Troubleshooting cloud deployments

If you encounter issues with your PE cloud deployment, try these fixes.

Authentication fails with SSH username or credentials

Cloud providers vary in their support for SSH authentication.


AWS cloud deployments use cloud-init to provision an SSH key for the puppetadmin user, but disable root SSH access. You must specify a key pair when launching an AWS Marketplace image and connect it with the matching private key. For example, you can run:

aws ec2 run-instance --key-name <KEYPAIR_NAME> …
ssh -i ~/.ssh/<KEYPAIR_PRIVATE>.pem puppetadmin@<PRIMARY_HOSTNAME>


Azure cloud deployments support authenticating with either an SSH key pair or a user name and password. The private key must be the pair of the public key specified when you created the image.

After 60 days, the puppetadmin user account stops working

The default puppetadmin user’s password expires 60 days after the image is created. If you fail to reset the password, the account expires.

To prevent the password from expiring, run chage -E -1 puppetadmin on the primary server.

Agent run fails for non-root users

An agent run initiated by puppetadmin or any other non-root user fails when attempting to access certificates, packages, and services.

Always execute agent runs with super-user privileges:

sudo /usr/local/bin/puppet agent -t

Certificate-signing curl command has incorrect URL

The curl command on the console's Unsigned Certificates page contains a URL that uses your primary server's private hostname or internal DNS name, which won't work for nodes that can't resolve that name.

For example, the command might look like:

curl -k | sudo bash

Change the private hostname or internal DNS name to the public hostname or externally qualified domain name.