Ask Your Question

policy-based autosigning not working

asked 2016-08-30 09:44:23 -0600

Arioch gravatar image


I'm trying to get autosign to work on Puppet 4.

This is - among other things - what I've tried so far:

root@puppet:~# puppet config set --section master autosign /opt/puppetlabs/bin/autosign
root@puppet:~# puppet config set --section master autosign /bin/true
root@puppet:~# puppet config set --section master autosign true
root@puppet:~# puppet config set autosign true

The /opt/puppetlabs/bin/autosign script is executable and owned by puppet. As this didn't work as expected I've tried "/bin/true" - which is world executable - and even non-policy-based "true" instead.

Before each test I've run the usual stanza:

root@puppet:~# systemctl restart puppetserver
root@puppet:~# puppet node clean <agent>
root@agent:~# find /etc/puppetlabs/puppet/ssl -type f -delete
root@agent:~# puppet agent --test --noop --waitforcert 5

... all to no avail so far.

Am I editing the wrong config file?

My test environment:

  • distro: ubuntu 16.04
  • puppetserver: 2.4.0
  • puppet-agent: 1.5.3
edit retag flag offensive close merge delete


You might be running into Try putting a line in your script which consumes all stdin - like: `cert=$(cat)`. If that doesn't work, do you see any errors in the /var/log/puppetlabs/puppetserver/puppetserver.log file when signing should happen?

camlow325 gravatar imagecamlow325 ( 2016-09-25 09:50:36 -0600 )edit

It would also be good to check that the autosign setting is being set into the proper "puppet.conf" file. Puppet Server will try to read the puppet.conf file from whatever is set in the jruby-puppet.master-conf-dir setting in /etc/puppetlabs/puppetserver/conf.d/pe-puppet-server.conf. ...

camlow325 gravatar imagecamlow325 ( 2016-09-26 10:20:04 -0600 )edit

By default, this should be /etc/puppetlabs/puppet. If you run 'puppet config' as root, the setting should go into /etc/puppetlabs/puppet/puppet.conf. If you are running as a non-root user, though, it would go to $HOME/.puppetlabs/etc/puppet/puppet.conf, which is probably not what you would want.

camlow325 gravatar imagecamlow325 ( 2016-09-26 10:22:36 -0600 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2016-09-01 13:15:48 -0600

lupin gravatar image

Do a puppet config print autosign and create the config file if it didn't exist with permission set to your puppet user service account.

The format/content of the file is documented in here.

edit flag offensive delete link more


That's naive autosigning, tried that too. This way the script is still not executed and any certificated is signed.

Arioch gravatar imageArioch ( 2016-09-01 14:20:47 -0600 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2016-08-30 09:44:23 -0600

Seen: 214 times

Last updated: Sep 01 '16