Issue #17497 has been updated by Gary Larizza.

I hit this today as well running Puppet Enterprise; here's what I did to get around the error (note the Puppet Enterprise-specific paths):

* After the failure, the folder /var/opt/lib/pe-puppet/devices is going to be owned by root:root. Set permissions recursively on that directory to be pe-puppet:pe-puppet with: `sudo chown -R pe-puppet:pe-puppet /var/opt/lib/pe-puppet/devices`
* Next, run puppet device as the pe-puppet user: `sudo /opt/puppet/bin/puppet device -v --user pe-puppet --onetime`
* Sign the cert on the puppet master with `sudo /opt/puppet/bin/puppet cert sign <certname>`
* Now you can continue to run puppet device as a root user with: `sudo /opt/puppet/bin/puppet device -v --onetime`

----------------------------------------
Bug #17497: puppet device cannot create certs when run as root
https://projects.puppetlabs.com/issues/17497#change-99297

* Author: Garrett Honeycutt
* Status: Needs Decision
* Priority: Normal
* Assignee: eric sorenson
* Category:
* Target version:
* Affected Puppet version:
* Keywords: cisco, device, certs
* Branch:
----------------------------------------
broken -- output of `puppet device --debug` when run as root:

<pre>
info: Creating a new SSL key for 10.0.1.3
err: Could not request certificate: Could not write /var/opt/lib/pe-puppet/devices/10.0.1.3/ssl/private_keys/10.0.1.3.pem to privatekeydir: Permission denied - /var/opt/lib/pe-puppet/devices/10.0.1.3/ssl/private_keys/10.0.1.3.pem
</pre>

success -- output of `puppet device --debug` when run as a normal user:

<pre>
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for 10.0.1.3
info: Certificate Request fingerprint (md5): 6C:1C:4C:37:A7:1D:B3:6E:F3:94:25:67:55:27:89:4C
warning: peer certificate won't be verified in this SSL session
debug: Using cached certificate for ca
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for 10.0.1.3
</pre>

Note that you have to copy `/etc/puppetlabs/puppet/device.conf` to `~/.puppet/`
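
A pre-flight check for the state the workaround above repairs, added here as an example (it is not part of the ticket or of Puppet's own tooling): it lists entries under the devices directory that are not owned by the expected account and prints the `chown` from the workaround. The function names are hypothetical; the default path and account are the Puppet Enterprise values quoted above.

```shell
#!/bin/sh
# Added example: report entries under a puppet device directory that are not
# owned by the expected account. Function names are hypothetical; the
# defaults are the Puppet Enterprise path and user quoted in the workaround.
DEVICES_DIR_DEFAULT=/var/opt/lib/pe-puppet/devices
OWNER_DEFAULT=pe-puppet

# Print every path under directory $1 whose owning uid is not the numeric uid $2.
foreign_owned() {
  find "$1" ! -uid "$2" -print
}

# Usage: audit_devices_dir [dir] [owner]
# Returns 0 when every entry is owned by the account, 1 when some are not,
# 2 when the directory or the account does not exist.
audit_devices_dir() {
  audit_dir=${1:-$DEVICES_DIR_DEFAULT}
  audit_owner=${2:-$OWNER_DEFAULT}
  if [ ! -d "$audit_dir" ]; then
    echo "no such directory: $audit_dir" >&2
    return 2
  fi
  audit_uid=$(id -u "$audit_owner" 2>/dev/null) || {
    echo "unknown user: $audit_owner" >&2
    return 2
  }
  audit_hits=$(foreign_owned "$audit_dir" "$audit_uid")
  if [ -z "$audit_hits" ]; then
    return 0
  fi
  echo "entries not owned by $audit_owner:" >&2
  printf '%s\n' "$audit_hits" >&2
  echo "fix: sudo chown -R $audit_owner:$audit_owner $audit_dir" >&2
  return 1
}
```

Source the file and call `audit_devices_dir` before the first `puppet device` run as root; a return code of 1 means the recursive `chown` step is still needed.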
