Puppet Plans using conjur::secret function

I'm trying to use the conjur::secret function to acquire a secret from Conjur in a Puppet Plan and I'm getting the following error:

"msg" : "cert already in hash table",
"kind" : "bolt/pal-error",

The code is:

$username = conjur::secret("${user_creds_path}/username")

I’m using Puppet Enterprise 2021.6 and Puppet Forge Conjur Module 3.1.0.

@frank.mundt,

Our Conjur Module v3.1.0 is only tested and supported for Puppet Enterprise 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x. So, I cannot attest to the working state of the module for 2021.6.

Regardless, it is my understanding that the Variable ID and any Options must be defined in an array. Also, the module requires the use of Deferred functions. So, for the example you provided, it would be:

$variableId = "${user_creds_path}/username"
$username = Deferred(conjur::secret, [$variableId])

Finally, how are you providing Puppet the Conjur service information such as Appliance URL, Host ID, etc? Acceptable ways are to define it in the manifest, use files on the Linux filesystem (.netrc files), or by using Hiera to provide it. This information can be found here.

Joe - this is a special case. In this solution the secret is being accessed using the identity of the Puppet Compile server, so deferring the execution of the function to the node is not required. The code in the example works in a Puppet Class; it does not work in a Puppet Plan. It could be that the function is just not available to the Puppet Plan.

We have been using Conjur V3.1.0 in Puppet 2021.6 for over 6 months without issues. The environment variables to find the identity and config files are set for the Puppet agent to use. We have the defer function used in many locations.

We are seeing this issue in regular usage now as well. I'm wondering if this helps determine the root cause: (PUP-5588) Prevent Windows duplicate cert loads · puppetlabs/puppet@35572a9 · GitHub.

Could it be that the module is trying to load the ca.pem from the conjur.conf file and it’s already in the default store?

We have determined the root cause and corrected the issue. The ‘conjur.pem’ file on the server was configured incorrectly. The root CA was duplicated rather than having the issuing authority and root certs.
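Since the root cause above was a conjur.pem that contained the root CA twice instead of the issuing CA plus the root, here is an added Ruby check (not from this thread or the Conjur module) that parses a PEM bundle, reports duplicate certificates and whether a non-self-signed issuing CA is present, and loads a trust store without adding the same certificate twice. The CA hierarchy, file names and subject names are constructed in the script for demonstration.

```ruby
require 'openssl'

# Split a PEM bundle (e.g. conjur.pem) into its certificates, order preserved.
def parse_bundle(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Summarize the bundle: duplicates (what trips "cert already in hash table"), roots, issuing CAs.
def check_bundle(pem)
  certs = parse_bundle(pem)
  dups = certs.group_by(&:to_der).values.select { |v| v.size > 1 }
  roots, issuing = certs.partition { |c| c.issuer.to_der == c.subject.to_der }
  { count: certs.size,
    duplicates: dups.map { |v| v.first.subject.to_s },
    roots: roots.map { |c| c.subject.to_s }.uniq,
    intermediates: issuing.map { |c| c.subject.to_s }.uniq }
end

# Load a bundle into a trust store, adding each distinct certificate only once
# so a duplicated entry cannot make the add fail.
def build_store(pem)
  store = OpenSSL::X509::Store.new
  parse_bundle(pem).uniq(&:to_der).each { |c| store.add_cert(c) }
  store
end

# Constructed CA hierarchy for demonstration only (not real Conjur certificates).
def make_ca_cert(subject, key, issuer_cert = nil, issuer_key = nil, serial = 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
ROOT = make_ca_cert('/CN=Example Root CA', ROOT_KEY)
ISSUING_KEY = OpenSSL::PKey::RSA.new(2048)
ISSUING = make_ca_cert('/CN=Example Issuing CA', ISSUING_KEY, ROOT, ROOT_KEY, 2)
BAD_BUNDLE = ROOT.to_pem + ROOT.to_pem        # root duplicated, as in the thread
GOOD_BUNDLE = ISSUING.to_pem + ROOT.to_pem    # issuing CA plus root, as intended
```

Running `check_bundle` on the real file is enough to spot the duplicated root; `build_store` shows the defensive loading path if the file cannot be fixed immediately.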
