Puppet Enterprise - 403 Forbidden request error during Puppet run


You get a 403 error during the Puppet Enterprise machineProvisioned workflow with an error like this:

ERROR [qtp1589934470-130870] [p.t.a.rules] Forbidden request: vro-plugin-user( access to /puppet-ca/v1/certificate_status/csc2cxn00020026.cloud.kp.org (method :put) (authenticated: true) denied by rule 'puppetlabs certificate status'.

Affected Versions

  • Puppet Enterprise 2019+

Workaround or Solution


Find the certificate_status path in auth.conf

  1. On the puppet master cd to /etc/puppetlabs/puppetserver/conf.d/

  2. vi auth.conf

  3. The rule for /puppet-ca/v1/certificate_status should allow your vrosvc certificate for get, put and delete.

    The section you're looking for should look something like this (see image below)

Modify auth.conf file

  1. if the section for path puppet-ca/v1/certificate_status doesn’t contain the vrosvc certificate under the allow section, add it and save the file.

  2. restart pe-puppetserver.service and pe-console-services.service

If any other 403 error messages show up on any other paths, look for them in auth.conf and make sure your certificate is allowed for that path as well.

Additional information

Include links to outside source articles or reference material if applicable

Have more questions? Submit a request


Please sign in to leave a comment.