Any Puppet agent connecting to a Puppet master server for a first time will generate a certificate and give it to a Puppet master server to sign. Depending on your puppet configuration, a default behavior is that the certificate must by signed manually and thus puppet agent exits with an error:
Exiting; no certificate found and waitforcert is disabled
To resolve this issue login to the Puppet master server and list all certificates awaiting a signature eg.:
# puppet cert list "agent1" (SHA256) 73:D4:EF:1A:F6:B9:D8:2F:AB:6F:4F:95:CA:73:CE:3F:8C:8B:5C:23:BB:B2:17:47:98:08:C7:01:96:C1:17:E2
From the above we can see that certificate from a single host agent1 is waiting for its certificate to be signed. Your output may be different and contain multiple certificates awaiting for a signature. From here we have two options on how to sign the above certificate. First, we can sign each certificate individually:
# puppet cert sign agent1 Notice: Signed certificate request for agent1 Notice: Removing file Puppet::SSL::CertificateRequest agent1 at '/etc/puppetlabs/puppet/ssl/ca/requests/agent1.pem'
or we can sign all awaiting certificates at once:
# puppet cert sign --all