Puppetca autosign token is deleted before being used

Problem:

My problem seems to be that the puppet_setup snippet isn’t correctly sending a CSR to my puppetmaster during the preseed_default_finish provisioning template.

The result is that during the build process, my foreman smart proxy creates an autosign entry for the host, but then this autosign entry is deleted before the puppet agent sends its certificate to the puppetmaster for signing. I therefore have to sign all puppet certs manually, after the newly deployed host has rebooted, before it does its first full puppet run.

I have discovered the run-puppet-in-installer parameter, along with the note:

IMPORTANT NOTE: Setting “run-puppet-in-installer” is UNSUPPORTED!
The default mode of operation in Foreman is only to set up Puppet, but to not run it inside the installer environment.

What does to set up puppet mean in this case? Isn’t it supposed to generate a CSR and send it to the server for autosigning?

I’ve never used the run-puppet-in-installer parameter before, but this always used to work for me throughout multiple foreman versions, so I’m intrigued as to why it has suddenly stopped working.

Because I don’t have that parameter set, the puppet_setup snippet is running these commands during the finish script.

# passing a non-existent tag like "no_such_tag" to the puppet agent only initializes the node
/opt/puppetlabs/bin/puppet agent --config /etc/puppetlabs/puppet/puppet.conf --onetime --tags no_such_tag --server my.puppetmaster.server --no-daemonize
/opt/puppetlabs/bin/puppet resource service puppet enable=true

…but no CSR arrives at the puppetmaster until the host is rebooted and the service is started for the first time. I hope someone can tell me how this is supposed to work and what might have changed to make it stop working.

For the record, I have tried using both the hostname and token based whitelist methods of autosigning. I think they’re both working. It’s just that the CSR doesn’t get sent by the agent before the autosign entry is deleted by the smart proxy.

Expected outcome:

Initialization of the puppet agent on the newly deployed hosts sends a CSR to the puppetmaster, which is automatically signed. First puppet run to apply the manifests happens after the reboot.

Foreman and Proxy versions:

  • foreman: 1.24.2
  • foreman-proxy: 1.24.2
  • puppet agent: 5.5.18 AIO
  • foreman server O/S: Debian stretch

I worked out the answer to this in the end. So just in case anybody stumbles across this, I’ll share it.
The reason for it was the http-proxy variable that I was passing in for use in the debian-installer.

It seems to have been set to the HTTP_PROXY environment variable, which the puppet agent was using. On my first puppet run it was trying to use this proxy, then getting a 403 error.

It proceeded to call the built URL, at which point the autosign entry was deleted. Mystery solved.

2 Likes

Thank you for sharing this! This was indeed our issue as well.