  • Ensure NTP is set up correctly
  • Functional DNS A record for Server Name. This module relies on DNS resolution of the target VM hostname from the vRO server.

Create Puppet Certificate and Update Puppet Console Configuration

Create the certificate on the Puppet CA that will be used for communication with the Puppet Console API and the Puppet CA API. This is the certificate that will be configured in your Puppet Master module for certificate authentication from the CMP to the Puppet console. For the Puppet console API to accept the certificate, the configuration changes below are required.

Perform the following for each Puppet Master:

In the following instructions, replace CERTNAME with the chosen cert name. We recommend vrosvc.

1. SSH to the Puppet Master (as root, or an account that has sudo privileges)
2. su to root if needed
3. Create a certificate (replace CERTNAME with vrosvc)

puppet cert generate CERTNAME

4. Modify the certificate_authority.pp by typing in the following:

vi /opt/puppetlabs/puppet/modules/puppet_enterprise/manifests/profile/certificate_authority.pp

Find the following in the file and replace CERTNAME accordingly.
If the following section does not already exist, copy and paste it into the header of the file (this is the opening of the class parameter list; the remainder of the class follows it unchanged):

class puppet_enterprise::profile::certificate_authority (
  Array[String] $client_whitelist = [ 'CERTNAME' ],

5. Save the file: Hit the esc key and then type in :wq

6. Modify auth.conf by typing in the following:

vi /etc/puppetlabs/puppetserver/conf.d/auth.conf

Find and replace CERTNAME in the file accordingly.
If the following rule does not already exist, copy and paste it into the header of the file, inside the rules list (the "method" values shown are the ones the default "puppetlabs certificate status" rule carries):

        {
            "allow" : [ "CERTNAME" ],
            "match-request" : {
                "method" : [ "get", "put" ],
                "path" : "/puppet-ca/v1/certificate_status",
                "query-params" : {},
                "type" : "path"
            },
            "name" : "puppetlabs certificate status",
            "sort-order" : 500
        },

7. Save the file: Hit the esc key and then type in :wq

8. Modify the rbac-certificate-whitelist by typing in the following:

vi /etc/puppetlabs/console-services/rbac-certificate-whitelist

Add the CERTNAME to the end of the file, where CERTNAME is the name identified in Step 3 (e.g. vrosvc).

9. Save the file: Hit the esc key and then type in :wq
10. Restart necessary services:

sudo service pe-console-services restart

root Credentials or sudo Elevated Privileges

On a monolithic Puppet Enterprise instance you will need root credentials (recommended) or credentials with sudo elevated privileges on the Puppet Master server.

If these are separate servers in your environment, you need root credentials or credentials with elevated privileges on these:

  • Puppet CA
  • Puppet Compile Master
  • Puppet database server

vRO must be able to authenticate to the Puppet Master and the other components as root, or must be able to sudo to root to execute commands.
The root user can be authenticated using the password or with SSH keys.
The alternative is a service account that has been granted sudo permissions in sudoers.
The steps for setting up sudo permissions on the Puppet components can be quite involved and are not in the scope of this document.

Collect the appropriate keys from the Puppet Master. Paste them into a text editor, or copy/paste them directly into the SovLabs Puppet Master configuration form:

Type                                         Location
API Certificate                              /etc/puppetlabs/puppet/ssl/certs/CERTNAME
Private Key                                  /etc/puppetlabs/puppet/ssl/private_keys/CERTNAME
CA Certificate (used to sign the API cert)   /etc/puppetlabs/puppet/ssl/ca/ca_crt

Replace CERTNAME accordingly (e.g. vrosvc).
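Before pointing vRO at the master, it is worth confirming that steps 3 through 8 actually took effect. The script below is an added example, not SovLabs or Puppet Enterprise code: it checks that the three SSL files exist, that CERTNAME is a line in rbac-certificate-whitelist, and that the certificate_status rule in auth.conf lists CERTNAME. It assumes PE's default paths, that the SSL files carry PE's .pem extension, and that auth.conf keeps one rule object per entry in the rules list; the function names are the author's own.

```shell
#!/bin/sh
# Added example, not SovLabs or Puppet Enterprise code: check that CERTNAME
# is whitelisted as steps 3-8 describe before handing its cert to vRO.
# Assumes PE's default paths, its .pem file extension, and one rule object
# per entry in authorization.rules; every path can be overridden via env.
CERTNAME="${CERTNAME:-vrosvc}"
SSLDIR="${SSLDIR:-/etc/puppetlabs/puppet/ssl}"
AUTH_CONF="${AUTH_CONF:-/etc/puppetlabs/puppetserver/conf.d/auth.conf}"
RBAC_WL="${RBAC_WL:-/etc/puppetlabs/console-services/rbac-certificate-whitelist}"

# whitelist_has FILE NAME: true when NAME is a whole line of FILE (step 8)
whitelist_has() { grep -qxF "$2" "$1" 2>/dev/null; }

# cert_files_present NAME SSLDIR: true when the API cert, private key and
# CA cert that the SovLabs form asks for are all readable
cert_files_present() {
  [ -r "$2/certs/$1.pem" ] && [ -r "$2/private_keys/$1.pem" ] && [ -r "$2/ca/ca_crt.pem" ]
}

# authconf_allows FILE NAME: true when the rule object whose path is
# /puppet-ca/v1/certificate_status lists "NAME" in its allow list (step 6).
# Brace depth is tracked so the nested match-request object stays inside
# the rule: rule objects open at depth 1 and close back down to it.
authconf_allows() {
  awk -v name="\"$2\"" '
    { line = $0
      opens = gsub(/[{]/, "{", line); closes = gsub(/[}]/, "}", line)
      if (depth == 1 && opens > closes) block = ""
      if (depth >= 2) block = block $0 "\n"
      depth += opens - closes
      if (depth == 1 && closes > opens &&
          index(block, "/puppet-ca/v1/certificate_status") > 0 &&
          index(block, name) > 0) found = 1 }
    END { exit (found ? 0 : 1) }' "$1"
}

# Only read the live master's files when invoked with "check", so the
# functions can be sourced or exercised on constructed files safely.
if [ "${1:-}" = "check" ]; then
  rc=0
  cert_files_present "$CERTNAME" "$SSLDIR" || { echo "FAIL: SSL files for $CERTNAME missing"; rc=1; }
  whitelist_has "$RBAC_WL" "$CERTNAME"     || { echo "FAIL: $CERTNAME not in $RBAC_WL"; rc=1; }
  authconf_allows "$AUTH_CONF" "$CERTNAME" || { echo "FAIL: $CERTNAME not allowed in $AUTH_CONF"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: $CERTNAME may use the Puppet CA and console APIs"
  exit "$rc"
fi
```

Run it as root on the master with `sh check_vro_cert.sh check`; a non-zero exit points at the step that still needs attention.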

Provisioning Windows VMs

If you plan to provision Windows VMs with Puppet Enterprise, you will need a method to connect to the VM to install the agent. You can choose to use the VMware Tools option or the WinRM option when you configure your SovLabs Foreman Agent configuration.

VMware Tools Option
  1. Create a SovLabs vCenter Endpoint (required)
  2. Create the Puppet Agent with vmware-tools as the Connection Type on the Puppet Agent Configuration tab.

WinRM Option
To connect to a VM using WinRM, you must configure WinRM on the target server. We have provided a script that does all the needed configurations on the target to enable WinRM. Your environment may have GPOs that affect these permissions, so check with your Windows administrator for any questions on this.
  1. Download the activateWinRM.ps1 script.
  2. Put the activateWinRM.ps1 script into a share OR incorporate it into your Windows Template in vCenter.
  3. In your Customization Specification, call the activateWinRM.ps1 script in the Run Once section.

Using activateWinRM.ps1 from a share location:

cmd /c powershell -executionpolicy Bypass -noninteractive -file //

Using a local copy of activateWinRM.ps1 in the template:

cmd /c powershell -executionpolicy Bypass -noninteractive -file c:\example_dir\activateWinRM.ps1