Skip to main content

REST API call to PuppetDB with PowerShell "Invoke-RestMethod" command returns a "The underlying connection was closed" error in Puppet Enterprise

Selvakumar Subburaj
  • Updated

When you use the built-in PowerShell command Invoke-RestMethod to make a REST API call to PuppetDB, you get an Invoke-RestMethod error that the underlying connection was closed.

Error messages

Invoke-RestMethod -Uri "https://<PUPPET DB FQDN>:8081/pdb/query/v4/nodes" -Headers @{"X-Authentication"="<TOKEN>"}

The underlying connection was closed: An unexpected error occurred on a send.

or

Invoke-RestMethod : The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

You get this error because Puppet Server uses a self-signed certificate generated by the Puppet certificate authority (CA). Invoke-RestMethod is unable to validate against the certificate list in the Windows node’s trusted store.

Version and installation information

PE version: All supported versions
OS: Windows Server 2012 R2

Solution

There are two ways to resolve the issue so that you can successfully use Invoke-RestMethod calls.

  • Add the Puppet server certificate to the Windows node’s trusted store. This solution is secure, but it takes a few steps to configure it.

  • Configure the Windows certificate policy to accept self-signed certificates. This is a quick solution, but it is not secure. It allows the node to accept all requests using self-signed certificates. Consult your security team before using it.

Option one: Add the Puppet server certificate to the Windows node’s trusted store

  1. On the Windows node, in PowerShell, convert the Puppet server’s .pem format certificate to .pfx format using the -export option in the following PowerShell command:

    Note: If you enter a password in this step, you will need to enter it again in the next step.

    & 'C:\Program Files\Puppet Labs\Puppet\puppet\bin\openssl.exe' pkcs12 -export -out $Env:USERPROFILE\nodename.pfx -inkey $(puppet config print hostprivkey) -in $(puppet config print hostcert) -certfile $(puppet config print localcacert)

  2. Still on the Windows node in PowerShell, import the .pfx format certificate to the Windows node’s trusted store.

    & certutil.exe -importpfx $Env:USERPROFILE\nodename.pfx

    When the import is successful, you will get the message:

    Certificate "<NodeFQDN>" added to store. CertUtil: -importPFX command completed successfully.

    You should now be able to run the Invoke-RestMethod call successfully. For example:

    Invoke-RestMethod -Uri "https://<PUPPET DB FQDN>:8081/pdb/query/v4/nodes" -Headers @{"X-Authentication"="<TOKEN>"}

Option two: Configure the certificate policy to accept self-signed certificates

Configure Windows certificate policy to accept self-signed certificates.

Note: This method allows the node to accept all requests using self-signed certificates. Consult your security team before using it.

  1. On the Windows node, run the following PowerShell commands:

    add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@

[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

    You should now be able to run the Invoke-RestMethod call successfully. For example:

    Invoke-RestMethod -Uri "https://<PUPPET DB FQDN>:8081/pdb/query/v4/nodes" -Headers @{"X-Authentication"="<TOKEN>"}

Did this solve your problem?
3 out of 5 found this helpful

How can we improve this article?

0 comments

Please sign in to leave a comment.

Related articles