Puppet Master CA not accepting new Cert Requests

Let me preface this with a disclaimer: I don't know if this is related to Foreman or not.

After setting up Foreman with a Standalone Puppet Master (as CA) everything is working fine for existing nodes, they are reporting and facts are both going to Foreman.

What is going on now is I cannot add any new hosts. They are failing to get an SSL cert from the puppet master and I cannot figure out why!

From the agent, after cleaning all SSL certs on both sides (puppet master and node), I get this:

[root@myhost ssl]# puppet agent -t
Info: Creating a new SSL key for myhost.domain.com
Error: Could not request certificate: No content type in http response; cannot parse
Exiting; failed to retrieve certificate and waitforcert is disabled

Puppet Master access log:

10.64.80.235 - - [04/Nov/2019:15:39:54 +0800] "GET /puppet-ca/v1/certificate/ca?environment=production&fail_on_404=true HTTP/1.1" 404 0 "-" "Puppet/5.5.2 Ruby/2.4.4-p296 (x86_64-linux)" 0
10.64.80.235 - - [04/Nov/2019:15:41:54 +0800] "GET /puppet-ca/v1/certificate/ca?environment=production&fail_on_404=true HTTP/1.1" 404 0 "-" "Puppet/5.5.2 Ruby/2.4.4-p296 (x86_64-linux)" 1

Has anyone come across this before?

My puppet.conf looks like this:

[main]
    basemodulepath = /etc/puppetlabs/code/environments/common:/etc/puppetlabs/code/modules:/opt/puppetlabs/puppet/modules:/usr/share/puppet/modules
    certname = puppet.domain
    codedir = /etc/puppetlabs/code
    environmentpath = /etc/puppetlabs/code/environments
    hiera_config = $confdir/hiera.yaml
    hostprivkey = $privatekeydir/$certname.pem { mode = 640 }
    logdir = /var/log/puppetlabs/puppet
    pluginfactsource = puppet:///pluginfacts
    pluginsource = puppet:///plugins
    privatekeydir = $ssldir/private_keys { group = service }
    reports = foreman
    rundir = /var/run/puppetlabs
    server = puppet.domain
    show_diff = false
    ssldir = /etc/puppetlabs/puppet/ssl
    vardir = /opt/puppetlabs/puppet/cache

[agent]
    classfile = $statedir/classes.txt
    default_schedules = false
    environment = production
    listen = false
    localconfig = $vardir/localconfig
    masterport = 8140
    noop = false
    report = true
    runinterval = 1800
    splay = false
    splaylimit = 1800
    usecacheonfailure = true

[master]
    autosign = /etc/puppetlabs/puppet/autosign.conf { mode = 0664 }
    ca = true
    certname = puppet.domain
    external_nodes = /etc/puppetlabs/puppet/node.rb
    logdir = /var/log/puppetlabs/puppetserver
    node_terminus = exec
    parser = current
    rundir = /var/run/puppetlabs/puppetserver
    ssldir = /etc/puppetlabs/puppet/ssl
    strict_variables = false
    vardir = /opt/puppetlabs/server/data/puppetserver

One thing I did notice was this:
autosign = /etc/puppetlabs/puppet/autosign.conf { mode = 0664 }
That file does not exist. I am not sure where that value came from. I changed it to ‘false’ but that didn't make any difference.

Thanks in advance if there is someone that knows what is going on here. I’ve been at it for a day now and it has me boggled!

This was the foreman-proxy install I ran on the “Stand Alone Puppet Master”. Is there anything wrong here that would stop the master receiving new cert requests?

foreman-installer \
  --no-enable-foreman \
  --no-enable-foreman-cli \
  --enable-puppet \
  --puppet-server-ca=false \
  --puppet-server-foreman-url=https://fman01v.domain.com \
  --enable-foreman-proxy \
  --foreman-proxy-puppetca=false \
  --foreman-proxy-tftp=false \
  --foreman-proxy-foreman-base-url=https://fman01v.domain.com \
  --foreman-proxy-trusted-hosts=fman01v.domain.com \
  --foreman-proxy-oauth-consumer-key=secret \
  --foreman-proxy-oauth-consumer-secret=secret

I'm going to revert to a snapshot pre foreman-proxy install on the Puppet Master. I want the Puppet Master to also be the CA Server. Can someone confirm this is the right set of options:

foreman-installer \
  --no-enable-foreman \
  --no-enable-foreman-cli \
  --enable-puppet \
  --puppet-server-ca=false \
  --puppet-server-foreman-url=https://fman01v.domain.com \
  --enable-foreman-proxy \
  --foreman-proxy-puppetca=false \
  --foreman-proxy-tftp=false \
  --foreman-proxy-foreman-base-url=https://fman01v.domain.com \
  --foreman-proxy-trusted-hosts=fman01v.domain.com \
  --foreman-proxy-oauth-consumer-key=secret \
  --foreman-proxy-oauth-consumer-secret=secret

Thanks guys!

These are literally the opposite. The scenario you’re installing is where another server (like the Foreman server) is the Puppet CA.

Thanks, yeah I was looking at those and thinking that can't be right.

Do I just make these two = true?
Or is there more that needs adjusting? The manual install steps are really helpful, they just didn't specify which was going to be the CA… and I came unstuck.
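An added example, not part of the thread and not Foreman or Puppet code: a small parser for access-log lines in the format quoted above that separates 404s for the CA certificate itself (`/puppet-ca/v1/certificate/ca`, the symptom in this thread) from 404s for a node's own certificate. It assumes, from general Puppet behaviour rather than from anything stated in the thread, that a per-node 404 usually just means the request is not signed yet; the function name and the last two sample lines are constructed.

```python
import re
from collections import defaultdict

# Access-log line layout as quoted in the thread (client, timestamp, request, status).
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

CERT_ROUTE = "/puppet-ca/v1/certificate/"

# First two lines are from the thread; the last two are constructed for contrast.
SAMPLE_LOG = '''
10.64.80.235 - - [04/Nov/2019:15:39:54 +0800] "GET /puppet-ca/v1/certificate/ca?environment=production&fail_on_404=true HTTP/1.1" 404 0 "-" "Puppet/5.5.2 Ruby/2.4.4-p296 (x86_64-linux)" 0
10.64.80.235 - - [04/Nov/2019:15:41:54 +0800] "GET /puppet-ca/v1/certificate/ca?environment=production&fail_on_404=true HTTP/1.1" 404 0 "-" "Puppet/5.5.2 Ruby/2.4.4-p296 (x86_64-linux)" 1
192.0.2.10 - - [04/Nov/2019:15:42:10 +0800] "GET /puppet-ca/v1/certificate/node2.example.test?environment=production&fail_on_404=true HTTP/1.1" 404 0 "-" "Puppet/5.5.2 Ruby/2.4.4-p296 (x86_64-linux)" 1
192.0.2.11 - - [04/Nov/2019:15:43:00 +0800] "GET /puppet/v3/node/node3.example.test?environment=production HTTP/1.1" 200 512 "-" "Puppet/5.5.2 Ruby/2.4.4-p296 (x86_64-linux)" 20
'''

def classify_ca_404s(lines):
    """Return (ca_cert_missing, node_cert_missing) as {client: count} dicts.

    ca_cert_missing: 404 for the CA certificate itself, i.e. this server
    is not answering as a CA (the failure shown in the thread).
    node_cert_missing: 404 for a named node certificate (assumed to be an
    unsigned or unknown request rather than a broken CA).
    """
    ca_cert_missing = defaultdict(int)
    node_cert_missing = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "404":
            continue
        path = m["path"].split("?", 1)[0]  # drop the query string
        if not path.startswith(CERT_ROUTE):
            continue
        name = path[len(CERT_ROUTE):]
        bucket = ca_cert_missing if name == "ca" else node_cert_missing
        bucket[m["client"]] += 1
    return dict(ca_cert_missing), dict(node_cert_missing)

if __name__ == "__main__":
    ca_missing, node_missing = classify_ca_404s(SAMPLE_LOG.splitlines())
    print("CA certificate not served to:", ca_missing)
    print("Node certificate not found for:", node_missing)
```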