Puppet decryption errors in vRO Workflow


When you run your puppet workflow the logs may show something similar to this:

[2020-02-07 20:07:51.632] [E] An error occured -->: last block incomplete in decryption (Workflow :Puppet Enterprise machineProvisioned / Install Puppet node (item8)#6)
[2020-02-07 20:07:51.633] [E] SovLabs Puppet Enterprise response: undefined


This can be caused due to changes to your certificates or for some reason vRO is unable to decrypt these values. These are stored in vRO as encrypted.

Affected Versions

  • All versions

Workaround or Solution


Re entering the keys from your puppet server should resolve your issues
The originals can often be sourced from your Puppet Master as follows: (http://docs.sovlabs.com/latest/vRA/7.6/modules/configuration-mgmt/puppet-enterprise/prerequisites/#puppet-authentication-certificate )

Quick Reference of location on your puppet server:

API CERT : cat /etc/puppetlabs/puppet/ssl/certs/vrosvc.pem
API RSA PRIVATE KEY : cat /etc/puppetlabs/puppet/ssl/private_keys/vrosvc.pem
API CA CERTIFICATE : cat /etc/puppetlabs/puppet/ssl/certs/ca.pem

If you are using an alternative certificate name, replace the vrosvc portion of the filename. Copying the output of each of these commands into the respective fields and saving the SovLabs configuration should resolve your issue.

Updating you certificates in your SovLabs Puppet Master Configuration

  1. In vRA, click on Deployments (1) then under components place a check next to SovLabs Puppet (2)

  2. Under Deployments locate you PuppetMaster Configuration (1) and then click on Actions (2) and select Update Puppet master Config (3)

  3. In the SovLabs Puppet Enterprise Module, click on the heading Certificate Configuration

  4. Under the heading Certificate PEM files.  This is the section that you will need to copy in the keys for each certificate type
    (See: http://docs.sovlabs.com/latest/vRA/7.6/modules/configuration-mgmt/puppet-enterprise/prerequisites/#puppet-authentication-certificate for information on certificate locations)

  5. Once updated click on Submit

  6. Test a deployment and verify the deployments are now deploying as required.

Additional information

SovLabs Puppet Authentication Certificates : http://docs.sovlabs.com/latest/vRA/7.6/modules/configuration-mgmt/puppet-enterprise/prerequisites/#puppet-authentication-certificate

Have more questions? Submit a request


Please sign in to leave a comment.