Puppet agent: Exiting; no certificate found and waitforcert is disabled – Solution

The Puppet agent is a crucial component in a Puppet-managed infrastructure, responsible for applying configurations from the Puppet master. However, when the agent fails with the error “Exiting; no certificate found and waitforcert is disabled,” it can disrupt the automation process. This error indicates that the Puppet agent cannot find a valid SSL certificate and that it is not set to wait for the certificate to be signed by the Puppet master.

In this tutorial you will learn:

  • Understanding the “No Certificate Found” Error
  • How to Enable waitforcert in Puppet Agent
  • Manually Signing Puppet Agent Certificates
  • Configuring Auto-Signing of Certificates
  • Troubleshooting Hostname and DNS Issues

Software Requirements and Linux Command Line Conventions

| Category | Requirements, Conventions or Software Version Used |
|---|---|
| System | Linux/Unix system |
| Software | Puppet agent and Puppet master |
| Other | Basic knowledge of Puppet and SSL certificates |
| Conventions | `#` – requires given Linux commands to be executed with root privileges, either directly as the root user or by use of the `sudo` command<br>`$` – requires given Linux commands to be executed as a regular non-privileged user |

Understanding the “No Certificate Found” Error

When the Puppet agent starts, it attempts to establish a secure communication channel with the Puppet master by using SSL certificates. The agent generates a certificate signing request (CSR) and sends it to the master, which then needs to sign the certificate. The error “Exiting; no certificate found and waitforcert is disabled” occurs when the agent does not receive the signed certificate and is configured not to wait for it. This can happen for several reasons, such as misconfigurations or network issues.

  1. Enabling waitforcert in Puppet Agent: The `waitforcert` setting in Puppet controls how long the agent will wait for the Puppet master to sign its certificate. By enabling this setting, you allow the agent to wait for a specified time before giving up.
    [agent]
    waitforcert = 60

    In the example above, the Puppet agent will wait for 60 seconds for the certificate to be signed. This setting can be added or modified in the puppet.conf file, typically located in /etc/puppetlabs/puppet/puppet.conf or /etc/puppet/puppet.conf.

  2. Manually Signing Puppet Agent Certificates: If the `waitforcert` option is disabled, you can manually sign the agent’s certificate on the Puppet master.
    # puppetserver ca list --all
    # puppetserver ca sign --certname AGENT_CERTNAME
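    Or sign all pending requests (on Puppet 5 and earlier, the equivalent command is `puppet cert sign --all`):
    # puppetserver ca sign --all

    This process involves checking for pending certificate requests and manually signing the specific certificate for the agent, where AGENT_CERTNAME is the hostname of the agent requesting the certificate. Review the pending list before using `--all`, because it signs every outstanding request.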

  3. Configuring Auto-Signing of Certificates: In trusted environments, you can configure the Puppet master to automatically sign certificates for specific agents, reducing the need for manual intervention.
    # vim /etc/puppetlabs/puppet/autosign.conf

    Add the hostnames or patterns of the agents you want to auto-sign in the autosign.conf file. For example, *.example.com will allow all agents from the domain example.com to be automatically signed.



  4. Troubleshooting Hostname and DNS Issues: Ensure that the agent’s hostname is correctly configured and resolvable by the Puppet master. Misconfigured DNS or hostname settings can prevent the agent from successfully communicating with the master.
    $ hostname
    $ nslookup HOSTNAME

    Verify that the agent and master can resolve each other’s hostnames correctly. Proper DNS configuration is crucial for successful SSL communication between the Puppet agent and master.
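
For step 3, an added example (not from the original tutorial or the Puppet project) that reports which pending certnames a given autosign.conf would sign. It assumes the documented allowlist rule, in which a leading `*` stands for one or more subdomain labels and a lone `*` matches everything; the function names and sample data are constructed for illustration.

```python
# Added example: audit what an autosign.conf allowlist would sign.
# The matching rule is re-implemented here as an assumption based on the
# documented allowlist behaviour; it is not Puppet's own code.

def parse_autosign(text):
    """Return allowlist entries, skipping blank lines and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip().lower()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries

def entry_matches(entry, certname):
    """Exact certname match, or a leading '*' standing for one or more
    subdomain labels. A lone '*' matches every certname."""
    certname = certname.lower()
    if entry == "*":
        return True
    if entry.startswith("*."):
        suffix = entry[1:]  # "*.example.com" -> ".example.com"
        if not certname.endswith(suffix):
            return False
        # The part replaced by '*' must consist of non-empty labels.
        return all(certname[: -len(suffix)].split("."))
    return entry == certname

def audit(autosign_text, certnames):
    """Map each certname to the entry that would auto-sign it, or None."""
    entries = parse_autosign(autosign_text)
    return {n: next((e for e in entries if entry_matches(e, n)), None)
            for n in certnames}

def wildcard_entries(autosign_text):
    """Entries that trust a whole name space rather than a single node."""
    return [e for e in parse_autosign(autosign_text) if e.startswith("*")]

# Constructed sample data (not from a real deployment).
SAMPLE_AUTOSIGN = "# constructed sample\nweb01.example.com\n*.build.example.com\n"
SAMPLE_PENDING = ["web01.example.com", "ci7.build.example.com",
                  "a.b.build.example.com", "build.example.com",
                  "db01.example.com", "web01.example.com.other.test"]

if __name__ == "__main__":
    for name, rule in audit(SAMPLE_AUTOSIGN, SAMPLE_PENDING).items():
        verdict = f"auto-signed via {rule}" if rule else "needs manual signing"
        print(f"{name:32} {verdict}")
    print("wildcard entries to review:", wildcard_entries(SAMPLE_AUTOSIGN))
```

Because the certname is chosen by the requesting agent, each wildcard entry deserves review: any host that can reach the CA and request a name under that domain is signed without inspection.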

Conclusion

Encountering the “No Certificate Found and waitforcert is Disabled” error in Puppet can be challenging, but with the steps outlined in this tutorial, you can troubleshoot and resolve the issue effectively. By understanding the certificate signing process and ensuring proper configurations on both the agent and master, you can maintain a smooth and secure Puppet infrastructure.


