Issue #17497 has been updated by Dustin Mitchell.

Status changed from Unreviewed to Needs Decision
Assignee set to eric sorenson

My guess, without knowing the code, is that puppet is dropping root privs.  
When run as a normal user, it does everything as that user (working out of 
~/.puppet), so you don't see the same errors.

I assume, again without knowing the code, that the 'privatekeydir' of which the 
error message speaks is a subdirectory of `/var/lib/puppet/devices/$fqdn`, and 
that the missing 'r-x' bits for the puppet user prevent it from traversing into 
that directory, even if the permissions on the directory itself are correct.

I can see a few potential solutions here:

 * The suggested fix, assuming that permissions further down the directory tree 
limit read access to the private keys
 * setting the devices directory's group to `puppet`, so that the puppet user 
has access via the group bits (already `r-x`)
 * re-assuming privs while writing this file

----------------------------------------
Bug #17497: puppet device cannot create certs when run as root
https://projects.puppetlabs.com/issues/17497#change-94584

* Author: Garrett Honeycutt
* Status: Needs Decision
* Priority: Normal
* Assignee: eric sorenson
* Category: 
* Target version: 
* Affected Puppet version: 
* Keywords: cisco, device, certs
* Branch: 
----------------------------------------
broken -- output of `puppet device --debug` when run as root:
<pre>
info: Creating a new SSL key for 10.0.1.3
err: Could not request certificate: Could not write 
/var/opt/lib/pe-puppet/devices/10.0.1.3/ssl/private_keys/10.0.1.3.pem to 
privatekeydir: Permission denied - 
/var/opt/lib/pe-puppet/devices/10.0.1.3/ssl/private_keys/10.0.1.3.pem
</pre>

success -- output of `puppet device --debug` when run as a normal user:
<pre>
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for 10.0.1.3
info: Certificate Request fingerprint (md5): 
6C:1C:4C:37:A7:1D:B3:6E:F3:94:25:67:55:27:89:4C
warning: peer certificate won't be verified in this SSL session
debug: Using cached certificate for ca
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for 10.0.1.3
</pre>
Note that you have to copy `/etc/puppetlabs/puppet/device.conf` to `~/.puppet/`
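As an added diagnostic example (not code from the issue or from Puppet itself), this checks Dustin's hypothesis the way a sysadmin would: walk every ancestor directory of the private-key path and ask whether the unprivileged account puppet drops to can traverse it, using the owner/group/other execute-bit rule. The uid/gid values, the `switch.example` device name and the sample directory tree are constructed for illustration.

```python
import grp
import os
import pwd
import stat
from typing import Iterable, List, Tuple

# One ancestor directory as (path, st_mode, owner uid, owner gid).
DirEntry = Tuple[str, int, int, int]


def can_traverse(mode: int, owner_uid: int, owner_gid: int,
                 uid: int, gids: Iterable[int]) -> bool:
    """Execute ('x') bit check on a directory: root always passes; otherwise
    exactly one class applies: owner if uid matches, else group, else other."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IXUSR)
    if owner_gid in set(gids):
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def blocked_ancestors(entries: Iterable[DirEntry], uid: int,
                      gids: Iterable[int]) -> List[str]:
    """Ancestors the principal cannot traverse, root-most first. A correct
    mode on the final directory does not help while this list is non-empty."""
    gids = set(gids)
    return [path for path, mode, o_uid, o_gid in entries
            if not can_traverse(mode, o_uid, o_gid, uid, gids)]


def ancestors_of(file_path: str) -> List[DirEntry]:
    """Stat every ancestor directory of file_path on the live filesystem."""
    entries = []
    d = os.path.dirname(os.path.abspath(file_path))
    while True:
        st = os.stat(d)
        entries.append((d, st.st_mode, st.st_uid, st.st_gid))
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    return list(reversed(entries))


def check_user_path(username: str, file_path: str) -> List[str]:
    """Live check: which ancestors of file_path block the named account (e.g.
    the service user puppet drops to), using its primary and extra groups."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return blocked_ancestors(ancestors_of(file_path), pw.pw_uid, gids)
```

Running `check_user_path("puppet", "/var/lib/puppet/devices/<fqdn>/ssl/private_keys/<fqdn>.pem")` on an affected host should name the `devices/<fqdn>` directory; regrouping it to `puppet` (the second option above) empties the list because its group bits already carry `r-x`.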
