I'm CCing the pe-users list as this is a Puppet Enterprise specific question.
The passwords in puppet.conf and database.yml are not encrypted, those are the passwords (they are also stored in the answers file in the installer directory and in /etc/puppetlabs/installer/database_info.install). To store the db password encrypted, you could use hiera-gpg [1][2], or a custom function of your own design. HTH [1] - http://www.craigdunn.org/2011/10/secret-variables-in-puppet-with-hiera-and-gpg/ [2] - https://rubygems.org/gems/hiera-gpg On Tue, Jan 29, 2013 at 1:49 PM, Brendan Murtagh <brendan.r.murt...@gmail.com> wrote: > Hello, > > I ran into an issue today as I began to transition into a production > environment from my Puppet testbed. I am using Puppet Enterprise 2.7 for > Ubuntu (x64) and ran through the Installer and configured the Console, Cloud > Provisioner, and Master on the same box. This all went well. I then began > setting up agent1 for testing and after installing PE, updating the > environment in the agent's puppet.conf, signing the agent's cert, I tried to > do a puppet agent -td. This failed with the error: > > err: Could not retrieve catalog from remote server: Error 400 on SERVER: > Access denied for user 'console'@'localhost' (using password: YES) > > During the Installer I was never prompted to enter the password for the > Console user so initially I was stuck. > > I visited IRC and Ancillas and I went back and forth trying to figure out > the cause. We viewed the passwords in /etc/puppetlabs/puppet/puppet.conf and > /etc/puppetlabs/puppet-dashboard/database.yml but both are encrypted. I was > going to attempt a reinstall of the Master, but then I found > http://docs.puppetlabs.com/pe/2.0/maint_reconfiguring.html#changing-the-consoles-database-userpassword > I followed the steps and everything worked like a charm. > > My main questions piggy-back one another... > > 1. What type of encryption/hash is used to initially write the password to > those files? Can it be decrypted? > > 2. I'd prefer to store the db password in an encrypted fashion, is there a > way to do this from within Puppet? I assume I could use a MySQL > Administration and view the MySQL Users and copy that, but that seems > excessive. > > Thanks, > > Brendan > > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to puppet-users+unsubscr...@googlegroups.com. > To post to this group, send email to puppet-users@googlegroups.com. > Visit this group at http://groups.google.com/group/puppet-users?hl=en. > For more options, visit https://groups.google.com/groups/opt_out. > > -- Matthaus Owens Release Manager, Puppet Labs -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
