debugging puppet/hiera-eyaml decryption problems?


Christopher Wood

Feb 26, 2014, 1:18:39 PM
to puppet...@googlegroups.com
I am getting this error with a manifest run in puppet:

Feb 26 12:05:46 cwt1 puppet-master[30680]: Hiera eyaml backend: Unable to decrypt hiera data. Do the keys match and are they the same as those used to encrypt?

Unfortunately I get that same line with no additional details with "puppet master --debug". The keys haven't been changed on disk since yesterday and I definitely used them to encrypt the value with "eyaml edit". They are pkcs7 format keys.

Do any of you know how I would get more verbose debugging out of this thing? Conversely, if you've gotten this working what did you have to do?



More details:

As with other people, I am able to "eyaml edit" and "eyaml decode" the yaml file in question. (I need my current working directory as /etc/puppet or to use the --pkcs7-public-key and --pkcs7-private-key parameters.)

This is my /etc/puppet/hiera.yaml eyaml section:

--------------------------------------------------
:backends:
- eyaml

:eyaml:
:datadir: '/etc/puppet/environments/%{environment}/hieradata'
:private_key: '/etc/puppet/keys/private_key.pkcs7.pem'
:public_key: '/etc/puppet/keys/public_key.pkcs7.pem'
:pkcs7_private_key: '/etc/puppet/keys/private_key.pkcs7.pem'
:pkcs7_public_key: '/etc/puppet/keys/public_key.pkcs7.pem'
--------------------------------------------------

It looks like private_key/public_key and pkcs7_private_key/pkcs7_public_key are used by puppet and command-line hiera respectively. I do get different errors when I move the files or comment out some of those lines, implying that puppet can find the actual key files and read them.

The puppet user can definitely read those files:

-bash-4.1$ id
uid=52(puppet) gid=52(puppet) groups=52(puppet) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
-bash-4.1$ cat /etc/puppet/keys/private_key.pkcs7.pem >/dev/null
-bash-4.1$ cat /etc/puppet/keys/public_key.pkcs7.pem >/dev/null
-bash-4.1$

Everything is fine when I'm not using encrypted values.

William Leese

Feb 26, 2014, 9:51:11 PM
to puppet...@googlegroups.com, christop...@pobox.com
What does the actual yaml containing the encrypted value look like? I've had some trouble simply copying & pasting eyaml output into yaml files. I found using something like this works best:

mysql::server::root_password: ENC[PKCS7,MxxxxxxxxxxxxxxxxxxxxxxxxxxZIhvcNAQcDoIIBejCCAXYCAQAxggEhMIIBHQIBADAFMAACAQAwDQYJKoZIhvcNAQEBBQAEgsnipsnipsnipsnipsnipsnipIZIAWUDBAEqBBALP97TUumMst8nV3mXwI7TgCBn9mVz/uaSgcJHo9xUuXmK1ynG80J0tqDyblahalbhalabhaOQHQ==]

(just in case word wrap kicks in, that's all on one line).

Are your yaml files named *.eyaml?
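Added example, not code from either poster or from the hiera-eyaml gem itself: a small Ruby model of what the PKCS7 backend does with the two key files, covering the "Do the keys match" question from the first post and the mangled-token case raised just above. The ENC[PKCS7,<base64 DER>] token shape and the RSA-recipient/AES-256-CBC PKCS7 envelope follow the hiera-eyaml documentation; the function names, the throwaway self-signed key pair, the sample plaintext and the diagnose helper are this example's own assumptions.

```ruby
require 'openssl'
require 'base64'

# Added example, not hiera-eyaml's own code: a minimal model of the PKCS7
# encryptor (RSA recipient cert + AES-256-CBC, Base64 DER wrapped in
# ENC[PKCS7,...]) plus the key-pair sanity check the error message asks for.

# Throwaway RSA key and self-signed X.509 cert, the same shape of pair that
# `eyaml createkeys` writes as private_key.pkcs7.pem / public_key.pkcs7.pem.
def make_keypair(cn, bits = 2048)
  key  = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = OpenSSL::BN.rand(64)          # distinct serial per pair
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 10 * 365 * 24 * 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Does the public cert really belong to this private key? This is the check
# behind "Do the keys match?": a pair that was regenerated on one side, or
# copied from a different master, fails here before any decryption is tried.
def keys_match?(key, cert)
  cert.check_private_key(key)
end

# Encrypt a plaintext for the cert, producing the ENC[PKCS7,<base64 DER>]
# token that goes into a .eyaml file (all on one line).
def eyaml_encrypt(cert, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  p7 = OpenSSL::PKCS7.encrypt([cert], plaintext, cipher, OpenSSL::PKCS7::BINARY)
  "ENC[PKCS7,#{Base64.strict_encode64(p7.to_der)}]"
end

# Parse an ENC[PKCS7,...] token and decrypt it with the private key.
# A ciphertext made for a different recipient cert raises
# OpenSSL::PKCS7::PKCS7Error, which is what hiera-eyaml reports as
# "Unable to decrypt hiera data".
def eyaml_decrypt(key, cert, token)
  m = token.match(%r{\AENC\[PKCS7,([A-Za-z0-9+/=\s]+)\]\z})
  raise ArgumentError, 'not an ENC[PKCS7,...] value' unless m
  der = Base64.strict_decode64(m[1].gsub(/\s+/, ''))   # tolerate wrapped lines
  OpenSSL::PKCS7.new(der).decrypt(key, cert)
end

# Diagnostic wrapper: report *which* failure a practitioner is looking at.
def diagnose(key, cert, token)
  return :key_cert_mismatch unless keys_match?(key, cert)
  eyaml_decrypt(key, cert, token)
  :ok
rescue OpenSSL::PKCS7::PKCS7Error
  :decrypt_failed   # value was encrypted for a different recipient cert
rescue ArgumentError
  :bad_token        # value was mangled when pasted into the yaml file
end

if __FILE__ == $0
  key, cert = make_keypair('eyaml-example')
  token = eyaml_encrypt(cert, 'hunter2')            # constructed sample secret
  puts token
  puts eyaml_decrypt(key, cert, token)              # hunter2
  other_key, other_cert = make_keypair('eyaml-other')
  p diagnose(key, cert, token)                      # :ok
  p diagnose(other_key, other_cert, token)          # :decrypt_failed
  p diagnose(other_key, cert, token)                # :key_cert_mismatch
  p diagnose(key, cert, 'ENC[PKCS7,@@@]')           # :bad_token
end
```

The diagnose helper separates the three outcomes worth telling apart: a private key that does not belong to the public cert, a value that was encrypted for some other cert (the key files really are not the ones used at encryption time), and a token that no longer parses because it was wrapped or edited on its way into the yaml file. Against real files, load them with OpenSSL::PKey::RSA.new(File.read('/etc/puppet/keys/private_key.pkcs7.pem')) and OpenSSL::X509::Certificate.new(File.read('/etc/puppet/keys/public_key.pkcs7.pem')) instead of generating a throwaway pair, and run it as the puppet user so file permissions are exercised too.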

Christopher Wood

Feb 27, 2014, 9:44:02 AM
to puppet...@googlegroups.com
Here's a sample value. Apart from the length it looks much like yours. (Your encrypted value appears on a separate line, but that is possibly word wrap.)

testing::cwood::param: ENC[PKCS7,...]

In the editor (eyaml edit) that looks like:

testing::cwood::param: DEC(1)::PKCS7[value from hiera, encrypted]!

(The keys are throwaway, proof of concept keys, available if anybody thinks they'll help.)

My eyaml files are all suffixed ".eyaml". I tried ":extension: 'yaml'" but oddly that didn't work for me, the puppet debug log showed the hiera routine looking for .eyaml files.

Christopher Wood

Feb 27, 2014, 12:50:41 PM
to puppet...@googlegroups.com
Following up to my own post...

Without changing my manifest data, I managed to get this to work by changing my rpm packages around, from this, which didn't work:

hiera-eyaml 2.0
trollop 2.0
highline 1.6.19

To this, which did:

hiera-eyaml 1.3.4
trollop 1.16
highline 1.6.20

This didn't work either:

hiera-eyaml 2.0
trollop 2.0
highline 1.6.20


I don't have the ruby or packaging expertise to see why this worked, but now things function similarly with /usr/bin/hiera and inside the puppet master.