
Puppet Windows service should not ignore waitforcert setting


    • Type: Improvement
    • Status: Accepted
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: PUP 3.7.3
    • Fix Version/s: None
    • Component/s: Windows
    • Environment: Any Windows guest
    • Team: Platform OS


      The Windows service architecture is a bit different from other platforms, where the same agent code may be daemonized.

      On Windows, there is a separate supervisory service daemon, implemented in daemon.rb, that triggers the Puppet agent on the specified runinterval.

      Each Puppet run is a new process, created with the --onetime flag specified:

      Because --onetime is specified, the agent code ignores the waitforcert setting specified in puppet.conf and also ignores the default setting of 2m from defaults.rb.

      As a result, a time value of 0 is passed to wait_for_cert, and should any error arise during, for instance, an auto-signing cert request, the agent will die:

      This presents a problem when there may be an auto-signing cert policy in place, and the default runinterval of 30 minutes is undesirably long.

      There are a couple of workarounds that could be employed, such as:

      • Changing the default runinterval in puppet.conf post Puppet installation
      • Reconfiguring the Windows service to add a command line override of --waitforcert which will take effect, even when puppet.conf is ignored with something like:

        sc.exe config pe-puppet binPath= "\"C:\Program Files\Puppet Labs\Puppet Enterprise\service\daemon.bat\" --waitforcert=120"

      Neither of these is a great solution.

      The most appropriate solution is likely to perform a better heuristic when determining what the waitforcert value should be.

      • Perhaps the check only works on Windows
      • Perhaps the check validates whether or not the cert has already been signed by the desired server, and only ignores waitforcert then
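      The following is an added example written for this ticket, not Puppet's own code: it models the selection logic described above (a --waitforcert command-line override wins, otherwise --onetime forces 0) next to the second proposed heuristic (drop the wait only when a signed cert already exists), and runs both against a simulated CA that auto-signs after a few polls. FakeCa, effective_waitforcert, heuristic_waitforcert and the simplified wait_for_cert are all hypothetical names; the real wait_for_cert treats waitforcert as a polling interval and retries indefinitely, which the simulation caps with max_polls.

```ruby
# Added example for PUP-3805, not Puppet's code. All names are hypothetical.

# Constructed stand-in for a master with an autosign policy: the CSR is
# reported as signed only after +signs_after_polls+ status checks.
class FakeCa
  def initialize(signs_after_polls:)
    @remaining = signs_after_polls
  end

  # true once the cert is "signed", false while the request is still pending
  def poll
    @remaining -= 1
    @remaining <= 0
  end
end

# Current behaviour described in the ticket: a command-line override is
# honoured, otherwise --onetime yields 0 and puppet.conf / the 2m default
# are ignored.
def effective_waitforcert(onetime:, cli_override: nil, configured: 120)
  return cli_override if cli_override
  onetime ? 0 : configured
end

# Proposed heuristic: ignore waitforcert only when a signed cert is already
# present, so a freshly installed agent keeps waiting even under --onetime.
def heuristic_waitforcert(onetime:, cert_signed:, cli_override: nil, configured: 120)
  return cli_override if cli_override
  onetime && cert_signed ? 0 : configured
end

# Simplified wait_for_cert: +interval+ is the seconds between polls (0 means
# do not wait). Returns [:signed, polls], [:died, 1] when a 0 wait meets a
# pending cert (the agent exits), or [:gave_up, polls] at the simulation cap.
def wait_for_cert(ca, interval, max_polls: 10)
  polls = 0
  loop do
    polls += 1
    return [:signed, polls] if ca.poll
    return [:died, polls] if interval.zero?      # no retry with waitforcert=0
    return [:gave_up, polls] if polls >= max_polls # simulation guard only
  end
end

# Fresh Windows agent under the service: --onetime, no override, cert pending.
def service_run_today
  wait_for_cert(FakeCa.new(signs_after_polls: 3), effective_waitforcert(onetime: true))
end

# Same agent if the proposed heuristic were applied.
def service_run_with_heuristic
  wait_for_cert(FakeCa.new(signs_after_polls: 3),
                heuristic_waitforcert(onetime: true, cert_signed: false))
end
```

With the sc.exe workaround from the ticket, the same model gives effective_waitforcert(onetime: true, cli_override: 120) == 120, which is why the override takes effect even though puppet.conf is ignored.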


    • Assignee: Ethan Brown