certificates from the CLI, see the Puppet tools guide or view the man page for puppet cert.

Back to top