You get a 403 error during the Puppet Enterprise machineProvisioned workflow with an error like this:
ERROR [qtp1589934470-130870] [p.t.a.rules] Forbidden request: vro-plugin-user(10.15.143.18) access to /puppet-ca/v1/certificate_status/csc2cxn00020026.cloud.kp.org (method :put) (authenticated: true) denied by rule 'puppetlabs certificate status'.
Puppet Enterprise 2019+
Workaround or Solution
Find the certificate_status path in auth.conf
On the puppet master cd to /etc/puppetlabs/puppetserver/conf.d/
The rule for /puppet-ca/v1/certificate_status should allow your vrosvc certificate for get, put and delete.
The section you're looking for should look something like this (see image below)
Modify auth.conf file
if the section for path puppet-ca/v1/certificate_status doesn’t contain the vrosvc certificate under the allow section, add it and save the file.
restart pe-puppetserver.service and pe-console-services.service
If any other 403 error messages show up on any other paths, look for them in auth.conf and make sure your certificate is allowed for that path as well.
Include links to outside source articles or reference material if applicable