# Troubleshooting Puppet on Windows

## Tips

### Process Explorer

We recommend installing Process Explorer and configuring it to replace Task Manager. This will make debugging significantly easier.

### Logging

As of Puppet 2.7.x, messages from the puppetd log file are available via the Windows Event Viewer (choose “Windows Logs” > “Application”). To enable debugging, stop the puppet service and restart it as:

c:\>sc stop puppet && sc start puppet --debug --trace


Puppet’s windows service component also writes to the windows.log within the same log directory and can be used to debug issues with the service.

## Common Issues

The Puppet MSI package will overwrite an existing entry in the puppet.conf file. As a result, if you uninstall the package, then reinstall the package using a different puppet master hostname, Puppet will apply the new value in $confdir\puppet.conf. Be sure to use the same master hostname when installing/upgrading. In general, we’ve taken the approach of preserving configuration data on the system when doing an upgrade, uninstall or reinstall. To fully clean out a system make sure to delete the confdir and vardir. Similarly, the MSI will not overwrite the custom facts written to the PuppetLabs\facter\facts.d directory. ### Unattended installation Puppet may fail to install when trying to perform an unattended install from the command line, e.g. msiexec /qn /norestart /i puppet.msi  To get troubleshooting data, specify an installation log, e.g. /l*v install.txt. Look in the log for entries like the following: MSI (s) (7C:D0) [17:24:15:870]: Rejecting product '{D07C45E2-A53E-4D7B-844F-F8F608AFF7C8}': Non-assigned apps are disabled for non-admin users. MSI (s) (7C:D0) [17:24:15:870]: Note: 1: 1708 MSI (s) (7C:D0) [17:24:15:870]: Product: Puppet -- Installation failed. MSI (s) (7C:D0) [17:24:15:870]: Windows Installer installed the product. Product Name: Puppet. Product Version: 2.7.12. Product Language: 1033. Manufacturer: Puppet Labs. Installation success or error status: 1625. MSI (s) (7C:D0) [17:24:15:870]: MainEngineThread is returning 1625 MSI (s) (7C:08) [17:24:15:870]: No System Restore sequence number for this installation. Info 1625.This installation is forbidden by system policy. Contact your system administrator.  If you see entries like this you know you don’t have sufficient privileges to install puppet. Make sure to launch cmd.exe with the Run as Administrator option selected, and try again. ## File Paths ### Path Separator Make sure to use a semi-colon (;) as the path separator on Windows, e.g., modulepath=path1;path2 ### File Separator In most resource attributes, the Puppet language accepts either forward- or backslashes as the file separator. However, some attributes absolutely require forward slashes, and some attributes absolutely require backslashes. See the relevant section of Writing Manifests for Windows for more information. ### Backslashes When backslashes are double-quoted(“), they must be escaped. When single-quoted (‘), they may be escaped. For example, these are valid file resources: file { 'c:\path\to\file.txt': } file { 'c:\\path\\to\\file.txt': } file { "c:\\path\\to\\file.txt": }  But this is an invalid path, because \p, \t, \f will be interpreted as escape sequences: file { "c:\path\to\file.txt": }  ### UNC Paths UNC paths are supported for package resources on Windows as of Puppet 2.7.12, using the typical \\servername\directory\package.msi format. Support for UNC paths for file resources was added in Puppet 3.4.0. ### Case-insensitivity Several resources are case-insensitive on Windows (file, user, group). When establishing dependencies among resources, make sure to specify the case consistently. Otherwise, puppet may not be able to resolve dependencies correctly. For example, applying the following manifest will fail, because puppet does not recognize that FOOBAR and foobar are the same user: file { 'c:\foo\bar': ensure => directory, owner => 'FOOBAR' } user { 'foobar': ensure => present } ... err: /Stage[main]//File[c:\foo\bar]: Could not evaluate: Could not find user FOOBAR  ### Diffs Puppet does not show diffs on Windows (e.g., puppet agent --show_diff) unless a third-party diff utility has been installed (e.g., msys, gnudiff, cygwin, etc) and the diff setting has been set appropriately. ## Resource Errors and Quirks ### Exec When declaring a Windows exec resource, the path to the resource typically depends on the %WINDIR% environment variable. Since this may vary from system to system, you can use the path fact in the exec resource: exec { 'cmd.exe /c echo hello world': path =>$::path
}


### Shell Builtins

Puppet does not currently support a shell provider on Windows, so executing shell builtins directly will fail:

exec { 'echo foo':
path => 'c:\windows\system32;c:\windows'
}
...
err: /Stage[main]//Exec[echo foo]/returns: change from notrun to 0 failed: Could not find command 'echo'


Instead, wrap the builtin in cmd.exe:

exec { 'cmd.exe /c echo foo':
path => 'c:\windows\system32;c:\windows'
}


Keep in mind that in 32-bit versions of Puppet, you may be subject to file system redirection (where system32 is switched to sysWOW64 automatically by Windows). We have ways of dealing with the redirection.

Or, better still, use the tip from above:

exec { 'cmd.exe /c echo foo':
path => $::path }  ### Powershell By default, powershell enforces a restricted execution policy which prevents the execution of scripts. Consequently, make sure to specify the appropriate execution policy in the powershell command: exec { 'test': command => 'powershell.exe -executionpolicy remotesigned -file C:\test.ps1', path =>$::path
}


### Package

The source of an MSI or EXE package must be a file on either a local filesystem, a network mapped drive, or a UNC path. It does not support URI-based sources, though you can achieve a similar result by defining a file whose source is the puppet master and then defining a package whose source is the local file.

### Service

Windows services support a short name and a display name. Make sure to use the short name in puppet manifests. For example use wuauserv, not Automatic Updates. You can use sc query to get a list of services and their various names.

## Error Messages

• Error: Could not connect via HTTPS to https://forge.puppetlabs.com / Unable to verify the SSL certificate / The certificate may not be signed by a valid CA / The CA bundle included with OpenSSL may not be valid or up to date

This can occur when you run the puppet module subcommand on newly provisioned Windows nodes.

The Puppet Forge uses an SSL certificate signed by the GeoTrust Global CA certificate. Newly provisioned Windows nodes may not have that CA in their root CA store yet.

You have two options for fixing this. Choose one:

• Download the “GeoTrust Global CA” certificate from GeoTrust’s list of root certificates and manually install it by running certutil -addstore Root GeoTrust_Global_CA.pem.
• Service 'Puppet Agent' (puppet) failed to start. Verify that you have sufficient privileges to start system services.

This can occur when installing puppet on a UAC system from a non-elevated account. Although the installer displays the UAC prompt to install puppet, it does not elevate when trying to start the service. Make sure to run from an elevated cmd.exe process when installing the MSI.

• Cannot run on Microsoft Windows without the sys-admin, win32-process, win32-dir, win32-service and win32-taskscheduler gems.

Puppet requires the indicated Windows-specific gems, which can be installed using gem install <gem>

• err: /Stage[main]//Scheduled_task[task_system]: Could not evaluate: The operation completed successfully.

This error can occur when using version < 0.2.1 of the win32-taskscheduler gem. Run gem update win32-taskscheduler

• err: /Stage[main]//Exec[C:/tmp/foo.exe]/returns: change from notrun to 0 failed: CreateProcess() failed: Access is denied.

This error can occur when requesting an executable from a remote puppet master that cannot be executed. For a file to be executable on Windows, set the user/group executable bits accordingly on the puppet master (or alternatively, specify the mode of the file as it should exist on the Windows host):

  file { "C:/tmp/foo.exe":
source => "puppet:///modules/foo/foo.exe",
}

exec { 'C:/tmp/foo.exe':
logoutput => true
}

• err: getaddrinfo: The storage control blocks were destroyed.

This error can occur when the agent cannot resolve a DNS name into an IP address (for example the server, ca_server, etc properties). To verify that there is a DNS issue, check that you can run nslookup <dns>. If this fails, there is a problem with the DNS settings on the Windows agent (for example, the primary dns suffix is not set). See http://technet.microsoft.com/en-us/library/cc959322.aspx

This error can also occur if the reverse DNS entry for the agent is wrong.

• err: /Stage[main]//Group[mygroup]/members: change from to Administrators failed: Add OLE error code:8007056B in <Unknown> <No Description> HRESULT error code:0x80020009 Exception occurred.

This error will occur when attempting to add a group as a member of another local group, i.e. nesting groups.

This only applies to Puppet versions prior to 3.4.0. If you get this error, upgrade Puppet to a newer version.

• err: /Stage[main]//Package[7zip]/ensure: change from absent to present failed: Execution of 'msiexec.exe /qn /norestart /i "c:\\7z920.exe"' returned 1620: T h i s i n s t a l l a t i o n p a c k a g e c o u l d n o t b e o p e n e d . C o n t a c t t h e a p p l i c a t i o n v e n d o r t o v e r i f y t h a t t h i s i s a v a l i d W i n d o w s I n s t a l l e r p a c k a g e .

This error can occur when attempting to install a non-MSI package on Puppet versions prior to 3.0. Puppet 2.7 and earlier only support MSI packages. To install non-MSI packages, use an exec resource with an onlyif parameter or upgrade to Puppet 3 and use the windows package provider, which supports executable installers.

• err: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.

This error is usually a sign that the master has already issued a certificate to the agent. This can occur if the agent’s SSL directory is deleted after it has retrieved a certificate from the master, or when running the agent in two different security contexts. For example, running puppet agent as a service and then trying to run puppet agent from the command line with non-elevated security. Specifically, this would happen if you’ve selected Start Command Prompt with Puppet but did not elevate privileges using Run as Administrator.

• err: Could not evaluate: Could not retrieve information from environment production source(s) puppet://puppet.domain.com/plugins.

This error will be generated when a Windows agent does a pluginsync from the Puppet master server, when the latter does not contain any plugins. Note that pluginsync is enabled by default on Windows. This is a known bug in 2.7.x, see https://projects.puppetlabs.com/issues/2244.

• err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client.

Windows agents that are part of an Active Directory domain should automatically have their time synchronized with AD. For agents that are not part of an AD domain, you may need to enable and add the Windows time service manually:

  w32tm /register
net start w32time
w32tm /config /manualpeerlist:<ntpserver> /syncfromflags:manual /update
w32tm /resync

• err: You cannot service a running 64-bit operating system with a 32-bit version of DISM. Please use the version of DISM that corresponds to your computer's architecture.

If you are running a 32-bit version of Puppet on a 64-bit versions of Windows, Windows will redirect all file system access from %windir%\system32 to %windir%\SysWOW64 instead. This happens if you are using Windows Server 2003, which is compatible only with 32-bit Puppet, or if you are using a version of Puppet older than 3.7.

When attempting to configure Windows roles and features using dism.exe, make sure to use the 64-bit version. This can be done by executing c:\windows\sysnative\dism.exe, which will prevent file system redirection. See Language: Handling File Paths on Windows for more information about file system redirection in Windows 2003.

• “Error: Could not parse for environment production: Syntax error at ‘=’; expected ‘}’”

This error will usually occur if puppet apply -e is used from the command line and the supplied command is surrounded with single quotes (‘), which will cause cmd.exe to interpret any => in the command as a redirect. To solve this surround the command with double quotes (“) instead. See https://projects.puppetlabs.com/issues/20528.

### File (pre-3.4.0)

If the owner and/or group are specified in a file resource on Windows, the mode must also be specified. So this is okay:

file { 'c:/path/to/file.bat':
ensure => present,
mode   => 0770
}


But this is not:

file { 'c:/path/to/file.bat':
ensure => present,

takeown /f c:/path/to/file.bat && icacls c:/path/to/file.bat /reset