When you use the built-in PowerShell command Invoke-RestMethod to make a REST API call to PuppetDB, the call fails with an Invoke-RestMethod error stating that the underlying connection was closed.
Error messages
Invoke-RestMethod -Uri "https://<PUPPET DB FQDN>:8081/pdb/query/v4/nodes" -Headers @{"X-Authentication"="<TOKEN>"}
The underlying connection was closed: An unexpected error occurred on a send.
or
Invoke-RestMethod : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
You get this error because Puppet Server and PuppetDB use certificates issued by the Puppet certificate authority (CA), a private CA whose root certificate is self-signed. That CA is not in the Windows node's trusted root store, so Invoke-RestMethod (which validates server certificates through .NET and SChannel) cannot build a trusted chain and aborts the TLS handshake.
Note: The first message, "An unexpected error occurred on a send", can also mean the handshake failed before certificate validation, typically because the PowerShell session only offers TLS 1.0 (the .NET Framework default on Windows Server 2012 R2) while PuppetDB requires TLS 1.2. Check the session with [Net.ServicePointManager]::SecurityProtocol and, if Tls12 is not listed, set it before making the call.
Version and installation information
PE version: All supported versions
OS: Windows Server 2012 R2
Solution
There are two ways to resolve the issue so that you can successfully use Invoke-RestMethod calls.
- Add the Puppet CA certificate to the Windows node's trusted store. This solution is secure, because the node then validates PuppetDB's certificate the same way it validates any other, but it takes a few steps to configure.
- Configure the .NET certificate policy to accept any certificate. This is a quick solution, but it is not secure. It disables server certificate validation for every HTTPS connection the PowerShell session makes, so the node accepts any certificate from any host, including a forged one presented by a man-in-the-middle. Consult your security team before using it.
Option one: Add the Puppet server certificate to the Windows node’s trusted store
- On the Windows node, in PowerShell, use the openssl.exe that ships with the Puppet agent to bundle the node's own certificate (hostcert), its private key (hostprivkey) and the Puppet CA certificate (localcacert) from their .pem files into a single .pfx file with the -export option. It is the CA certificate in this bundle that establishes trust in PuppetDB's certificate; the node's key is included only because the command exports the whole identity. Note: If you enter a password in this step, you will need to enter it again in the next step.
& 'C:\Program Files\Puppet Labs\Puppet\puppet\bin\openssl.exe' pkcs12 -export -out $Env:USERPROFILE\nodename.pfx -inkey $(puppet config print hostprivkey) -in $(puppet config print hostcert) -certfile $(puppet config print localcacert)
- Still on the Windows node, in an elevated PowerShell session (without -user, certutil writes to the machine store, which requires administrator rights), import the .pfx file into the Windows certificate stores:
& certutil.exe -importpfx $Env:USERPROFILE\nodename.pfx
When the import is successful, you will get the message:
Certificate "<NodeFQDN>" added to store. CertUtil: -importPFX command completed successfully.
The .pfx file contains the node's private Puppet key, so delete it from the user profile once the import has completed.
You should now be able to run the Invoke-RestMethod call successfully. For example:
Invoke-RestMethod -Uri "https://<PUPPET DB FQDN>:8081/pdb/query/v4/nodes" -Headers @{"X-Authentication"="<TOKEN>"}
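As an added example (not part of the original article and not Puppet's own tooling), the following script reaches the same outcome as option one without exporting the node's private key: it reads the CA certificate(s) from the agent's ca.pem, places each one in the matching LocalMachine store (self-signed into Root, an intermediate into CA), confirms with a bare TLS handshake that PuppetDB's chain now validates, and then makes the article's call. It assumes a Puppet agent is installed (so puppet config print works), an elevated session, and that the placeholder values of $PuppetDbFqdn and $Token are replaced; the hostname must be the one in PuppetDB's certificate, not an IP address.

```powershell
# Added example, not from the original article: trust the Puppet CA on the
# Windows node by importing only the CA certificate(s); the node's private key
# never leaves the Puppet ssldir.
# Assumptions: Puppet agent on PATH, elevated session, PuppetDB's certificate
# issued by this CA, placeholders below replaced.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$PuppetDbFqdn = 'puppetdb.example.com'   # assumption: the FQDN exactly as it appears in PuppetDB's certificate
$Token        = '<TOKEN>'                 # RBAC token, as in the article

# The .NET Framework on Server 2012 R2 offers only TLS 1.0 by default; PuppetDB needs TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# ca.pem holds public CA certificates only (root, plus an intermediate on newer PE).
$CaPath = (& puppet config print localcacert).Trim()
$Pem    = Get-Content -Path $CaPath -Raw

# Split the PEM bundle so each certificate lands in the right store:
# self-signed (subject == issuer) -> Root, anything else -> CA (intermediate).
$Blocks = [regex]::Matches($Pem, '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', 'Singleline')
foreach ($Block in $Blocks) {
    $Der  = [Convert]::FromBase64String(($Block.Groups[1].Value -replace '\s', ''))
    $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$Der)
    $StoreName = if ($Cert.Subject -eq $Cert.Issuer) { 'Root' } else { 'CA' }

    $Store = New-Object System.Security.Cryptography.X509Certificates.X509Store ($StoreName, 'LocalMachine')
    $Store.Open('ReadWrite')
    if ($Store.Certificates.Find('FindByThumbprint', $Cert.Thumbprint, $false).Count -eq 0) {
        $Store.Add($Cert)
        Write-Host ("Added to LocalMachine\{0}: {1} (thumbprint {2})" -f $StoreName, $Cert.Subject, $Cert.Thumbprint)
    }
    $Store.Close()
}

# Confirm the live PuppetDB chain validates against the stores before touching the
# API: this completes a TLS 1.2 handshake and nothing else. Revocation checking is
# off because Puppet certificates carry no CRL distribution point for SChannel to use.
$Tcp = New-Object System.Net.Sockets.TcpClient ($PuppetDbFqdn, 8081)
try {
    $Ssl = New-Object System.Net.Security.SslStream ($Tcp.GetStream(), $false)
    $Ssl.AuthenticateAsClient($PuppetDbFqdn, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $Server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ($Ssl.RemoteCertificate)
    Write-Host ("PuppetDB presents {0}, issued by {1}" -f $Server.Subject, $Server.Issuer)
} finally {
    $Tcp.Close()
}

# The article's call, now against a validated chain.
$Nodes = Invoke-RestMethod -Uri "https://${PuppetDbFqdn}:8081/pdb/query/v4/nodes" `
                           -Headers @{ 'X-Authentication' = $Token }
$Nodes | Select-Object certname, report_timestamp | Format-Table -AutoSize
```

If the handshake step throws an AuthenticationException while the Invoke-RestMethod error persists, the remaining problem is the name: the chain is trusted but the FQDN you used is not in the certificate's subject or subject alternative names.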
Option two: Configure the certificate policy to accept any certificate
Configure the .NET certificate policy in the PowerShell session to accept any server certificate.
Note: This method disables certificate validation for every HTTPS connection the session makes, not just the call to PuppetDB, for as long as the session lives. Consult your security team before using it.
- On the Windows node, run the following PowerShell commands. The C# is compiled in the session with Add-Type; CheckValidationResult returning true is what makes every certificate acceptable, whatever the certificateProblem value:
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    // Accepts every server certificate, trusted or not: the insecure part of this option.
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
You should now be able to run the Invoke-RestMethod call successfully. For example:
Invoke-RestMethod -Uri "https://<PUPPET DB FQDN>:8081/pdb/query/v4/nodes" -Headers @{"X-Authentication"="<TOKEN>"}
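As an added example (not part of the original article), here is the corrected form of option two for cases where the trusted store cannot be changed: the same Add-Type pattern, but the callback accepts a chain only if it terminates at a certificate from the agent's ca.pem, still rejects hostname mismatches, and is removed again after the call. It assumes Windows PowerShell (the .NET Framework ServicePointManager; PowerShell 7 uses -SkipCertificateCheck instead and does not honour this), a Puppet agent on the node, and the placeholder values of $PuppetDbFqdn and $Token replaced. The class, method and field names are this example's own.

```powershell
# Added example, not from the original article: pin the Puppet CA in a
# validation callback instead of accepting every certificate.
# Assumptions: Windows PowerShell (.NET Framework), Puppet agent on PATH,
# placeholders below replaced.
$ErrorActionPreference = 'Stop'
$PuppetDbFqdn = 'puppetdb.example.com'   # assumption: the FQDN exactly as it appears in PuppetDB's certificate
$Token        = '<TOKEN>'

# The .NET Framework on Server 2012 R2 offers only TLS 1.0 by default; PuppetDB needs TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Single-quoted here-string so PowerShell expands nothing inside the C#.
Add-Type -TypeDefinition @'
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

public static class PuppetCaPolicy
{
    // The only anchors whose chains are accepted; filled from ca.pem before Install().
    public static X509Certificate2Collection CaCerts = new X509Certificate2Collection();

    public static bool Validate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;   // the OS already trusts it
        // Only an unknown-CA chain error may be overridden. A name mismatch or a
        // missing certificate is rejected, which TrustAllCertsPolicy never does.
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors || CaCerts.Count == 0) return false;

        X509Chain pinned = new X509Chain();
        pinned.ChainPolicy.ExtraStore.AddRange(CaCerts);
        // Puppet certificates carry no CRL distribution point, so an online check cannot succeed.
        pinned.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        // Let Build() tolerate an unknown root so we can inspect which root it reached;
        // every other problem (expiry, bad signature, partial chain) still fails Build().
        pinned.ChainPolicy.VerificationFlags = X509VerificationFlags.AllowUnknownCertificateAuthority;
        if (!pinned.Build(new X509Certificate2(cert))) return false;

        X509Certificate2 root = pinned.ChainElements[pinned.ChainElements.Count - 1].Certificate;
        return CaCerts.Find(X509FindType.FindByThumbprint, root.Thumbprint, false).Count > 0;
    }

    // Process-wide, like the article's CertificatePolicy; replaces any callback already set.
    public static void Install()   { ServicePointManager.ServerCertificateValidationCallback = Validate; }
    public static void Uninstall() { ServicePointManager.ServerCertificateValidationCallback = null; }
}
'@

# Load every certificate in the agent's CA bundle (root, plus intermediate on newer PE).
$Pem = Get-Content -Path (& puppet config print localcacert).Trim() -Raw
foreach ($m in [regex]::Matches($Pem, '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', 'Singleline')) {
    $Der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    [PuppetCaPolicy]::CaCerts.Add((New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$Der))) | Out-Null
}

[PuppetCaPolicy]::Install()
try {
    $Nodes = Invoke-RestMethod -Uri "https://${PuppetDbFqdn}:8081/pdb/query/v4/nodes" `
                               -Headers @{ 'X-Authentication' = $Token }
    $Nodes | Select-Object certname, report_timestamp | Format-Table -AutoSize
} finally {
    [PuppetCaPolicy]::Uninstall()   # leave no custom policy behind for the rest of the session
}
```

The callback is compiled C# rather than a PowerShell scriptblock so that it runs regardless of which thread .NET invokes it on; like the article's policy it is process-wide while installed, which is why the call is wrapped in try/finally.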