Puppetca autosign token is deleted before being used

Problem:

My problem seems to be that the puppet_setup snippet isn’t correctly sending a CSR to my puppetmaster during the preseed_default_finish provisioning template.

The result is that during the build process, my foreman smart proxy creates an autosign entry for the host, but then this autosign entry is deleted before the puppet agent sends its certificate to the puppetmaster for signing. I therefore have to sign all puppet certs manually, after the newly deployed host has rebooted, before it does its first full puppet run.

I have discovered the run-puppet-in-installer parameter, along with the note:

IMPORTANT NOTE: Setting “run-puppet-in-installer” is UNSUPPORTED!
The default mode of operation in Foreman is only to set up Puppet, but to not run it inside the installer environment.

What does to set up puppet mean in this case? Isn’t it supposed to generate a CSR and send it to the server for autosigning?

I’ve never used the run-puppet-in-installer parameter before, but this always used to work for me throughout multiple foreman versions, so I’m intrigued as to why it has suddenly stopped working.

Because I don’t have that parameter set, the puppet_setup snippet is running these commands during the finish script.

# passing a non-existent tag like "no_such_tag" to the puppet agent only initializes the node
/opt/puppetlabs/bin/puppet agent --config /etc/puppetlabs/puppet/puppet.conf --onetime --tags no_such_tag --server my.puppetmaster.server --no-daemonize
/opt/puppetlabs/bin/puppet resource service puppet enable=true

…but no CSR arrives at the puppetmaster until the host is rebooted and the service is started for the first time. I hope someone can tell me how this is supposed to work and what might have changed to make it stop working.

For the record, I have tried using both the hostname and token based whitelist methods of autosigning. I think they’re both working. It’s just that the CSR doesn’t get sent by the agent before the autosign entry is deleted by the smart proxy.

Expected outcome:

Initialization of the puppet agent on the newly deployed hosts sends a CSR to the puppetmaster, which is automatically signed. First puppet run to apply the manifests happens after the reboot.

Foreman and Proxy versions:

  • foreman: 1.24.2
  • foreman-proxy: 1.24.2
  • puppet agent: 5.5.18 AIO
  • foreman server O/S: Debian stretch