err: Could not request certificate: Error 400 on SERVER: unknown message digest algorithm

asked 2017-11-01 04:00:28 -0600

vinotv

updated 2018-02-16 08:50:47 -0600

DarylW

Recently I wrongly removed the client (Amazon Linux) certificate on the puppet master. To recreate it, I deleted the /var/lib/puppet/ssl directory and then ran the command puppet agent -t on the client, and got the error below. The same method of regenerating the puppet certificate worked fine on Red Hat Linux servers.

Puppet Client:

[root@proxy-AZa ~]# cd /var/lib/puppet/ssl/
[root@proxy-AZa ssl]# ls -lrt
total 24
drwxr-x--- 2 puppet root   4096 Oct 30 17:32 private
drwxr-x--- 2 puppet root   4096 Oct 30 17:32 private_keys
drwxr-xr-x 2 puppet root   4096 Oct 30 17:32 public_keys
drwxr-xr-x 2 puppet root   4096 Oct 30 17:32 certs
drwxr-xr-x 2 puppet root   4096 Oct 31 06:52 certificate_requests
drwxrwx--- 5 puppet puppet 4096 Oct 31 09:30 ca
[root@proxy-AZa ssl]# rm -rf *
[root@proxy-AZa ssl]# puppet agent -t
info: Creating a new SSL key for proxy-aza.ad2015sit
info: Caching certificate for ca
info: Creating a new SSL certificate request for proxy-aza.ad2015sit
info: Certificate Request fingerprint (md5): F4:45:68:AA:A8:48:5D:6D:D6:B2:62:11:70:5C:D3:AD
err: Could not request certificate: Error 400 on SERVER: unknown message digest algorithm
Exiting; failed to retrieve certificate and waitforcert is disabled

Puppet Master

[root@puppet tmp]# puppet cert list
  "" (SHA256) 9E:5C:51:B9:65:F5:02:96:D0:B1:84:52:95:6B:49:80:C9:3A:17:20:80:1E:31:FA:D7:80:6B:41:D1:C2:7A:6D
  "proxy-aza.ad2015sit"       (MD5) 9E:90:70:C9:91:F8:80:2A:FE:C2:C5:71:FD:A7:F2:73
  "proxy-aza"            (MD5) 6C:9D:77:3C:C0:5D:08:26:A8:3F:3E:3D:C6:DA:CF:49
  "win-0ev7r2vfdqc"                           (SHA256) 78:FA:FB:8F:07:1D:01:FA:CF:F0:29:EB:9F:94:B9:2A:23:31:F9:91:E4:29:6F:58:07:82:94:42:36:73:C6:B3
  "win-4fucdt6gaiv"                           (SHA256) B2:92:F8:81:5D:78:AB:1A:77:6A:46:AD:9A:AE:7E:3A:0B:2C:8E:9A:4F:9D:18:1D:99:10:2D:D5:18:2B:F6:10
  "win-nr2kko32ipn"                           (SHA256) F8:4B:48:31:03:D7:B9:F4:20:4C:DC:A6:25:E5:67:17:B0:6E:13:53:32:FA:94:A4:8C:E6:57:6B:D5:BA:55:FB
  "win-qv88oi3kji6"                           (SHA256) CF:45:DB:A2:E4:F8:57:85:B7:E6:25:CD:82:E0:32:8D:EE:83:12:FC:CA:E6:00:8D:83:63:54:F1:74:72:85:CA
  "win-sct3th2f3s7"                           (SHA256) 01:2F:4A:05:F2:06:8E:80:47:D5:8F:6E:A9:4E:9C:42:90:58:8D:8D:AE:75:B5:45:E9:78:FA:B5:B6:9E:BE:D1
You have new mail in /var/spool/mail/root
[root@puppet tmp]# puppet cert sign "proxy-aza.ad2015sit"
Error: unknown message digest algorithm

The certificates are generated with MD5 and not in SHA256 format. The problem exists only on Amazon Linux ...


Also, we have a few other Amazon Linux servers running and already signed in SHA256 format. When I regenerate this one, we get into this issue.

vinotv (2017-11-01 04:02:02 -0600)

1 Answer

answered 2018-02-16 07:51:16 -0600

vinotv

I haven't gotten any response here, but I found the fix. I upgraded puppet to puppet3 and facter2, and then puppet agent -t from the client was able to communicate with the server and generate the SHA256 fingerprint. All looks good now.
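An added example, not part of the original question or answer: a shell check over the master's pending-request listing that reports the rows standing out in the output above, namely requests fingerprinted with a digest other than SHA256 and requests with an empty name. The function name `audit_csr_digests` is hypothetical, and the parsing assumes only the `"name" (DIGEST) fingerprint` row format shown in the question.

```shell
#!/bin/sh
# Added example, not from the original thread: audit the digest column of
# `puppet cert list` output. Reads the listing on stdin.

# Three rows copied from the master's listing in the question, plus the
# prompt and mail lines that surround it, to show that they are ignored.
sample_listing() {
cat <<'EOF'
[root@puppet tmp]# puppet cert list
  "" (SHA256) 9E:5C:51:B9:65:F5:02:96:D0:B1:84:52:95:6B:49:80:C9:3A:17:20:80:1E:31:FA:D7:80:6B:41:D1:C2:7A:6D
  "proxy-aza.ad2015sit"       (MD5) 9E:90:70:C9:91:F8:80:2A:FE:C2:C5:71:FD:A7:F2:73
  "win-0ev7r2vfdqc"                           (SHA256) 78:FA:FB:8F:07:1D:01:FA:CF:F0:29:EB:9F:94:B9:2A:23:31:F9:91:E4:29:6F:58:07:82:94:42:36:73:C6:B3
You have new mail in /var/spool/mail/root
[root@puppet tmp]# puppet cert sign "proxy-aza.ad2015sit"
EOF
}

# audit_csr_digests (hypothetical helper name): one line per finding.
#   EMPTY_NAME  <digest>          request whose quoted name is empty
#   WEAK_DIGEST <digest> <name>   fingerprint digest is not SHA256
#   BAD_LENGTH  <digest> <name>   SHA256 row whose fingerprint is not 32 bytes
audit_csr_digests() {
  awk -F'"' '
    NF >= 3 {
      name = $2
      # After the closing quote: "(DIGEST)" then the colon-separated bytes.
      n = split($3, col, " ")
      if (n < 2 || col[1] !~ /^\(.*\)$/) next   # not a listing row
      alg = col[1]
      gsub(/[()]/, "", alg)
      bytes = split(col[2], octet, ":")
      if (name == "")           printf "EMPTY_NAME %s\n", alg
      else if (alg != "SHA256") printf "WEAK_DIGEST %s %s\n", alg, name
      else if (bytes != 32)     printf "BAD_LENGTH %s %s\n", alg, name
    }'
}

# Stand-alone run against the embedded sample.
sample_listing | audit_csr_digests
```

On a master, the same function can read the live listing from `puppet cert list` on stdin.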

Asked: 2017-11-01 03:53:58 -0600
Last updated: Feb 16