[PUP-3805] Puppet Windows service should not ignore waitforcert setting Created: 2015/01/02  Updated: 2020/03/04

Status: Accepted
Project: Puppet
Component/s: Windows
Affects Version/s: PUP 3.7.3
Fix Version/s: None

Type: Improvement Priority: Major
Reporter: Ethan Brown Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: Windows, daemon, packaging, platform-os
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Environment: Any Windows guest

Issue Links:
Team: Night's Watch
Story Points: 2


The Windows service architecture is a bit different from other platforms, where the same agent code may be daemonized.

On Windows, there is a separate supervisory service daemon, implemented in daemon.rb, that triggers the Puppet agent on the specified runinterval.

Each Puppet run is a newly created process that has the --onetime flag specified:

Because --onetime is specified, the agent code ignores the waitforcert setting specified in puppet.conf and also ignores the default setting of 2m from defaults.rb.

As a result, a time value of 0 is passed to wait_for_cert, and should any error arise during, for instance, an auto-signing cert request, the agent will die:

This presents a problem when an auto-signing cert policy may be in place and the default runinterval of 30 minutes is undesirably long.

There are a couple of workarounds that could be employed, such as:

  • Changing the default runinterval in puppet.conf post Puppet installation
  • Reconfiguring the Windows service to add a command line override of --waitforcert which will take effect, even when puppet.conf is ignored with something like:

    sc.exe config pe-puppet binPath= "\"C:\Program Files\Puppet Labs\Puppet Enterprise\service\daemon.bat\" --waitforcert=120"

Neither of these is a great solution.

The most appropriate solution is likely to use a better heuristic when determining what the waitforcert value should be.

  • Perhaps the check only works on Windows
  • Perhaps the check validates whether or not the cert has already been signed by the desired server, and only ignores waitforcert then
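The following Ruby simulation is an added illustration of the behaviour described in this ticket and of the second proposed heuristic; it is not Puppet's own code. It models the supervisory daemon launching a one-shot run every runinterval, a simplified wait_for_cert that polls until a timeout, and a CA that signs the request at a constructed point in time. The constants RUNINTERVAL, DEFAULT_WAITFORCERT and POLL, the helper names, and the signing times are all assumptions chosen for the example.

```ruby
# Added example (not Puppet's own code): simulate how --onetime forcing
# waitforcert to 0 delays the first successful run under the Windows service.

RUNINTERVAL = 30 * 60        # Puppet's default runinterval (30 minutes), in seconds
DEFAULT_WAITFORCERT = 120    # the 2m default from defaults.rb that --onetime bypasses
POLL = 10                    # assumed polling interval inside wait_for_cert

# Simplified wait_for_cert: poll until the CA has signed (at wall-clock second
# `signed_at`) or `timeout` seconds pass. Returns [success, elapsed_seconds].
def wait_for_cert(timeout, now, signed_at)
  elapsed = 0
  loop do
    return [true, elapsed] if now + elapsed >= signed_at
    return [false, elapsed] if elapsed >= timeout
    elapsed += POLL
    elapsed = timeout if elapsed > timeout
  end
end

# Current behaviour as the ticket describes it: --onetime discards both the
# puppet.conf value and the built-in default, so the agent waits 0 seconds.
def effective_waitforcert(onetime:, configured:)
  return 0 if onetime
  configured || DEFAULT_WAITFORCERT
end

# The ticket's second proposal: under --onetime, skip waiting only when a
# signed cert is already present; otherwise honour the configured value.
def proposed_waitforcert(onetime:, configured:, cert_signed:)
  wait = configured || DEFAULT_WAITFORCERT
  return wait unless onetime
  cert_signed ? 0 : wait
end

# Simulate the Windows service: one-shot runs every RUNINTERVAL seconds.
# Returns the wall-clock second at which the agent first obtains a signed
# cert, or nil if it never does within max_runs attempts.
def seconds_until_cert(waitforcert, signed_at, max_runs: 10)
  max_runs.times do |run|
    started = run * RUNINTERVAL
    ok, elapsed = wait_for_cert(waitforcert, started, signed_at)
    return started + elapsed if ok
    # The run dies here, as the ticket describes; the daemon only retries
    # at the next runinterval boundary.
  end
  nil
end

if $PROGRAM_NAME == __FILE__
  signed_at = 60 # constructed: the CA auto-signs one minute after the request
  current = seconds_until_cert(effective_waitforcert(onetime: true, configured: 120), signed_at)
  proposed = seconds_until_cert(proposed_waitforcert(onetime: true, configured: 120, cert_signed: false), signed_at)
  puts "first cert with --onetime today: #{current}s; with proposed heuristic: #{proposed}s"
end
```

With signing one minute after the request, the service as described waits a full runinterval (1800 s) before the next run picks up the cert, while honouring waitforcert under the proposed heuristic obtains it within the polling window (60 s). The command-line override `--waitforcert=120` from the sc.exe workaround above corresponds to passing configured: 120 while leaving onetime in place.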

Generated at Mon Jul 13 22:06:25 PDT 2020 using Jira 8.5.2#805002-sha1:a66f9354b9e12ac788984e5d84669c903a370049.