Issues Connecting to Sensu with puppet

Description of your problem

I am trying to create a puppet module that uses the sensu:sensu puppet module to connect to our sensu service. This will be used on a brand new puppet server. We currently have a production puppet server using older modules, the plan is to migrate our servers to the the new puppet server when I get it working.

I have copied the code from the old server, but it is not working on the new server and I think this is because I am using a newer sensu module and the code has changed.

Currently my code adds centos 7 servers to puppet but I get errors and I have read the documentation and searched forums for an answer but cannot resolve.

I am getting this error in the journal of the sensu-agent service :
{"component":"agent","error":"Error reading CA file: open /etc/sensu/ssl/ca.crt: permission denied","level":"error","msg":"reconnection attempt failed","time":"2023-04-14T13:28:40+12:00"}

I get this when I run puppet (message repeats several times - our internal domain is redacted)
Notice: Unable to connect to sensu_api server (https://******.******.com:8080): Failed to open TCP connection to *******.******.com:8080 (Connection refused - connect(2) for "******.******.com" port 8080)

Description of steps you’ve taken to attempt to solve the issue

I have change the mode on /etc/sensu/ssl/ca.crt on the agent server to 777 - this didnt make a difference.
I have read the readme for sensu puppet module, and tried various changes - Nothing has worked

Environmental information

Operating system information

Centos agent
Ubuntu Puppet server

Package versions

Sensu version 6.9.2
Sensu Puppet Plugin v5.11.1

My code:
` class { ‘sensu’:
api_host => ‘’,
user => ‘****’,
password => ‘***********’,


$my_config = {
‘backends’ => [‘’],
‘name’ => upcase(“${::hostname}”),
‘subscriptions’ => $sensu_subscriptions,
‘username’ => ‘',
‘password’ => '
‘agent-managed-entity’ => true,
‘labels’ => {‘region’ => “some-region” , ‘vm-host’ => “some-host”, ‘environment’ => “bobs-your-uncle”},

class { ‘sensu::agent’:
config_hash => $my_config,

Hey there, I think this is pointing to a separate issue from the puppet module connecting to the backend. Your agent doesn’t seem to have the CA file owned by the sensu user, so that should be a fairly straightforward fix.

As to this issue:

I’d validate that 1.) the sensu backend is running and 2.) you can actually connect to it.

Thanks Aaron - yes the backend is running and I can connect to it - this vm is showing up in the sensu console

Hey there,

So what does the actual rendered backend.yml look like once puppet’s done its thing? It sounds like it’s working (e.g., you’ve got an agent reporting in, you can do curls against the api like curl http://localhost:8080/health, the service is up and running). So it’s just puppet reporting that it can’t hit the API?

Hi Guys

This issue can be closed. I tracked the issue down and resolved. There were a number of things wrong, confusion as to which password to use, the wrong ssl certificate being used and also a couple of puppet plugs were not installed.

Thanks for your help on this one - it certainly pointed me in the correct direction.

1 Like