You want to autosign any new client certificates that are sent to the puppet master. Be sure to understand the lack of security this presents.
# find the config directory (as root)
$ puppet config print --section master confdir
/etc/puppet/
# add a wildcard autosign
$ cat /etc/puppet/autosign.conf
*
By adding a single * to the autosign.conf
file you tell the puppet
master to accept the first certificate it sees for each client host.
This allows machines to come up on build and immediately connect to
puppet and begin their configuration. If you rebuild a machine, or do
anything that triggers a change in the clients certificate, the puppet
master will not allow the new certificate to connect until the old one
has been removed.
The location of the autosign.conf
file can vary slightly between
puppet packages / deployments so it's often worth confirming its location
on disk using the config print functionality:
puppet config print --section master confdir
This must be run as the same user puppet runs under to show the correct location.
To reiterate - having this option enabled may seem like a time saver but the risk is that any machine can connect without authorisation and request your manifests and templates, which may contain privileged information such as passwords, certificates, shared keys etc.