Accessing the console

The console is the web interface for Puppet Enterprise.

Use the console to:

  • Manage node requests to join the Puppet deployment.
  • Assign Puppet classes to nodes and groups.
  • Run Puppet on specific groups of nodes.
  • View reports and activity graphs.
  • Browse and compare resources on your nodes.
  • View package and inventory data.
  • Manage console users and their access privileges.

Reaching the console

The console is served as a website over SSL, on whichever port you chose when installing the console component.

Let's say your console server is If you chose to use the default port (443), you can omit the port from the URL and reach the console by navigating to

If you chose to use port 8443, you reach the console at

Remember: Always use the https protocol handler. You cannot reach the console over plain http.

Accepting the console's certificate

The console uses an SSL certificate created by your own local Puppet certificate authority. Because this authority is specific to your site, web browsers won't know it or trust it, and you must add a security exception in order to access the console.

Adding a security exception for the console is safe to do. Your web browser warns you that the console's identity hasn't been verified by one of the external authorities it knows of, but that doesn't mean it's untrustworthy. Because you or another administrator at your site is in full control of which certificates the Puppet certificate authority signs, the authority verifying the site is you.

When your browser warns you that the certificate authority is invalid or unknown:

  • In Chrome, click Advanced, then Proceed to <CONSOLE ADDRESS>.

  • In Firefox, click Advanced, then Add exception.

  • In Internet Explorer or Microsoft Edge, click Continue to this website (not recommended).

  • In Safari, click Continue.

Logging in

Accessing the console requires a username and password.

If you are an administrator setting up the console or accessing it for the first time, use the username and password you chose when you installed the console. Otherwise, get credentials from your site's administrator.

Because the console is the main point of control for your infrastructure, it is a good idea to prohibit your browser from storing the login credentials.

Generate a user password reset token

When users forget passwords or lock themselves out of the console by attempting to log in with incorrect credentials too many times, you need to generate a password reset token.

  1. In the console, on the Access control page, click the Users tab.
  2. Click the name of the user who needs a password reset token.
  3. Click Generate password reset. Copy the link provided in the message and send it to the user.

Reset the console administrator password

If you're unable to log in to the console as admin, you can change the password from the command line of the node running console services.

Log in as root to the node running console services (usually your primary server) and reset the console admin password:
puppet infrastructure console_password --password=<MY_PASSWORD>

Troubleshooting login to the PE admin account

If your directory contains multiple users with a login name of "admin," the PE admin account is unable to log in.

If you are locked out of PE as the admin user and there are no other users with administrator access who you can ask to reset the access control settings in the console, SSH into the box and use curl commands to reset the directory service settings.

For a box named centos7 the curl call looks like this:

type_header='Content-Type: application/json'
cert="$(puppet config print hostcert)"
cacert="$(puppet config print localcacert)"
key="$(puppet config print hostprivkey)"
uri="https://$(puppet config print server):4433/rbac-api/v1/ds"

curl --header "$type_header" --cert "$cert" --cacert "$cacert" --key "$key" --request PUT "$uri" --data "$data"

See Usage notes for curl examples for information about forming curl commands.

Create a custom login disclaimer

Add a custom banner users see on the login page when accessing the console. For example, add a disclaimer about authorized or unauthorized use of private information that is accessible in the console.

  1. Create a disclaimer.txt file containing the disclaimer content.
  2. Add the document to /etc/puppetlabs/console-services
    Note: You can use the console to change the path for the disclaimer file by configuring the puppet_enterprise::profile::console::disclaimer_content_path.
  3. Log in to the console to view the new banner.