puppet cert clean throws Error: Could not find a serial number

asked 2015-09-19 00:58:00 -0600

jpmolekunnel


While running puppet agent --no-daemonize --onetime --verbose on the agent server, I am getting the following error:

    Error: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
    Certificate fingerprint: 72:D3:33:8E:77:B6:99:89:1F:04:A4:A5:22:C5:30:C0:04:AC:9F:64:A0:20:56:11:64:C3:3A:4A:DA:03:1A:DB
    To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
    On the master:
      puppet cert clean ubuntu.localdomain
    On the agent:
      rm -f /var/lib/puppet/ssl/certs/ubuntu.localdomain.pem
      puppet agent -t

So I ran puppet cert clean on the master but got: Error: Could not find a serial number for

Please help me on this to complete my installation.

Regards, Jojan Paul


4 Answers


answered 2015-09-23 13:41:40 -0600

syphrix

I know I ran into this a while back. Turns out the Puppet Master couldn't find the serial of a cert if it wasn't signed. Try signing the cert first with puppet cert sign ubuntu.localdomain then follow up with the clean command.



Did the job

hier ( 2017-03-11 03:57:20 -0600 )

answered 2015-09-19 03:57:35 -0600

Are you mixing names here? I'd do literally what your error message is saying:

on master:
    puppet cert clean ubuntu.localdomain
on client:
    rm -f /var/lib/puppet/ssl/certs/ubuntu.localdomain.pem
    puppet agent -t --waitforcert 60

Have you tried this? Cheers, Stuart


Just noticed the name mismatch. Yes, do what @sahumphries is saying.

syphrix ( 2015-09-23 13:44:39 -0600 )

answered 2015-09-23 05:14:23 -0600

DevOPs_Paul.Tung

Hi Jojan Paul,

Could you list the certificates with the command below on the master?

    puppet cert list --all

I am curious whether your agent certificate is not signed by the master yet.

answered 2015-09-21 03:15:52 -0600

FranzCC

Did you want to remove the node and add it again?
Cert clean is not the way.
To completely remove the node, you should use puppet node purge <nodename>.
If you did revoke the client cert, then you should use the puppet cert generate command.
Otherwise the CA will have dead but not revoked certs which pollute the CA.
There are good wikis on how to manage a CA, though.

Rgds. Franz
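The error quoted in the question says the certificate does not match the agent's private key. As an added example (not part of the thread), this script confirms that condition with openssl before anything is removed; the sample files are constructed, and the private_keys path named in the comments is an assumed default location that does not appear on the page.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread. Function names are hypothetical.

# SHA-256 fingerprint of a PEM certificate, colon-separated like the value in
# the error text (assumption: Puppet prints a SHA-256 digest of the cert).
cert_fingerprint() {
    local out
    out=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 2
    printf '%s\n' "${out#*=}"
}

# Exit 0 if the certificate's public key is the public half of the private
# key, 1 if the two differ, 2 if either file cannot be parsed.
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample material: key A, a self-signed cert for key A, and an
# unrelated key B. Prints the temporary directory that holds them.
make_samples() {
    local d
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=agent.example.test" \
        -keyout "$d/a.key" -out "$d/a.crt" >/dev/null 2>&1 || return 1
    openssl genrsa -out "$d/b.key" 2048 >/dev/null 2>&1 || return 1
    printf '%s\n' "$d"
}

# Demo on the constructed files. On a real agent you would pass
# /var/lib/puppet/ssl/certs/<certname>.pem and the matching file under
# /var/lib/puppet/ssl/private_keys/ (assumed default location).
if d=$(make_samples); then
    echo "fingerprint: $(cert_fingerprint "$d/a.crt")"
    cert_matches_key "$d/a.crt" "$d/a.key"; echo "cert vs key A: exit $?"
    cert_matches_key "$d/a.crt" "$d/b.key"; echo "cert vs key B: exit $?"
    rm -rf "$d"
fi
```

An exit status of 1 on the agent's own files corresponds to the mismatch the agent reports, and the printed fingerprint can be compared with the one in the error message.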



Asked: 2015-09-19 00:58:00 -0600

Seen: 10,369 times

Last updated: Sep 23 '15