I am getting this error with a manifest run in puppet:

Feb 26 12:05:46 cwt1 puppet-master[30680]: Hiera eyaml backend: Unable to decrypt hiera data. Do the keys match and are they the same as those used to encrypt?

Unfortunately I get that same line with no additional details with "puppet 
master --debug". The keys haven't been changed on disk since yesterday and I 
definitely used them to encrypt the value with "eyaml edit". They are pkcs7 
format keys.

Do any of you know how I would get more verbose debugging out of this thing? 
Conversely, if you've gotten this working what did you have to do?



More details:

As with other people, I am able to "eyaml edit" and "eyaml decode" the yaml 
file in question. (I need my current working directory as /etc/puppet or to use 
the --pkcs7-public-key and --pkcs7-private-key parameters.)

This is my /etc/puppet/hiera.yaml eyaml section:

--------------------------------------------------
:backends:
  - eyaml

:eyaml:
  :datadir: '/etc/puppet/environments/%{environment}/hieradata'
  :private_key: '/etc/puppet/keys/private_key.pkcs7.pem'
  :public_key: '/etc/puppet/keys/public_key.pkcs7.pem'
  :pkcs7_private_key: '/etc/puppet/keys/private_key.pkcs7.pem'
  :pkcs7_public_key: '/etc/puppet/keys/public_key.pkcs7.pem'
--------------------------------------------------

It looks like private_key/public_key and pkcs7_private_key/pkcs7_public_key are 
used by puppet and command-line hiera respectively. I do get different errors 
when I move the files or comment out some of those lines, implying that puppet 
can find the actual key files and read them.

The puppet user can definitely read those files:

-bash-4.1$ id
uid=52(puppet) gid=52(puppet) groups=52(puppet) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-bash-4.1$ cat /etc/puppet/keys/private_key.pkcs7.pem >/dev/null
-bash-4.1$ cat /etc/puppet/keys/public_key.pkcs7.pem >/dev/null
-bash-4.1$ 

Everything is fine when I'm not using encrypted values.
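
One way to surface the underlying OpenSSL error is to repeat the PKCS7 decryption outside Puppet. This is an added example, not part of the original post and not hiera-eyaml's own code; it assumes the public key file is a PEM X.509 certificate and each value is base64 DER PKCS7, and `check_eyaml`, `make_pair` and `encrypt_value` are hypothetical helper names used with throwaway keys generated inline.

```ruby
require 'openssl'
require 'base64'

# Inline eyaml value: ENC[PKCS7,<base64 DER>]; whitespace in the base64 is tolerated.
ENC_RE = /ENC\[PKCS7,([A-Za-z0-9+\/=\s]+?)\]/

# Try every encrypted value in yaml_text with the given certificate and key.
# Returns one hash per value; plaintext is never returned, only its length.
def check_eyaml(yaml_text, cert_pem, key_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key  = OpenSSL::PKey.read(key_pem)
  pair_ok = cert.check_private_key(key) # does the key belong to this cert?
  yaml_text.scan(ENC_RE).each_with_index.map do |(b64), i|
    begin
      plain = OpenSSL::PKCS7.new(Base64.decode64(b64)).decrypt(key, cert)
      { index: i, pair_ok: pair_ok, ok: true, bytes: plain.bytesize }
    rescue OpenSSL::OpenSSLError, ArgumentError => e
      # The underlying OpenSSL message that the one-line log entry does not show.
      { index: i, pair_ok: pair_ok, ok: false, error: "#{e.class}: #{e.message}" }
    end
  end
end

# --- Constructed sample material (throwaway keys, not from the post) ---
def make_pair(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

def encrypt_value(cert, text)
  p7 = OpenSSL::PKCS7.encrypt([cert], text, OpenSSL::Cipher.new('aes-256-cbc'),
                              OpenSSL::PKCS7::BINARY)
  "ENC[PKCS7,#{Base64.strict_encode64(p7.to_der)}]"
end

if __FILE__ == $PROGRAM_NAME
  good_cert, good_key = make_pair('eyaml-a')
  other_cert, other_key = make_pair('eyaml-b')
  yaml = "db_password: #{encrypt_value(good_cert, 's3cret')}\n"
  p check_eyaml(yaml, good_cert.to_pem, good_key.to_pem)   # decrypts
  p check_eyaml(yaml, other_cert.to_pem, other_key.to_pem) # reports the OpenSSL error
end
```

Against real data, pass `File.read` of the hieradata file and of the two key paths from hiera.yaml, running as the same user as the puppet master so file permissions and SELinux context are exercised too.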
