Puppet cert clean not working

by Glenn Lasher   Last Updated September 11, 2019 18:00 PM

So, I am standing up a new server to replace an existing one. Should be easy, right? Revoke the old cert, create a new one and off you go. Here's the loop I am stuck in:

I've redacted the server names, cert fingerprint and domain. The servers shown below are:

  • Slave1 -- The machine that will be the partner of the one that is having issues. It is only mentioned below to prove one of the details.
  • Slave2 -- The machine that is giving me issues.
  • Master1 -- The puppet master (obviously)

On new build

[[email protected] ~]# puppet agent -t
Error: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:2F:F1
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
On the master:
  puppet cert clean slave2.example.com
On the agent:
  rm -f /var/lib/puppet/ssl/certs/slave2.example.com.pem
  puppet agent -t

Exiting; failed to retrieve certificate and waitforcert is disabled

Okay, that's predictable and fully expected because this is a new server using an old name. Now on the master:

[[email protected] ~]# puppet cert clean slave2.example.com
Notice: Revoked certificate with serial 154

Note that there's nothing about the key files getting removed. This is because they are not there. Proof:

[[email protected] ~]# ls /var/lib/puppet/ssl/ca/signed/slave1.example.com.pem
/var/lib/puppet/ssl/ca/signed/slave1.example.com.pem
[[email protected] ~]# ls /var/lib/puppet/ssl/ca/signed/slave2.example.com.pem
ls: cannot access /var/lib/puppet/ssl/ca/signed/slave2.example.com.pem: No such file or directory

Okay, good. Now go back to the slave to complete the procedure by removing the .pem file and running puppet agent again:

[[email protected] ~]# rm -f /var/lib/puppet/ssl/certs/slave2.example.com.pem
[[email protected] ~]# puppet agent -t
Info: Caching certificate for slave2.example.com
Error: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:2F:F1
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
On the master:
  puppet cert clean slave2.example.com
On the agent:
  rm -f /var/lib/puppet/ssl/certs/slave2.example.com.pem
  puppet agent -t

Exiting; failed to retrieve certificate and waitforcert is disabled

...and we are right back where we started with no change in outcome.

One last sanity check:

[[email protected] ~]# puppet cert list -a | grep -i save2

...and there are no matches.

What am I doing wrong?
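The check behind the error above is a public-key comparison: the agent takes the certificate it just cached from the master, extracts its public key, and compares it with the public key derived from its own private key. Below is an added example (not part of the question, and not Puppet's code) that does the same comparison with openssl, plus the SHA-256 fingerprint Puppet prints in the error. It assumes the Puppet 3 ssldir layout the question shows (certs/ and private_keys/ under /var/lib/puppet/ssl) and builds a throwaway key/cert pair in a temporary directory so it runs offline; the hostname slave2.example.com is taken from the question.

```shell
#!/bin/sh
# Added example, not from the original post or from Puppet.
# Reproduces, with openssl, the test Puppet makes before it reports
# "The certificate retrieved from the master does not match the agent's private key".
set -eu

# Return 0 when the certificate's public key equals the one derived from
# the private key, 1 otherwise. Both openssl commands emit SPKI PEM, so a
# plain string compare is enough.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Print the SHA-256 fingerprint in the same XX:XX:... form Puppet shows,
# so it can be compared with the fingerprint in the agent's error message.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Check an agent ssldir for one FQDN: 0 on match, 1 on mismatch/missing file.
# Default ssldir is the Puppet 3 path from the question.
check_agent_cert() {
  ssldir="${1:-/var/lib/puppet/ssl}"; fqdn="$2"
  cert_matches_key "$ssldir/certs/$fqdn.pem" "$ssldir/private_keys/$fqdn.pem"
}

# Constructed fixture (assumption, not real Puppet output): a key with a
# matching self-signed cert, plus a second, unrelated key standing in for
# the private key a freshly rebuilt host generates.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/certs" "$dir/private_keys"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=slave2.example.com" \
    -keyout "$dir/private_keys/slave2.example.com.pem" \
    -out "$dir/certs/slave2.example.com.pem" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/private_keys/rebuilt.pem" >/dev/null 2>&1
  echo "$dir"
}

# Run both comparisons against the fixture and report the outcome.
demo() {
  dir=$(make_fixture)
  if check_agent_cert "$dir" slave2.example.com; then a=match; else a=mismatch; fi
  if cert_matches_key "$dir/certs/slave2.example.com.pem" \
                      "$dir/private_keys/rebuilt.pem"; then b=match; else b=mismatch; fi
  rm -rf "$dir"
  echo "same-key:$a rebuilt-key:$b"
}

demo
```

On a real agent, run check_agent_cert with the host's FQDN after a failed `puppet agent -t`; if it reports a mismatch, cert_fingerprint on /var/lib/puppet/ssl/certs/<fqdn>.pem shows whether the cert the agent cached is the one whose fingerprint appears in the error, which tells you it is an old certificate being handed out rather than a freshly signed one. The fixture paths and the rebuilt.pem name are assumptions for the demonstration only.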
