Christopher Wood
2014-Feb-26 18:18 UTC
[Puppet Users] debugging puppet/hiera-eyaml decryption problems?
I am getting this error with a manifest run in puppet:

Feb 26 12:05:46 cwt1 puppet-master[30680]: Hiera eyaml backend: Unable to decrypt hiera data. Do the keys match and are they the same as those used to encrypt?

Unfortunately I get that same line with no additional details with "puppet master --debug". The keys haven't been changed on disk since yesterday and I definitely used them to encrypt the value with "eyaml edit". They are pkcs7 format keys.

Do any of you know how I would get more verbose debugging out of this thing? Conversely, if you've gotten this working what did you have to do?

More details:

As with other people, I am able to "eyaml edit" and "eyaml decode" the yaml file in question. (I need my current working directory as /etc/puppet or to use the --pkcs7-public-key and --pkcs7-private-key parameters.)

This is my /etc/puppet/hiera.yaml eyaml section:

--------------------------------------------------
:backends:
  - eyaml
:eyaml:
  :datadir: '/etc/puppet/environments/%{environment}/hieradata'
  :private_key: '/etc/puppet/keys/private_key.pkcs7.pem'
  :public_key: '/etc/puppet/keys/public_key.pkcs7.pem'
  :pkcs7_private_key: '/etc/puppet/keys/private_key.pkcs7.pem'
  :pkcs7_public_key: '/etc/puppet/keys/public_key.pkcs7.pem'
--------------------------------------------------

It looks like private_key/public_key and pkcs7_private_key/pkcs7_public_key are used by puppet and command-line hiera respectively. I do get different errors when I move the files or comment out some of those lines, implying that puppet can find the actual key files and read them.

The puppet user can definitely read those files:

-bash-4.1$ id
uid=52(puppet) gid=52(puppet) groups=52(puppet) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-bash-4.1$ cat /etc/puppet/keys/private_key.pkcs7.pem >/dev/null
-bash-4.1$ cat /etc/puppet/keys/public_key.pkcs7.pem >/dev/null
-bash-4.1$

Everything is fine when I'm not using encrypted values.
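An added example, not part of the original post and not hiera-eyaml's own code: a Ruby check for the two things the error message asks about, whether the private key belongs to the certificate in the public key file and whether an ENC[PKCS7,...] value was encrypted to that certificate. It assumes the pkcs7 key pair is an RSA private key plus an X.509 certificate in PEM form; `make_keypair`, `encrypt_value` and `diagnose` are hypothetical helper names, and the keys are generated as constructed sample data.

```ruby
require 'openssl'

# Constructed sample data: a throwaway RSA key and self-signed certificate,
# standing in for private_key.pkcs7.pem and public_key.pkcs7.pem.
def make_keypair(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert.to_pem, key.to_pem]
end

# Hypothetical helper: encrypt plaintext to the certificate and wrap it
# in the ENC[PKCS7,<base64 DER>] form used in the yaml file.
def encrypt_value(cert_pem, plaintext)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  p7 = OpenSSL::PKCS7.encrypt([cert], plaintext, cipher, OpenSSL::PKCS7::BINARY)
  "ENC[PKCS7,#{[p7.to_der].pack('m0')}]"
end

# Returns :ok, :keys_do_not_match, :bad_format or :cannot_decrypt.
def diagnose(cert_pem, key_pem, enc_value)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key = OpenSSL::PKey::RSA.new(key_pem)
  # 1. Does the private key belong to the certificate's public key?
  return :keys_do_not_match unless cert.check_private_key(key)
  # 2. Is the value an ENC[PKCS7,...] string at all?
  m = enc_value.match(/\AENC\[PKCS7,(.+)\]\z/m)
  return :bad_format unless m
  # 3. Can this key pair open it (blob parses and names this certificate)?
  OpenSSL::PKCS7.new(m[1].unpack1('m')).decrypt(key, cert)
  :ok
rescue OpenSSL::PKCS7::PKCS7Error, ArgumentError
  :cannot_decrypt
end

if __FILE__ == $PROGRAM_NAME
  cert, key = make_keypair('eyaml-demo')
  puts diagnose(cert, key, encrypt_value(cert, 's3cret'))
end
```

Against a real setup, pass `File.read` of the two key files and one ENC[...] value copied from the yaml file, running as the puppet user so the result reflects what the master process can read.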