After starting an new instance on labs project where puppetmaster is pointing to a role::puppetmaster::standalone instance, one has to delete /var/lib/puppet/ssl before puppet will function. Until you delete that directory, puppet agent -tv will give errors like this:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: deployment-puppetmaster.deployment-prep.eqiad.wmflabs]
100% reproducible on labs projects having a role::puppetmaster::standalone puppetmaster (eg: deployment-prep, integration, tools). There is no magic beside retrying (either delete/rebuild an instance or randomly delete bunch of files).
$ sudo -i puppet agent -tv $ sudo rm -fR /var/lib/puppet/ssl $ sudo rm /var/lib/puppet/server/ssl/ca/signed/$(hostname -f).pem $ sudo -i puppet agent -tv
$ sudo puppet cert clean <fqdn of instance>
$ sudo -i puppet agent -tv