Issue #17497 has been updated by Gary Richards.
Ok, I dug a little deeper and I 'fixed' the problem (i.e. got it to work,
whether the solution is correct or not I know not):
<pre>
# ls -al /var/lib/puppet/
total 44
drwxr-xr-x 11 puppet puppet 4096 Jun 27 10:43 .
drwxr-xr-x 30 root root 4096 Jun 27 10:40 ..
drwxr-x--- 14 root root 4096 Jun 27 10:41 clientbucket
drwxr-x--- 3 root root 4096 Jun 27 10:38 client_data
drwxr-x--- 2 root root 4096 Jun 27 10:32 client_yaml
drwxr-x--- 18 root root 4096 Jun 27 10:41 concat
drwxr-x--- 8 root root 4096 Jun 27 10:48 devices
drwxr-xr-x 4 root root 4096 Jun 27 10:37 lib
drwxr-x--- 2 puppet puppet 4096 Jun 27 10:41 rrd
drwxrwx--x 7 puppet root 4096 Jun 27 10:36 ssl
drwxr-xr-t 3 puppet puppet 4096 Jun 27 10:42 state
</pre>
The devices directory is root:root, with mode 0750. I changed this to 0755 and
now puppet, running as root, can write device certificates again.
I hacked the mode change into defaults.rb. I built a new box and tested just
this change to be sure it was the only thing I'd modified that 'fixed' the
problem.
----------------------------------------
Bug #17497: puppet device cannot create certs when run as root
https://projects.puppetlabs.com/issues/17497#change-93733
* Author: Garrett Honeycutt
* Status: Unreviewed
* Priority: Normal
* Assignee:
* Category:
* Target version:
* Affected Puppet version:
* Keywords: cisco, device, certs
* Branch:
----------------------------------------
broken -- output of `puppet device --debug` when run as root:
<pre>
info: Creating a new SSL key for 10.0.1.3
err: Could not request certificate: Could not write
/var/opt/lib/pe-puppet/devices/10.0.1.3/ssl/private_keys/10.0.1.3.pem to
privatekeydir: Permission denied -
/var/opt/lib/pe-puppet/devices/10.0.1.3/ssl/private_keys/10.0.1.3.pem
</pre>
success -- output of `puppet device --debug` when run as a normal user:
<pre>
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for 10.0.1.3
info: Certificate Request fingerprint (md5):
6C:1C:4C:37:A7:1D:B3:6E:F3:94:25:67:55:27:89:4C
warning: peer certificate won't be verified in this SSL session
debug: Using cached certificate for ca
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for 10.0.1.3
</pre>
Note that you have to copy `/etc/puppetlabs/puppet/device.conf` to `~/.puppet/`.
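
Added example, not part of the original report or of Puppet's code: a mode-bit walk that reports, for a given uid and group set, the first directory on the way to a key file that denies search or write access, which is the comparison the `ls -al` listing in the update is used for. The function names, the `start` parameter and the temporary tree are constructed for illustration; uid 0 is assumed to bypass mode bits, and ACLs and LSM policy are not modelled.

```python
import os
import tempfile
def class_bits(st, uid, gids):
    """Pick the owner, group or other rwx triplet that applies to uid/gids."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def first_blocker(target, uid, gids, start=os.sep):
    """First (directory, reason) between `start` and target's parent whose mode
    bits stop uid/gids creating `target`, else None. Assumes target is under
    start and uid 0 bypasses mode bits; ACLs, LSMs, mount flags are ignored."""
    if uid == 0:
        return None
    start = os.path.abspath(start)
    parent = os.path.dirname(os.path.abspath(target))
    dirs = [start]
    rel = os.path.relpath(parent, start)
    if rel != os.curdir:
        for part in rel.split(os.sep):
            dirs.append(os.path.join(dirs[-1], part))
    for d in dirs:
        if not class_bits(os.stat(d), uid, gids) & 1:
            return (d, "no search (x) permission")
    if not class_bits(os.stat(parent), uid, gids) & 2:
        return (parent, "no write (w) permission")
    return None

def demo():
    """Constructed tree shaped like the one in the report (not real data)."""
    base = tempfile.mkdtemp()
    keydir = os.path.join(base, "devices", "10.0.1.3", "ssl", "private_keys")
    os.makedirs(keydir)
    for d, _, _ in os.walk(base):
        os.chmod(d, 0o755)
    devices = os.path.join(base, "devices")
    key = os.path.join(keydir, "10.0.1.3.pem")
    st = os.stat(devices)
    other = (st.st_uid + 1, {st.st_gid + 1})  # neither owner nor group member
    os.chmod(devices, 0o750)
    before = first_blocker(key, *other, start=base)
    os.chmod(devices, 0o755)
    after = first_blocker(key, *other, start=base)
    return devices, keydir, before, after

if __name__ == "__main__":
    print(demo())
```

In the constructed tree every directory belongs to the account running the demo, so once `devices` is 0755 the third account is next stopped by the write bit on `private_keys`.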