In my current workplace, I am currently hunting a weird heisenbug. In
about two out of ten machine builds, the puppet certificate doesn't
We create the host via the foreman API, the host goes into build mode
in foreman. Foreman writes the FQDN to /etc/puppet/autosign.conf, the
host installation begins. After the installation, the first puppet run
If things go fine, the host creates its certificate request, submits
it to the puppet server (running on the same host as our foreman), the
puppet CA signs the request, the FQDN is deleted from autosign.conf
and we're happy.
In the other case, the host creates its certificate request, submits
it to the puppet server, and the puppet CA fails to autosign the cert.
The host stays put, waiting for the signed certificate, the build in
foreman eventually times out. One can manually issue puppet cert sign
FQDN, and the build continues automatically if the manual signing
happened before the build has timed out in foreman.
This behavior is not tied to the host or the host definition, exactly
the same build submitted via the foreman API can succeed once and fail
the next time around and succeed in the third build again.
While my gut feeling says that this might be an issue with puppet
instead of foreman. Why am I asking this here? Frankly, I don't know.
Can anybody explain how puppet CA monitors the certificate signing
requests? Is that a cronjob or a daemon?
Any ideas what might be going wrong here, and where to touch?
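
An added diagnostic example, not part of the original post and not Foreman or Puppet code: it checks whether the certnames of pending requests are covered by the contents of autosign.conf at the moment a build is stuck. The matching rules (one entry per line, blank and `#` lines skipped, a leading `*.` as a domain glob) are a simplified assumption, and the sample file contents and host names are constructed.

```python
"""Check which pending certnames autosign.conf content would cover (added example)."""


def autosign_entries(conf_text):
    """Return active entries: one per line, blank lines and # comments skipped."""
    entries = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(line.lower())
    return entries


def entry_matches(entry, certname):
    """Literal entries must equal the certname; '*.domain' entries match by suffix."""
    name = certname.strip().lower()
    if entry.startswith("*."):
        suffix = entry[1:]  # e.g. ".build.example.com"
        return name.endswith(suffix) and len(name) > len(suffix)
    return entry == name


def is_autosignable(conf_text, certname):
    """True if any active entry covers the certname (assumed matching rules)."""
    return any(entry_matches(e, certname) for e in autosign_entries(conf_text))


def unmatched_requests(conf_text, pending_certnames):
    """Pending certnames that no autosign.conf entry covers."""
    return [c for c in pending_certnames if not is_autosignable(conf_text, c)]


# Constructed sample: autosign.conf content and pending request names.
SAMPLE_CONF = """\
# entries written by the provisioning system (constructed sample)
web01.example.com

*.build.example.com
"""
SAMPLE_PENDING = ["web01.example.com", "db07.example.com", "n1.build.example.com"]

if __name__ == "__main__":
    for certname in unmatched_requests(SAMPLE_CONF, SAMPLE_PENDING):
        print("pending but not covered by autosign.conf:", certname)
```

Feeding it the real file contents and the list of pending certnames while a build is waiting shows whether the FQDN was present in autosign.conf at that point.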