Puppet Enterprise 2017.3

Use this reference to troubleshoot error messages when using Windows with Puppet.

  • "Error: Could not connect via HTTPS to https://forge.puppet.com / Unable to verify the SSL certificate / The certificate may not be signed by a valid CA / The CA bundle included with OpenSSL may not be valid or up to date"

    This error occurs when you run the puppet module subcommand on newly provisioned Windows nodes. The Forge uses an SSL certificate signed by the GeoTrust Global CA certificate. Newly provisioned Windows nodes may not have that CA in their root CA store yet.

    Download the "GeoTrust Global CA" certificate from GeoTrust's list of root certificates and manually install it by running certutil -addstore Root GeoTrust_Global_CA.pem.

  • "Service 'Puppet Agent' (puppet) failed to start. Verify that you have sufficient privileges to start system services."

    This error occurs when installing Puppet on a UAC system from a non-elevated account. Although the installer displays the UAC prompt to install Puppet, it does not elevate privileges when trying to start the service.

    Run from an elevated cmd.exe process when installing the MSI.

  • "Cannot run on Microsoft Windows without the sys-admin, win32-process, win32-dir, win32-service and win32-taskscheduler gems."

    This error occurs if you attempt to run Windows without required gems.

    Install specified gems: gem install <GEM_NAME>

  • "err: /Stage[main]//Scheduled_task[task_system]: Could not evaluate: The operation completed successfully."

    This error occurs when using a the task scheduler gem earlier than version 0.2.1.

    Update the task scheduling gem: gem update win32-taskscheduler

  • "err: /Stage[main]//Exec[C:/tmp/foo.exe]/returns: change from notrun to 0 failed: CreateProcess() failed: Access is denied."

    This error occurs when requesting an executable from a remote Puppet master that cannot be executed.

    Set the user/group executable bits appropriately on the master:

    file { "C:/tmp/foo.exe":
      source => "puppet:///modules/foo/foo.exe",
    exec { 'C:/tmp/foo.exe':
      logoutput => true
  • "err: getaddrinfo: The storage control blocks were destroyed."

    This error occurs when the agent can't resolve a DNS name into an IP address or if the reverse DNS entry for the agent is wrong.

    Verify that you can run nslookup <dns>. If this fails, there is a problem with the DNS settings on the Windows agent, for example, the primary dns suffix is not set. For more information, see Microsoft's documentation on Naming Hosts and Domains.

  • "err: Could not request certificate: The certificate retrieved from the master does not match the agent's private key."

    This error occurs if the agent's SSL directory is deleted after it retrieves a certificate from the master, or when running the agent in two different security contexts.

    Elevate privileges using Run as Administrator when you select Start Command Prompt with Puppet.

  • "err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client."

    This error occurs when Windows agents' time isn't synched. Windows agents that are part of an Active Directory domain automatically have their time synchronized with AD.

    For agents that are not part of an AD domain, enable and add the Windows time service manually:

    w32tm /register
    net start w32time
    w32tm /config /manualpeerlist:<ntpserver> /syncfromflags:manual /update
    w32tm /resync
  • "Error: Could not parse for environment production: Syntax error at '='; expected '}'"

    This error occurs if puppet apply -e is used from the command line and the supplied command is surrounded with single quotes ('), which causes cmd.exe to interpret any => in the command as a redirect.

    Surround the command with double quotes (") instead.

Back to top