This document can help you quickly identify and fix most common errors.
What kind of error are you seeing?
- Unknown function 'conjur::secret'
- (LoadError) no such file to load -- conjur/puppet_module/config
- Conjur configuration not found on system
- Error while evaluating a Method call ... expects a Sensitive value, got Deferred
- Failed to open TCP connection to ... (getaddrinfo: No such host is known.)
- Conjur server error: Unauthorized
- Could not find any pre-populated Conjur credentials in WinCred storage
- Conjur server error: Not Found
- Conjur server error: SSL_connect returned=1 errno=0 state=error: certificate verify failed
- Cert file '/path/to/cert.pem' cannot be found!
- Value of 'authn_api_key' must be wrapped in 'Sensitive()'!
- You see an error in your Puppet logs that looks something like:
Error: Failed to apply catalog: Unknown function 'conjur::secret'
This is usually due to the cyberark/conjur module not being installed on the
Puppet server providing the catalog to the agent.
Install the cyberark/conjur module using our instructions
on Puppet master(s) as well as all compilation masters that will be used by the agent.
- You see an error in your Puppet logs that looks something like:
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Internal Server Error: org.jruby.exceptions.LoadError: (LoadError) no such file to load -- conjur/puppet_module/config
This is usually due to the conjur::secret function not being correctly wrapped
in a Deferred function or the parameters to the Deferred wrapper not being
correctly passed in as an array.
Follow our instructions on usage exactly
and make note of our required use of
Deferred functions.
In general, our secret retrieval should be invoked in this exact manner:
Deferred(conjur::secret, ['var/name'])
- You see an error in your Puppet logs that looks something like:
Error: Failed to apply catalog: Conjur configuration not found on system
This is usually due to the identity being specified neither in the catalog nor on the agent itself.
Ensure that either the server or the agent contains valid identity information.
- You see an error in your Puppet logs that looks something like:
Server Error: Evaluation Error: Error while evaluating a Method call, 'unwrap' parameter 'arg' expects a Sensitive value, got Deferred (file: inlined-epp-text, line: 1, column: 26) on node conjurnode.cyberark.com
This problem is usually due to use of a Deferred function result in a non-deferred
(e.g. templated) context.
When using results from this module, you must take care that any operations
that are handled at manifest compilation time (e.g. templating) are also done
via Deferred functions. See our example usage for
information on how to do this correctly.
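The failing pattern and its fix side by side, as an added example that is not taken from the module's own documentation. It assumes the Conjur identity is already configured on the agent; the file path and the `db_password` template variable are made up for illustration.

```puppet
# Added example; the file path and variable names are illustrative assumptions.

# Resolved on the agent when the catalog is applied, not on the server.
$db_password = Deferred(conjur::secret, ['inventory/db-password'])

# Fails during compilation: inline_epp() runs on the server, where
# $db_password is still an unresolved Deferred, so .unwrap raises
# "expects a Sensitive value, got Deferred".
#
# file { '/etc/myapp/db.conf':
#   content => inline_epp('password=<%= $db_password.unwrap %>',
#                         { 'db_password' => $db_password }),
# }

# Works: the template call is deferred as well, so the agent first resolves
# the nested conjur::secret call and then renders the template locally.
file { '/etc/myapp/db.conf':
  ensure    => file,
  owner     => 'root',
  mode      => '0600',
  # The rendered content is a plain string once unwrapped, so keep it out
  # of file diffs in agent logs and reports.
  show_diff => false,
  content   => Deferred('inline_epp', [
    'password=<%= $db_password.unwrap %>',
    { 'db_password' => $db_password },
  ]),
}
```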
- You see an error in your Puppet logs that looks something like:
Error: Failed to apply catalog: Failed to open TCP connection to badserver.com (getaddrinfo: No such host is known.)
This problem occurs when the appliance_url for Conjur is either
incorrect or unreachable from the agent.
Verify that the agent has the correct appliance_url set and that it is
reachable.
- You see an error in your Puppet logs that looks something like:
Error: Failed to apply catalog: Conjur server error: Unauthorized
This is usually due to credential values being incorrect for the target Conjur server.
Verify that authn_login_id, authn_api_key, and account are
correct for the server that you are trying to connect to.
- You see an error in your Puppet logs that looks something like:
Warning: Could not find any pre-populated Conjur credentials in WinCred storage for https://conjur.cyberark.com ... Error: Failed to apply catalog: Conjur server error: POST data to https://conjur.cyberark.com/authn/myaccount//authenticate must not be empty!
This issue is caused by Windows Credentials not having a matching credential for the server endpoint configured in the registry.
Ensure that you have the correct credentials set in Windows Credentials for the
appliance_url configured in Windows Registry.
- You see an error in your Puppet logs that looks something like:
Debug: Fetching Conjur secret 'inventoryy/db-password'... ... Error: Failed to apply catalog: Conjur server error: Not Found
The variable requested cannot be found, is not set, or you do not have permissions to access it.
Ensure that the variable at the requested ID exists, has a value, and that the configured user has permission to retrieve it.
- You see an error in your Puppet logs that looks something like:
Error: Failed to apply catalog: Conjur server error: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)
The provided Conjur SSL signing certificate is either incorrect, invalid, or malformed.
Ensure that ssl_certificate or cert_file correctly specifies the certificate
that can be used to validate the Conjur SSL certificate. Also ensure that
none of the certificates in the chain are expired as seen by the agent machine.
- You see an error in your Puppet logs that looks something like:
Error: Failed to apply catalog: Cert file '/path/to/conjur_ca.crt' cannot be found!
This issue is caused by the module being unable to parse the provided cert_file
parameter target.
Ensure that the path specified in cert_file parameter is valid and that it is
readable by the process that is running the puppet agent.
- You see an error in your Puppet logs that looks something like:
Error: Failed to apply catalog: Value of 'authn_api_key' must be wrapped in 'Sensitive()'!
The authn_api_key parameter was not wrapped in Sensitive().
Wrap the authn_api_key in Sensitive():
$db_password = Deferred(conjur::secret, ['inventory/db-password', {
  ...
  authn_api_key => Sensitive('actual_api_key_value'),
  ...
}])
If using Hiera, add this section to your variables used:
lookup_options:
  '^conjur::authn_api_key':
    convert_to: 'Sensitive'