One of the simplest errors that you will see when running the agent for the first time is a message stating, failed to retrieve certificate and waitforcert is disabled:

Exiting; failed to retrieve certificate and waitforcert is disabled

This particular message is easy to fix. Our agent is informing us that it has not received a signed certificate back from the master. We can solve this problem by simply logging in to the Puppet Master as the root user and signing our certificate. We can view any pending certificates on our Puppet Master with the command puppet cert list, as follows:

[root@wordpress puppetlabs]# puppet agent -t
Exiting; no certificate found and waitforcert is disabled

In the preceding code, we can see that our wordpress node hasn't been signed, and we can simply approve this node for use with puppet cert sign:

[root@pe-puppet-master ~]# puppet cert list
  "wordpress" (SHA256) F4:9E:56:9E:07:3F:66:B3:B4:CE:81:9E:1E:ED:FC:43:B9:A2:CC:88:78:8D:C5:30:CA:B0:B7:6D:0F:77:86:20

[root@pe-puppet-master ~]# puppet cert sign wordpress
Signing Certificate Request for:
  "wordpress" (SHA256) F4:9E:56:9E:07:3F:66:B3:B4:CE:81:9E:1E:ED:FC:43:B9:A2:CC:88:78:8D:C5:30:CA:B0:B7:6D:0F:77:86:20
Notice: Signed certificate request for wordpress
Notice: Removing file Puppet::SSL::CertificateRequest wordpress at '/etc/puppetlabs/puppet/ssl/ca/requests/wordpress.pem'

If we're not auto-signing our certificates through our autosign.conf or using an ENC that provides automatic signing for us, we'll always need to remember to sign certificates for new nodes.