Ask Your Question

hiera eyaml does not work after upgrading to PE 3.7.2

asked 2014-11-26 09:32:27 -0600

Yeayu gravatar image

Hello all,

I recently upgraded from PE 3.3 to PE 3.7.2, in order to take advantage of the new windows improvements... Everything seems to be ok, except eyaml, which it does not work at all. In fact, i have tried to configure hiera eyaml from scratch on a new puppet master server with the same result...

I would like to point out that hiera without encryption works as expected.

The error I am receiving is the following:

Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Could not find data item test:password in any Hiera data file and not default supplied at /etc/puppetlabs/puppet/environments/test/modules/accounts/manifests/init.pp:2 on node

This is my hiera.yaml:

  - eyaml
  - yaml
  - "node/%{::clientcert}"
  - "%{environment}"
  - common
  :datadir: /etc/puppetlabs/puppet/hieradata
  :datadir: /etc/puppetlabs/puppet/hieradata
  :pkcs7_private_key: '/etc/puppetlabs/puppet/keys/private_key.pkcs7.pem'
  :pkcs7_public_key: '/etc/puppetlabs/puppet/keys/public_key.pkcs7.pem'
:logger: console

The content of my .eyaml file is:

test::password: >

and my manifest is (init.pp):

 class accounts{
            $credentials = hiera('test::password')

what might be the reason of this failure?

edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted

answered 2015-01-05 11:31:44 -0600

Kevin Corcoran gravatar image

Pindish is correct - /opt/puppet/bin/puppetserver gem install hiera-eyaml is required. If it fails with the error above, that is probably caused by this bug:

As mentioned in that ticket, running ln -s /etc/ssl/certs/java/cacerts /opt/puppet/lib/jvm/pe-java/jre/lib/security/cacerts and then re-running the command to install the gem should suffice as a workaround.

edit flag offensive delete link more


Yes. Though I can't access the ticket, I verified that creating the sym link does solve the problem I had. Our eyaml backend is happy again. Thank you very much Kevin!

Pindish gravatar imagePindish ( 2015-01-06 01:10:08 -0600 )edit

Ouch! Sorry about that - we have both internal and public JIRA tickets and I accidentally linked you to an internal one. In any case, this matter boils down to a tiny bug in PE 3.7.1 and 3.7.0. It will be fixed in the upcoming 3.7.2. Glad the fix worked for you.

Kevin Corcoran gravatar imageKevin Corcoran ( 2015-01-07 13:32:16 -0600 )edit

answered 2015-01-03 13:39:32 -0600

Pindish gravatar image

Hi Yeayu,

We are having the same problem. Wonder if you have a solution yet.

We have no problem using eYAML with open source Puppet 3.7.2 and PE 3.3.2. We are trying to upgrade our PE 3.3.2 setup to the latest PE 3.7.2 and run into the same problem. We use /opt/puppet/bin/gem to install hiera-eyaml. This works fine with command line encryption and decryption. But puppet run cannot find the encrypted data.

Someone mentions that using /opt/puppet/bin/puppetserver to install hiera-eyaml is required for PE 3.7. That doesn't work for us.

# puppetserver gem list

*** LOCAL GEMS ***

ffi (1.9.3 java)
highline (1.6.21)
jar-dependencies (0.0.9)
jruby-openssl (0.9.5 java)
json (1.8.0 java)
krypt (0.0.2)
krypt-core (0.0.2 universal-java)
krypt-provider-jdk (0.0.2)
rake (10.1.0)
rdoc (4.0.1)

# puppetserver gem install hiera-eyaml
ERROR:  Could not find a valid gem 'hiera-eyaml' (>= 0), here is why:
          Unable to download data from - certificate verify failed (
ERROR:  Possible alternatives: hiera-eyaml

Anyone has a solution yet?


edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2014-11-26 09:32:27 -0600

Seen: 1,100 times

Last updated: Jan 05 '15