
getting error while signing certs

asked 2017-04-12 12:39:13 -0600

Frank_123_ih

Hi there,

I am getting the below error while generating the certificate. Please have a check on the error below.

root@east [/var/lib/puppet]# puppetd --test
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for
err: Could not request certificate: unknown message digest algorithm
Exiting; failed to retrieve certificate and waitforcert is disabled

I have updated the openssl on the server, but it seems that the error persists. I am using a CentOS 6 server. Any help would be greatly appreciated.



Are the clocks the same between the agent and the master? I had that issue with a new server today: I approved the certificate but the agent wouldn't run because the clock on the new agent was way off. Adjusted the time and it worked fine.

UBPClaw (2017-04-13 18:46:36 -0600)

6 Answers


answered 2017-09-21 10:48:06 -0600

Ivan Arjune

updated 2017-09-21 10:50:28 -0600

Here is the update in openssl that breaks puppet:

rpm -q --changelog openssl

* Wed Oct 05 2016 Tomáš Mráz <> 1.0.1e-52
- deprecate and disable verification of insecure hash algorithms
- disallow DH keys with less than 1024 bits in TLS client
- remove support for weak and export ciphersuites
- use correct digest when exporting keying material in TLS1.2 (#1376741)

I can confirm that downgrading to openssl-1.0.1e-48 resolved the error with puppet-2.7.26-1:

err: Could not request certificate: unknown message digest algorithm

answered 2017-04-13 02:19:30 -0600

greynolds

How are you deleting the certs?

Remove all reference from the puppetmaster:

puppet cert clean server name (your choice)
puppet node clean server name (your choice)
puppet node purge server name (your choice)

on client Delete the SSL directory

on client puppet agent -t

on master puppet cert sign server name

on client puppet agent -t -> (follow up)



Removed certs by the steps:
On puppetmaster: puppetca --clean hostname.of.agent
Remove all related files from /var/lib/puppet
On puppet agent: Removed /var/lib/puppet/ssl
Still getting the error while creating a signing request:
err: Could not request certificate: unknown message digest algorithm

Frank_123_ih (2017-04-19 03:32:46 -0600)

Interesting! After removing the certs and restarting the puppetmaster, you are getting certificate errors from a newer version of OpenSSL versus an older version? I would compare the configuration to see how they are configured. Either the older or the newer version does not like the digest.

greynolds (2017-04-21 04:08:39 -0600)

answered 2017-04-19 05:19:34 -0600

updated 2017-04-20 05:04:06 -0600

It is not the time, it is the algorithm. After updating to CentOS 6.9 I'm unable to generate a puppet cert for the master to sign. I suspect it has something to do with the OpenSSL update and supported hashes. Have not found a solution or an answer.


Downgrading openssl is the only solution I have found so far.

  • wget a previous version from a CentOS mirror (openssl-1.0.1e-48 tested and worked)
  • yum downgrade openssl-1.0.1e-48.el6.x86_64.rpm
  • puppet agent -t (create the CSR)
  • sign on master
  • update openssl to latest version (naturally, for security)

answered 2017-04-20 03:08:40 -0600

fvoges

It's a problem with openssl. Have you upgraded the openssl libraries on the agent too?

What OS, Puppet and openssl versions do you have installed on the master? And on the agent?



Yes, openssl has been updated to openssl-1.0.1e-57 on CentOS 6.9 on the client.

CmdKeen (2017-04-20 04:30:28 -0600)

answered 2017-04-19 00:24:30 -0600

Frank_123_ih

updated 2018-01-19 08:16:25 -0600

DarylW

Hi,

I have tried checking the server clock time with reference to the master server clock. Both are the same. All the ssl certs were removed from the client server (note that the server certs are not reaching the master server; this is the main issue by the way :-) ...), and I tried re-adding it to the master server, but still the same. Could you confirm if there is any other fix? I will wait for your reply.

Just a follow-up, as the forum won't allow posting multiple answers.

Hi fvoges,

We have CentOS 6 as our prime architecture. The server agent and the master are configured with CentOS 6. Since the server is using puppet version 2.6.18, the client server is also configured to use the same. Pasted below are the master and client server configurations.

[root@puppet ~]# openssl 
OpenSSL> version
OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL> quit
[root@puppet ~]# puppet -V
[root@puppet ~]# cat /etc/redhat-release 
CentOS release 6.8 (Final)


root@east [~]# openssl
OpenSSL> version
OpenSSL 1.0.1e 11 Feb 2013
OpenSSL> quit
root@east [~]# puppet -V
root@east [~]# cat /etc/redhat-release 
CentOS release 6.9 (Final)


Please have a check and let us know if there is any fix that you propose.



Please check my answer for a workaround.

CmdKeen (2017-04-20 05:05:07 -0600)

answered 2018-01-18 11:40:14 -0600

csharpsteen

As an alternative to downgrading OpenSSL, there are a couple mechanisms provided to re-enable MD5 as a digest algorithm for Puppet 2.7 certificates. Either of the following should work:

  • Set OPENSSL_ENABLE_MD5_VERIFY=1 in the Puppet master's environment or before running puppet cert.

  • Or, re-enable MD5 system-wide: echo 'LegacySigningMDs md5' >> /etc/pki/tls/legacy-settings

More info can be found in the RedHat bugtracker entry for the OpenSSL change:

Puppet 3.0 switched to using SHA256 as the certificate digest.

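An added diagnostic for this thread (example code, not from Puppet, OpenSSL or any of the posters): it reads the signatureAlgorithm OID out of a DER or PEM encoded CSR or certificate with a minimal ASN.1 walker, names the digest, and reports whether an OpenSSL build that has MD5 disabled (the openssl-1.0.1e-52 change quoted above) would refuse it unless OPENSSL_ENABLE_MD5_VERIFY=1 is set. The "policy" table, the function names and the CSR-shaped sample it builds are assumptions of the example; the sample is a constructed skeleton, not a real signed request.

```python
"""Added example for this thread: report which digest a DER or PEM CSR or
certificate is signed with, and whether an OpenSSL build with MD5 disabled
(the openssl-1.0.1e-52 change quoted above) would refuse it.  Not Puppet or
OpenSSL code; the policy table and the sample CSR are constructed here."""
import base64
import os

# Signature-algorithm OIDs (PKCS#1 / RFC 4055) mapped to (name, digest).
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "md5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "sha1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "sha256"),
}
# Digests the hardened package refuses unless re-enabled: an assumption based on
# the changelog line "disable verification of insecure hash algorithms" and on
# the OPENSSL_ENABLE_MD5_VERIFY workaround posted above.
DISABLED_DIGESTS = {"md5"}


def load_der(data):
    """Accept PEM or DER bytes and return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(ln.strip() for ln in data.splitlines()
                        if ln.strip() and not ln.startswith(b"-----"))
        return base64.b64decode(body)
    return data


def _read_tlv(buf, pos):
    """Parse one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets to dotted notation."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                       # last base-128 digit of this arc
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def signature_oid(der):
    """Dotted OID of the outer signatureAlgorithm.  A PKCS#10 request and an
    X.509 certificate are both SEQUENCE { tbs, AlgorithmIdentifier, BIT STRING },
    so the OID is the first element of the outer SEQUENCE's second child."""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)            # skip the tbs body
    tag, alg_start, _ = _read_tlv(der, tbs_end)      # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return _decode_oid(der[oid_start:oid_end])


def check_request(data, md5_enabled=None):
    """Classify a CSR/cert against the hardened-OpenSSL policy.  With
    md5_enabled=None the OPENSSL_ENABLE_MD5_VERIFY=1 environment override
    from the thread is honoured."""
    if md5_enabled is None:
        md5_enabled = os.environ.get("OPENSSL_ENABLE_MD5_VERIFY") == "1"
    oid = signature_oid(load_der(data))
    name, digest = SIG_ALG_OIDS.get(oid, (oid, "unknown"))
    if digest == "unknown":
        status = "unrecognised"
    elif digest in DISABLED_DIGESTS and not md5_enabled:
        status = "rejected"     # the "unknown message digest algorithm" case
    else:
        status = "accepted"
    return {"algorithm": name, "digest": digest, "status": status}


# --- constructed sample: a CSR-shaped skeleton, not a real signed request ---
def _tlv(tag, content):
    n = len(content)
    hdr = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n])  # n < 256 here
    return hdr + content


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append((p & 0x7F) | 0x80)
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def sample_csr(sig_oid):
    """PKCS#10-shaped DER with the given signature OID (placeholder tbs and
    signature bits; only the outer layout matters to signature_oid)."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x00"))                 # version 0 only
    alg = _tlv(0x30, _encode_oid(sig_oid) + b"\x05\x00")  # OID + NULL params
    sig = _tlv(0x03, b"\x00" * 17)                        # BIT STRING, 0 unused
    return _tlv(0x30, tbs + alg + sig)
```

To check a real request, pass the file contents, e.g. the agent's own CSR from under /var/lib/puppet/ssl (the directory the thread mentions): check_request(open(path, "rb").read()). A result of "rejected" with digest "md5" is the Puppet 2.x situation described above; a Puppet 3.0 or later CSR comes back as sha256 and "accepted" regardless of the override.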


Asked: 2017-04-12 12:39:13 -0600

Seen: 2,689 times

Last updated: Jan 19