homebloginstalling gems windows puppet

Installing gems on Windows with Puppet

If you need to access or make changes to the Ruby runtime that ships with the Puppet Windows Installer Package (known as the MSI) to install Ruby gems, there are a couple of common ways:

  • Interactively, via the Start Command Prompt with Puppet shortcut and the gem install command. This tends to be used for testing, given changes impact only the current system.
  • By using the package type with the gem provider in a Puppet manifest, which may impact many systems:

package { 'retries': provider => 'gem' }

This can be necessary to enable Puppet modules to function, when those modules depend on code from a Ruby gem that is not included with the puppet-agent MSI. This most commonly happens with the AWS, Azure or vSphere modules.

You may have noticed that installing gems on Windows has been failing since rubygems.org upgraded its SSL certificate to a more secure format on 6 October 2016, due to the fact that the Root CA came from a new issuer. Agents prior to the puppet-agent-1.6.0 agent could be experiencing errors like this:

In the puppet-agent MSI prior to 1.6.0, the RubyGems included with the Puppet Ruby distribution use a default configuration of trusting only six Root CAs. Unfortunately, the new CA GlobalSign is not included. In puppet-agent 1.6.0 and newer, Puppet began shipping a CA bundle that includes the 150-plus trusted Root CAs derived from the actively maintained Mozilla list, and ensures that the OpenSSL Ruby relies on is configured to use this bundle. Since the new issuing Root CA from GlobalSign has always been included, 1.6.0+ agents are not impacted.

Fortunately, Puppet itself can be used to add the GlobalSign Root CA to the appropriate directory on older versions of Puppet, using the following manifest:

Note that for compatibility reasons, this manifest requires at least Puppet 3.5 (released in April 2014) to run. Upon removal or upgrade of the Puppet MSI, this file will remain in place.

Ethan J. Brown is a principal software engineer at Puppet.

Puppet sites use proprietary and third-party cookies. By using our sites, you agree to our cookie policy.