
Puppet tries to create /etc/puppet/ssl when it is configured to use /var/lib/puppet/ssl

asked 2018-07-20 05:06:35 -0600

willsewell

I am using Puppet 3.8.7 in the rack/apache/passenger setup. I have created /var/lib/puppet/ssl with appropriate keys/certificates in it. I have configured Puppet to use this:

$ sudo puppet config print --section master ssldir
$ sudo puppet config print --section agent ssldir

However, when I run the puppet agent with

$ sudo /usr/bin/puppet agent --test --environment /path/to/env

It fails with a bunch of HTML error pages returned from the puppet master. I won't post them here because I get the same errors in a much clearer format in the apache error logs:

[ 2018-07-20 09:28:10.8956 23617/7feaf0cea700 agents/HelperAgent/RequestHandler.h:2088 ]: [Client 20] Cannot checkout session.
Error page:
exit (SystemExit)
  /usr/lib/ruby/vendor_ruby/puppet/util.rb:511:in `exit'
  /usr/lib/ruby/vendor_ruby/puppet/util.rb:511:in `rescue in exit_on_fail'
  /usr/lib/ruby/vendor_ruby/puppet/util.rb:496:in `exit_on_fail'
  /usr/lib/ruby/vendor_ruby/puppet/application.rb:378:in `run'
  /usr/lib/ruby/vendor_ruby/puppet/util/command_line.rb:146:in `run'
  /usr/lib/ruby/vendor_ruby/puppet/util/command_line.rb:92:in `execute' `block in <main>'
  /usr/lib/ruby/vendor_ruby/rack/builder.rb:55:in `instance_eval'
  /usr/lib/ruby/vendor_ruby/rack/builder.rb:55:in `initialize' `new' `<main>'
  /usr/share/passenger/helper-scripts/rack-preloader.rb:112:in `eval'
  /usr/share/passenger/helper-scripts/rack-preloader.rb:112:in `preload_app'
  /usr/share/passenger/helper-scripts/rack-preloader.rb:158:in `<module:App>'
  /usr/share/passenger/helper-scripts/rack-preloader.rb:29:in `<module:PhusionPassenger>'
  /usr/share/passenger/helper-scripts/rack-preloader.rb:28:in `<main>'

It's very cryptic, so if I turn on the debug logging in /usr/lib/ruby/vendor_ruby/puppet/util.rb, I get the much more helpful output:

App 24518 stdout: #<RuntimeError: Got 1 failure(s) while initializing: File[/etc/puppet/ssl]: change from absent to directory failed: Could not set 'directory' on ensure: Permission denied @ dir_s_mkdir - /etc/puppet/ssl>
App 24518 stdout: /usr/lib/ruby/vendor_ruby/puppet/settings.rb:998:in `block in use'
App 24518 stdout: /usr/lib/ruby/vendor_ruby/puppet/resource/catalog.rb:177:in `apply'
App 24518 stdout: /usr/lib/ruby/vendor_ruby/puppet/settings.rb:988:in `use'
App 24518 stdout: /usr/lib/ruby/vendor_ruby/puppet/application/master.rb:267:in `setup'
App 24518 stdout: /usr/lib/ruby/vendor_ruby/puppet/application.rb:378:in `block (2 levels) in run'
App 24518 stdout: /usr/lib/ruby/vendor_ruby/puppet/application.rb:507:in `plugin_hook'
App 24518 stdout: /usr/lib/ruby/vendor_ruby/puppet/application.rb:378:in `block in run'
App 24518 stdout: /usr/lib/ruby/vendor_ruby/puppet/util.rb:496:in `exit_on_fail'
App 24518 stdout: /usr/lib/ruby/vendor_ruby/puppet/application.rb:378:in `run'
App 24518 stdout: /usr/lib/ruby/vendor_ruby/puppet/util/command_line.rb:146:in `run'
App 24518 stdout: /usr/lib/ruby/vendor_ruby/puppet/util/command_line.rb:92:in `execute'
App 24518 stdout: /usr/share/puppet/rack/puppetmasterd ...

2 Answers


answered 2018-07-25 08:06:07 -0600

willsewell

updated 2018-07-25 08:06:59 -0600

We fixed this by adding

ARGV << "--ssldir"  << "/var/lib/puppet/ssl"


The reason for this confuses me because we already have

ssldir = /var/lib/puppet/ssl

set in the [main] section of puppet.conf.



This means that the way you have it configured is not reading your `puppet.conf` path properly. Double check the paths and that your httpd user can read the file.

binford2k ( 2018-07-25 13:14:01 -0600 )

From what I can tell, the file is being read correctly since if I run `sudo puppet config print environment`, then it prints the environment I have configured in `/etc/puppet/puppet.conf`. Both `/etc/puppet` and `/etc/puppet/puppet.conf` are world-readable.

willsewell ( 2018-07-26 04:08:07 -0600 )

answered 2018-07-24 12:44:37 -0600

binford2k

Just a friendly PSA that Puppet 3.x reached its end of life 570 days ago on December 31, 2016. I suggest upgrading to an LTS release for access to bug fixes and security updates.

In any case, you likely don't have the proper configuration settings in your See for an example of that.



We are trying to upgrade to Puppet 4 :) The reason I am trying (and failing) to set up Puppet 3 is so that we can test the upgrade process. Our `` file is identical to the one you linked to. Is this a problem? Should I be setting `--ssldir` there?

willsewell ( 2018-07-25 06:26:53 -0600 )
