I am getting this error with a manifest run in puppet:
Feb 26 12:05:46 cwt1 puppet-master[30680]: Hiera eyaml backend: Unable to decrypt hiera data. Do the keys match and are they the same as those used to encrypt?
Unfortunately I get that same line with no additional details with "puppet
master --debug". The keys haven't been changed on disk since yesterday and I
definitely used them to encrypt the value with "eyaml edit". They are pkcs7
format keys.
Do any of you know how I would get more verbose debugging out of this thing?
Conversely, if you've gotten this working what did you have to do?
More details:
As with other people, I am able to "eyaml edit" and "eyaml decode" the yaml
file in question. (I need my current working directory as /etc/puppet or to use
the --pkcs7-public-key and --pkcs7-private-key parameters.)
This is my /etc/puppet/hiera.yaml eyaml section:
--------------------------------------------------
:backends:
  - eyaml
:eyaml:
  :datadir: '/etc/puppet/environments/%{environment}/hieradata'
  :private_key: '/etc/puppet/keys/private_key.pkcs7.pem'
  :public_key: '/etc/puppet/keys/public_key.pkcs7.pem'
  :pkcs7_private_key: '/etc/puppet/keys/private_key.pkcs7.pem'
  :pkcs7_public_key: '/etc/puppet/keys/public_key.pkcs7.pem'
--------------------------------------------------
It looks like private_key/public_key and pkcs7_private_key/pkcs7_public_key are
used by puppet and command-line hiera respectively. I do get different errors
when I move the files or comment out some of those lines, implying that puppet
can find the actual key files and read them.
The puppet user can definitely read those files:
-bash-4.1$ id
uid=52(puppet) gid=52(puppet) groups=52(puppet) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-bash-4.1$ cat /etc/puppet/keys/private_key.pkcs7.pem >/dev/null
-bash-4.1$ cat /etc/puppet/keys/public_key.pkcs7.pem >/dev/null
-bash-4.1$
Everything is fine when I'm not using encrypted values.
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/20140226181839.GA25494%40iniquitous.heresiarch.ca.
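
The two questions in the error message above ("Do the keys match and are they the same as those used to encrypt?") can be checked separately outside Puppet. The following is an added example, not part of the original post and not hiera-eyaml's own code; it assumes the value is a PKCS#7 envelope encrypted with AES-256-CBC, the helper names are hypothetical, and the key pairs are constructed in the script rather than read from /etc/puppet/keys.

```ruby
require 'openssl'

# Constructed sample data: a throwaway RSA key and self-signed certificate,
# standing in for private_key.pkcs7.pem / public_key.pkcs7.pem.
def make_pair(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key.to_pem, cert.to_pem]
end

# Encrypt a value to the certificate as a PKCS#7 envelope (DER bytes).
# AES-256-CBC is an assumption of this example.
def encrypt_value(cert_pem, plaintext)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  OpenSSL::PKCS7.encrypt([cert], plaintext, cipher, OpenSSL::PKCS7::BINARY).to_der
end

# Returns [:ok, plaintext], [:pair_mismatch, reason] or [:decrypt_failed, reason].
def try_decrypt(key_pem, cert_pem, der)
  key = OpenSSL::PKey::RSA.new(key_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  # First question from the error message: do the two files on disk match?
  return [:pair_mismatch, 'certificate does not belong to this private key'] unless cert.check_private_key(key)
  # Second question: is this the pair the value was encrypted to?
  [:ok, OpenSSL::PKCS7.new(der).decrypt(key, cert)]
rescue OpenSSL::OpenSSLError => e
  [:decrypt_failed, "#{e.class}: #{e.message}"]
end

if __FILE__ == $PROGRAM_NAME
  key_a, cert_a = make_pair('eyaml-a')   # pair the value is encrypted to
  key_b, cert_b = make_pair('eyaml-b')   # a different, internally consistent pair
  blob = encrypt_value(cert_a, 's3cret')
  p try_decrypt(key_a, cert_a, blob)     # same pair as used to encrypt
  p try_decrypt(key_b, cert_a, blob)     # files on disk do not match each other
  p try_decrypt(key_b, cert_b, blob)     # matching pair, but not the encrypting one
end
```

To test real files, pass `File.read` of the private key and certificate paths to `try_decrypt`, running as the same user as the Puppet master so that file permissions are exercised too.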