[PUP-3805] Puppet Windows service should not ignore waitforcert setting Created: 2015/01/02  Updated: 2018/10/02

Status: Accepted
Project: Puppet
Component/s: Windows
Affects Version/s: PUP 3.7.3
Fix Version/s: None

Type: Improvement Priority: Major
Reporter: Ethan Brown Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: Windows, daemon, packaging
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Any Windows guest

Issue Links:
Team: Platform OS
Story Points: 2


The Windows service architecture is a bit different from other platforms, where the same agent code may be daemonized.

On Windows, there is a separate supervisory service daemon implemented in daemon.rb that triggers the Puppet agent on the specified runinterval

Each Puppet run is a new process creation, that has the --onetime flag specified:

Because --onetime is specified, that means that agent code will ignore the waitforcert setting that's specified in puppet.conf and will also ignore the default setting of 2m from defaults.rb

As a result, a time value of 0 is passed to wait_for_cert, and should any error arise during, for instance, an auto-signing cert request, then the agent will die:

This presents a problem when there may be an auto-signing cert policy in place, and the default runinterval of 30 minutes is undesirably long.

There are a couple of workarounds that could be employed, such as:

  • Changing the default runinterval in puppet.conf post Puppet installation
  • Reconfiguring the Windows service to add a command line override of --waitforcert which will take effect, even when puppet.conf is ignored with something like:

    sc.exe config pe-puppet binPath= "\"C:\Program Files\Puppet Labs\Puppet Enterprise\service\daemon.bat\" --waitforcert=120"

Neither of these are a great solution.

The most appropriate solution is likely to perform a better heuristic when determining what the waitforcert value should be.

  • Perhaps the check only works on Windows
  • Perhaps the check validates whether or not the cert has already been signed by the desired server, and only ignores waitforcert then

Generated at Fri Dec 13 09:31:11 PST 2019 using JIRA 7.7.1#77002-sha1:e75ca93d5574d9409c0630b81c894d9065296414.