Hi! As per this <http://docs.puppetlabs.com/puppet/4.3/reference/subsystem_agent_master_comm.html> documentation, for the agent, getting a certificate signed is completely optional if it has a valid and signed copy.
I've made 3 pairs -- one for both the agent and master, and a CA certificate/private key pair. Master's puppet.conf -- [main] log_level = debug ca = false autosign = false cacrl = /etc/puppetlabs/puppet/ssl/CA.crl keylength = 4096 localcacert = /etc/puppetlabs/puppet/ssl/CA.crt ca = false certificate_revocation = false hostcert = /etc/puppetlabs/puppet/ssl/master.crt hostprivkey = /etc/puppetlabs/puppet/ssl/master.key [master] ca = false autosign = false cacrl = /etc/puppetlabs/puppet/ssl/CA.crl keylength = 4096 localcacert = /etc/puppetlabs/puppet/ssl/CA.crt ca = false certificate_revocation = false hostcert = /etc/puppetlabs/puppet/ssl/master.crt hostprivkey = /etc/puppetlabs/puppet/ssl/master.key Agent's puppet.conf -- [main] logdir=/var/log/puppet vardir=/var/lib/puppet ssldir=/var/lib/puppet/ssl rundir=/var/run/puppet factpath=$vardir/lib/facter prerun_command=/etc/puppet/etckeeper-commit-pre postrun_command=/etc/puppet/etckeeper-commit-post log_level = debug server = master.puppet.net runinterval = 1 hostcert = /etc/puppet/agent.crt hostprivkey = /etc/puppet/agent.key keylength = 4096 localcacert = /etc/puppet/CA.crt certificate_revocation = false [agent] server = master.puppet.net runinterval = 1 hostcert = /etc/puppet/agent.crt hostprivkey = /etc/puppet/agent.key keylength = 4096 localcacert = /etc/puppet/CA.crt certificate_revocation = false The agent exists with Exiting; failed to retrieve certificate and waitforcert is disabled Detailed debug log -- http://pastebin.com/S8iER24X -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/ed298467-d61f-4b12-9700-aea709a3c1be%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
