Puppet agent: Exiting; no certificate found and waitforcert is disabled – Solution

Any Puppet agent connecting to a Puppet master server for a first time will generate a certificate and give it to a Puppet master server to sign. Depending on your puppet configuration, a default behavior is that the certificate must by signed manually and thus puppet agent exits with an error:

Exiting; no certificate found and waitforcert is disabled

To resolve this issue login to the Puppet master server and list all certificates awaiting a signature eg.:

# puppet cert list
  "agent1" (SHA256) 73:D4:EF:1A:F6:B9:D8:2F:AB:6F:4F:95:CA:73:CE:3F:8C:8B:5C:23:BB:B2:17:47:98:08:C7:01:96:C1:17:E2

From the above we can see that certificate from a single host agent1 is waiting for its certificate to be signed. Your output may be different and contain multiple certificates awaiting for a signature. From here we have two options on how to sign the above certificate. First, we can sign each certificate individually:

# puppet cert sign agent1
Notice: Signed certificate request for agent1
Notice: Removing file Puppet::SSL::CertificateRequest agent1 
at '/etc/puppetlabs/puppet/ssl/ca/requests/agent1.pem'

or we can sign all awaiting certificates at once:

# puppet cert sign --all