Puppet Enterprise 2.7 - Error 400 on Server - Error 403 on Server - Can't puppet agent -t without the following error?

Question

Running into an issue using two VM's running REL6. I set up the master and agent correctly and was able to cert the agent. When I go to run:

puppet agent -t

On the agent, I receive the following error:

info: Retrieving plugin
info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/root_home.rb
info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/concat_basedir.rb
info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/custom_auth_conf.rb
info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/facter_dot_d.rb
info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/puppet_vardir.rb
info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/pe_version.rb
err: Could not retrieve catalog from remote server: Error 400 on SERVER: Error 403 on
SERVER: Forbidden request: <MASTER>(IPAddress) access to /facts/<AGENT> [save]
authenticated  at line 56
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

So I went into the Auth.conf file on the master to play with a few things:

path ~ ^/catalog/([^/]+)$
method find
auth yes
allow $1

path ~ ^/node/([^/]+)$
method find
auth yes
allow $1

path  /certificate_revocation_list/ca
method find
auth yes
allow *

path  /report
method save
auth yes
allow *

path  /file
auth yes
allow *

path  /certificate/ca
method find
auth any
allow *

path  /certificate/
method find
auth any
allow *

path  /certificate_request
method find, save
auth any
allow *

path  /certificate_status
method find, search, save, destroy
auth yes
allow pe-internal-dashboard

path  /
auth any

Within the above code, I've added the following, but with no prevail:

path /facts/
auth any
method find, search
allow *

I've looked high and low all over and I can't seem to find out what the problem is. If anyone has any idea on how to fix this issue, I'd be greatly appreciative.

Thanks again!

Answer 1

Make sure that the section allowing access to facts:

path /facts
auth any
method find, search
allow *

appears before

# this one is not stricly necessary, but it has the merit
# to show the default policy which is deny everything else
path /
auth any

As can be seen by the comment, this effectively denies access to everything else, so it should appear the last.

Also, make sure you check the section "Enabling Inventory Support" in the Puppet Dashboard Configuration Manual for other changes you might need to make to your files.

Answer 2

When you run sudo ./puppet-enterprise-install you MUST answer y or accept the default to this question:

-> console

The console is a web interface for viewing reports, classifying nodes, directly managing resources, controlling Puppet runs, and invoking MCollective agents.
It should usually be installed on the puppet master server, but can also installed separately.

?? Install the console? [Y/n] 

Also try and have mysql root account setup so you know the password for the root@localhost mysql account.