Auto Sign Puppet Agent Certificates Without Manual Approval

-

How to Enable Autosign for Puppet Agents

If you're looking to automate the certificate signing process for Puppet agents, follow these tested and verified steps based on a real support case.

Step 1: Enable Autosign on the Primary Server

Edit the Puppet configuration file on your Primary Server:

sudo nano /etc/puppetlabs/puppet/puppet.conf

Add line "autosign = true" under the [main] section:

[main]
certname = puppet-master.example.com
server = puppet-master.example.com
user = pe-puppet
group = pe-puppet
environment_timeout = 0
module_groups = base+pe_only
autosign = true

Save and exit the file.

Step 2: Clean the Agent Certificate on Primary

To remove any conflicting certificate on the primary server, run:

puppetserver ca clean --certname agent-node.example.com

Replace agent-node.example.com with your actual agent's FQDN.

Step 3: Clean SSL Certs on the Agent Node

Now go to the agent node and clean its certificates:

puppet ssl clean

Do not run this command on the Primary server.

Step 4: Trigger Puppet Agent Run

On the same agent node, trigger a manual run:

puppet agent -t

If everything is set correctly, the agent will auto-sign and connect to the master.

Note

Cleaning certificates is only required for previously registered agents. For new nodes (especially from domains like *.example.com), this step won't be needed again.

Comments

Post a Comment

Popular Posts

Why SELinux Is Blocking Your Service (and How to Fix It)

-
Troubleshooting SELinux-Related Issues in Linux Running services with SELinux enabled can sometimes lead to unexpected denials or blocked actions—especially if SELinux was previously disabled or the service is configured in a non-standard way. In most cases, SELinux issues are the result of misconfigured contexts, policies, or port bindings. Here's a step-by-step approach to diagnose and fix SELinux-related problems while keeping your system secure. Check SELinux Status and Mode Start by verifying that SELinux is active on your system: # sestatus Look for: SELinux status: enabled Current mode: enforcing or permissive To test if SELinux is causing a problem, temporarily switch to permissive mode: # setenforce 0 # Logs denials but doesn’t block actions # setenforce 1 # Reverts to enforcing mode If the issue disappears in permissive mode, SELinux is likely the root cause. Look for SELinux Denials i...
Read more

Puppet Code Deploy Troubleshooting & Resolution Guide

-
Initial Problem I was setting up Puppet Enterprise and trying to push code using the trusted puppet code deploy command. But instead of a clean deployment, I got this surprise: puppet code deploy --dry-run And boom — this lovely error shows up: [POST /deploys][500] Errors while collecting a list of environments to deploy (exit code: 1). ERROR -> failed to stat '/var/opt/lib/pe-puppet/.gitconfig' So... what gives? Turns out this issue is part permissions, part SSH trust, and part “who ran this command and as which user.” But don’t worry — I’ll walk through all root causes and their real-world fixes step by step. Root Cause #1: Directory Permission What Happened: The directory /var/opt/lib was locked down with drwx------ (700) and owned by root . User pe-puppet couldn’t even step inside it. Since r10k runs as pe-puppet , it failed trying to read .gitconfig . The Fix: chmod 711 /var/opt/lib Why: This lets pe-puppet enter the folder ...
Read more

Fix: SSH Permission Denied Issue | Real Solution

-
1. Verify SSH Command and Key Usage Use the correct private key with -i : ssh -i ~/.ssh/your_private_key user@host Ensure the key is not passphrase-protected (or enter the passphrase correctly). 2. Check Key Generation and Deployment Regenerate Keys (if unsure): ssh-keygen -t ed25519 -C "your_email@example.com" # Prefer ed25519 Ed25519 uses elliptic curve cryptography (Edwards-curve Digital Signature Algorithm) and provides 128-bit security (equivalent to RSA-3072 or RSA-4096) with a 256-bit key. Copy the Public Key to the Server: ssh-copy-id -i ~/.ssh/your_public_key user@host If ssh-copy-id isn’t available, manually append the public key to ~/.ssh/authorized_keys on the server. 3. Fix File/Directory Permissions On the Server: chmod 700 ~/.ssh chmod 600 ~/.ssh/authorized_keys chmod go-w ~ # Home directory should not be world-writable On the Client (Local Machine): chmod 600 ~/.ssh/your_private_key 4. Check SSH Server Configuration Edit /etc/ssh/s...
Read more