I am using two Virtual Machines sitting on a single server. One VM is my Puppet Master (puppet server) and the other is my Puppet Agent. I am using PKCS7 RSA encryption to pass a secret token to my Puppet agent from the Puppet Master. I am using an .eyaml file within my control repository to keep the encrypted token in.
How I am encrypting the token:
I first start off with creating the keys for eyaml on the Puppet master. To do this I run:
/opt/puppetlabs/puppet/bin/eyaml create keys --pkcs7-private-key=/etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem --pkcs7-public-key=/etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem
Once I have run that I then go and change the permissions of the directory and the files, to do this I run the following three commands:
chown -R puppet:puppet /etc/puppetlabs/puppet/eyaml
chmod -R 0500 /etc/puppetlabs/puppet/eyaml
chmod 0400 /etc/puppetlabs/puppet/eyaml/*.pem
From here I am then ready to encrypt the token. For this I run the following command but with the key and value filled in:
/opt/puppetlabs/puppet/bin/eyaml encrypt -l 'insert key to be encrypted here' -s 'insert value to be encrypted here' --pkcs7-private-key=/etc/puppetlabs/puppet/eyaml/private_key.pkcs7.pem --pkcs7-public-key=/etc/puppetlabs/puppet/eyaml/public_key.pkcs7.pem
I then take the encrypted value and place it in my eyaml file within my control repository, /control-repo/data/secrets/nodes/example.example.com.eyaml
This file then looks something like:
---
letsencrypt::plugin::dns_cloudflare::api_token: ENC[PKCS7,<Encryption here>/Sc=]
letsencrypt::plugin::dns_cloudflare::email: '[email protected]'
Deploying the Code:
I am using r10k as well, so each time I have made changes to the control-repo, after I pull from GitHub I run r10k deploy environment production -pv
Once I have run that I then go ahead and run puppet agent -t --no-noop on the Puppet Master. Once that has run and succeeded I then go over to my puppet agent and run the same command, puppet agent -t --no-noop. This time I find myself with an RSA cipher error.
The Error that I am seeing is the following:
Info: Using environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Loading facts
Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: hiera-eyaml backend error decrypting ENC[PKCS7,<Encyption here>Sc=] when looking up letsencrypt::plugin::dns_cloudflare::api_token in /etc/puppetlabs/code/environments/production/data/secrets/nodes/example.example.com.eyaml. Error was input too large for RSA cipher. on node example.example.com
I have had this working in the past with the exact same process as I have placed above.
Any help on how I can resolve this would be greatly appreciated; I have been trying to work out the best way to resolve this but I am unsure. Thank you.
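The two steps the post performs by hand (generating the key pair and locking down its permissions) can be checked before the catalog run ever gets as far as decryption. The script below is an added example, not part of the original post and not hiera-eyaml's own tooling. It assumes the default hiera-eyaml layout that the post uses: an RSA private key PEM and an X.509 certificate PEM as the "public key", both readable only by the puppet user. The file paths and the `eyaml_` function names are the example's own choices.

```sh
#!/bin/sh
# eyaml_keycheck.sh: sanity checks for a hiera-eyaml PKCS7 key pair.
# Added example; assumes the default hiera-eyaml file layout
# (private_key.pkcs7.pem = RSA private key, public_key.pkcs7.pem = X.509 cert).

# Print the SHA-256 of the RSA modulus found in a PEM file.
# $1 = path, $2 = openssl subcommand to parse it with ("rsa" or "x509").
eyaml_modulus() {
    openssl "$2" -in "$1" -noout -modulus 2>/dev/null \
        | openssl dgst -sha256 \
        | awk '{print $NF}'
}

# Return 0 when the private key and the public certificate share the same
# RSA modulus, i.e. they were generated together and decryption will use the
# key that matches what the control repo was encrypted with. Return 1 otherwise.
eyaml_keys_match() {
    priv=$(eyaml_modulus "$1" rsa)
    pub=$(eyaml_modulus "$2" x509)
    [ -n "$priv" ] && [ "$priv" = "$pub" ]
}

# Return 0 when every file given has mode 0400 (the mode the post sets on
# the *.pem files), 1 otherwise. Works with GNU stat and BSD stat.
eyaml_perms_ok() {
    for f in "$@"; do
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
        [ "$mode" = "400" ] || return 1
    done
    return 0
}

# Stand-alone usage: run against the paths from the post (assumed defaults).
if [ "${1:-}" = "--check" ]; then
    dir=${2:-/etc/puppetlabs/puppet/eyaml}
    priv="$dir/private_key.pkcs7.pem"
    pub="$dir/public_key.pkcs7.pem"
    if eyaml_keys_match "$priv" "$pub"; then
        echo "key pair: OK (moduli match)"
    else
        echo "key pair: MISMATCH or unreadable"
    fi
    if eyaml_perms_ok "$priv" "$pub"; then
        echo "permissions: OK (0400)"
    else
        echo "permissions: not 0400"
    fi
fi
```

Run it as `sh eyaml_keycheck.sh --check` on the Puppet Master (as root or as the puppet user, since the files are 0400). A mismatch between the moduli means the private key on the server is not the partner of the certificate the secrets were encrypted against, which is worth ruling out before looking anywhere else; a permissions failure means the chmod step did not apply to the files.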