All HowTo's Ansible & Terraform Automation Linux Redhat, Fedora and CentOS Linux Web Servers

Install Puppet Server & Client on Redhat & CentOS 6

This article explains how to install the Puppet server (also known as the PuppetMaster) and client on a Redhat or CentOS server. Note that Puppet uses TCP ports 8140, 61613, and 443.

First add the Puppet repo on both the puppet client and server systems. The following link has several links depending on your distribution.

On the Puppet master, run these commands:

yum install puppetserver -y
chkconfig puppetserver on
service puppetserver start

On the master, you should have the following directory structure. It may be different from what you see here:


And on the client:

The client must know where the Puppet master is. You can use the “/etc/hosts” file. Puppet does rely on good DNS:

# is the puppet master server IP address puppet puppet.agix.local

Install and start services on the client:

yum install puppet -y
chkconfig puppet on
service puppet start

Get the client to check-in with the server:

puppet agent --test

TIP: if you get errors that you simply can’t solve, try issuing the following commands to delete your certificates from the puppet client. It shouldn’t be necessary but sadly it often is. Also make sure that you tell the server to accept the puppet client’s certificate. That’s documented in the next section.

rm /var/lib/puppet/ssl/certificate_requests/*
rm /var/lib/puppet/ssl/certs/*

And you should run the following command:

puppet agent --test

On the server, issue the following command to accept the pending client certificate:

puppet cert sign

If you get nothing from the above command, check the firewall(s), check the DNS and check that the Puppet Master is running.

At this point you have a working Puppet client and server. However, there is nothing for the Puppet Master to instruct the client to do. So lets force the client to install the “nmap” program – as an example.

On the server, create the following directory if it doesn’t already exit:

mkdir /etc/puppet/manifests

Now create the manifest file “/etc/puppet/manifests/site.pp” and put the following into that file. TIP: make sure to use the FQDN of the client on the ‘node’ line.

node '' {
        include nmap
        include apache

class nmap {
        package { "nmap":
                ensure => "5.51",
class apache {
        package { "httpd":
                ensure => "2.2.154",
        service { "httpd":
                ensure => running,
                enable => true,

Restart the master:

service puppetmaster restart

You can also install packages that require RPM’s to be installed first:

class varnish {
        exec { "varnish-source":
                command => "/bin/rpm -Uvh",
        package { "varnish":
                ensure => "3.0.4",
        service { "varnish":
                ensure => running,
                enable => true,

Because puppet is so likely to fail because of the SSL side of things, i’ve included my commands below along with some errors and what i did about it:

[root@client ~]# nmap
-bash: nmap: command not found
[root@client ~]# puppet agent --test
Exiting; no certificate found and waitforcert is disabled
[root@client ~]# rm /var/lib/puppet/ssl/certificate_requests/*
[root@client ~]# rm /var/lib/puppet/ssl/certs/*
[root@client ~]# puppet agent --test
info: Caching certificate for ca
info: Creating a new SSL certificate request for
info: Certificate Request fingerprint (md5): 40:D6:15:3A:72:96:D2:33:45:B3:5B:4B:8E:C1:A7:35
Exiting; no certificate found and waitforcert is disabled

And then on the puppet server:

[root@server]# puppet cert sign

And back on the client:

[root@client ~]# puppet agent --test
info: Caching certificate for
info: Caching certificate_revocation_list for ca
info: Caching catalog for
info: Applying configuration version '1392031971'
err: /Stage[main]/Nmap/Package[nmap]/ensure: change from absent to 5.51 failed: Could not update: Failed to update to version 5.51, got version 5.51-3.el6 instead at /etc/puppet/manifests/site.pp:17
notice: Finished catalog run in 39.83 seconds
[root@client ~]# nmap -V
Nmap 5.51 ( )