The Windows service architecture is a bit different from other platforms, where the same agent code may be daemonized.
On Windows, there is a separate supervisory service daemon, implemented in daemon.rb, that triggers the Puppet agent at the specified runinterval.
Each Puppet run creates a new process that has the --onetime flag specified:
Because --onetime is specified, the agent code ignores the waitforcert setting specified in puppet.conf and also ignores the default setting of 2m from defaults.rb.
As a result, a time value of 0 is passed to wait_for_cert, and should any error arise during, for instance, an auto-signing cert request, then the agent will die:
This presents a problem when there may be an auto-signing cert policy in place, and the default runinterval of 30 minutes is undesirably long.
There are a couple of workarounds that could be employed, such as:
- Changing the default runinterval in puppet.conf post Puppet installation
- Reconfiguring the Windows service to add a command-line override of --waitforcert, which takes effect even when puppet.conf is ignored, with something like:
Neither of these is a great solution.
The most appropriate solution is likely to use a better heuristic when determining what the waitforcert value should be.
- Perhaps the check only works on Windows
- Perhaps the check validates whether or not the cert has already been signed by the desired server, and only ignores waitforcert then
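
The following Ruby sketch is an added illustration, not Puppet's own code: it models the waitforcert resolution described above next to the second proposed heuristic, and estimates how long a new node waits for its cert under each. The function names, the `cert_signed` input and the 45-second signing delay are assumptions made for the example.

```ruby
# Added illustration: a simplified model, not Puppet's own code.
DEFAULT_WAITFORCERT = 120   # the 2m default the page cites, in seconds
DEFAULT_RUNINTERVAL = 1800  # the 30-minute default runinterval, in seconds

# Behaviour the page describes: an explicit --waitforcert on the command line
# wins; otherwise --onetime forces 0 and the configured value is ignored.
def current_waitforcert(cli:, onetime:, configured: DEFAULT_WAITFORCERT)
  return cli unless cli.nil?
  onetime ? 0 : configured
end

# Second heuristic the page proposes: ignore the configured value only when
# the agent already holds a signed cert (cert_signed is a hypothetical input).
def proposed_waitforcert(cli:, onetime:, cert_signed:, configured: DEFAULT_WAITFORCERT)
  return cli unless cli.nil?
  onetime && cert_signed ? 0 : configured
end

# Seconds from the first request until the agent picks up its cert, when the
# CA signs it sign_delay seconds after that request. Assumption: with
# waitforcert 0 the run exits and the service retries one runinterval later;
# otherwise the same run polls again every waitforcert seconds.
def seconds_until_cert(waitforcert:, sign_delay:, runinterval: DEFAULT_RUNINTERVAL)
  return 0 if sign_delay <= 0
  retry_every = waitforcert.zero? ? runinterval : waitforcert
  (sign_delay.to_f / retry_every).ceil * retry_every
end

# Constructed scenario: a new Windows node whose cert is auto-signed 45 s
# after the first request, started by the service with --onetime.
def compare(sign_delay: 45)
  now = current_waitforcert(cli: nil, onetime: true)
  fix = proposed_waitforcert(cli: nil, onetime: true, cert_signed: false)
  { current: seconds_until_cert(waitforcert: now, sign_delay: sign_delay),
    proposed: seconds_until_cert(waitforcert: fix, sign_delay: sign_delay) }
end

puts compare.inspect if __FILE__ == $PROGRAM_NAME
```

In this model the node waits a full runinterval (1800 seconds) under the current behaviour and 120 seconds under the proposed heuristic, while a node that already holds a signed cert still gets a waitforcert of 0.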