Issue #7144 has been updated by Nigel Kersten.

Yes. Target version isn't multi-valued, but it does need to be targeted at 2.6.x due to a paying customer request.

----------------------------------------
Bug #7144: puppetd cannot create new private key if hostprivatekey/privatekeydir have permissions configured in /etc/puppet/puppet.conf
https://projects.puppetlabs.com/issues/7144

Author: Matt Wise
Status: Merged - Pending Release
Priority: Normal
Assignee:
Category: SSL
Target version: 2.6.x
Affected Puppet version: 2.6.5
Keywords:
Branch: https://github.com/MaxMartin/puppet/tree/ticket/2.6.x/7144-private-keys

Our servers set their puppet private keys with some unique permissions because we use the keys for several purposes. This works fine once the keys are created, but if we have to wipe the key dir and re-start on a node Puppet complains unless we remove the lines from the puppet.conf.

For example, here are the lines in the puppet.conf that cause the problem:

    + # explicitly set the permissions of this tree to readable by anyone in the puppet group
    + privatekeydir = /var/lib/puppet/ssl/private_keys { owner = service, group = service, mode = 750 }
    +
    + # The default value is '$privatekeydir/$certname.pem'.
    + hostprivkey = $privatekeydir/$certname.pem { owner = service, group = service, mode = 640 }

With those lines in place, and the SSL directory wiped clean (i.e., fresh install):

    Executing [/usr/bin/puppet agent --server puppet.mydomain.com -t --detailed-exitcodes]
    info: Creating a new SSL key for test.dc1.prod.mydomain.com
    err: Could not request certificate: Could not write /var/lib/puppet/ssl/private_keys/test.dc1.prod.mydomain.com.pem to privatekeydir: can't convert String into Integer
    Exiting; failed to retrieve certificate and waitforcert is disabled
    Returned value: 1

This happens every single time.
If we remove those lines from the config, the puppet key generation works properly and the puppet run succeeds (which then adds those lines back in to the config, which ultimately sets the proper permissions on those files).

OS: CentOS 5.5
Puppet Version: 2.6.5
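
An added Ruby example, not Puppet's code and not part of the ticket. The ticket does not state the root cause, so this assumes the `mode` value from the braces reaches `File.open` as a string; it reproduces that type error and shows the key file being created with an integer octal mode instead. All function names are hypothetical.

```ruby
require "tmpdir"

# Split a puppet.conf value such as
#   /path/key.pem { owner = service, group = service, mode = 640 }
# into the path and a hash of its metadata; every value is still a String.
def parse_setting(value)
  m = value.match(/\A\s*([^{]*?)\s*(?:\{([^}]*)\})?\s*\z/) or
    raise ArgumentError, "unparseable setting: #{value.inspect}"
  meta = (m[2] || "").split(",").map { |kv| kv.split("=", 2).map(&:strip) }.to_h
  [m[1], meta]
end

# Turn a textual mode ("640", "0750") into the Integer the file APIs need.
def octal_mode(mode)
  return mode if mode.is_a?(Integer)
  raise ArgumentError, "bad mode #{mode.inspect}" unless mode.to_s =~ /\A[0-7]{3,4}\z/
  mode.to_s.to_i(8)
end

# Assumed failure path: the raw String is passed as the permission argument.
# Returns the error text instead of raising.
def failing_write(path, pem, mode_string)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, mode_string) { |f| f.write(pem) }
rescue TypeError => e
  e.message
end

# Creates the key with its final mode at open time, so it never exists with
# looser bits, and refuses to reuse an existing file. Owner and group are not
# applied here because chown needs privileges. Returns the resulting mode bits.
def write_key(path, pem, mode)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, mode) do |f|
    f.chmod(mode) # umask may have cleared bits at creation; set them exactly
    f.write(pem)
  end
  File.stat(path).mode & 0o777
end

if __FILE__ == $0
  # Constructed sample: the hostprivkey line quoted in the ticket.
  line = '$privatekeydir/$certname.pem { owner = service, group = service, mode = 640 }'
  _path, meta = parse_setting(line)
  Dir.mktmpdir do |dir|
    puts failing_write(File.join(dir, "raw.pem"), "PEM PLACEHOLDER", meta["mode"])
    puts format("%o", write_key(File.join(dir, "ok.pem"), "PEM PLACEHOLDER", octal_mode(meta["mode"])))
  end
end
```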
