Ask Your Question

Puppet agent setup cert loop?

asked 2014-04-02 16:47:49 -0500

JM gravatar image

My agent "jmproto" can't seem to talk to my master "puppetbot". I followed the fix instructions in the error below, but it made things worse (my master can't finish a puppet agent -t anymore). Here's my console output and my agent machine's puppet.conf

[root@jmproto ~]# puppet agent -t
err: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: 82:D9:28:3A:EE:8F:90:F4:7A:E8:9E:02:4A:B3:82:C8
To fix this, remove the certificate from both the master ...
edit retag flag offensive close merge delete

3 Answers

Sort by ยป oldest newest most voted

answered 2014-04-02 21:25:49 -0500

updated 2014-04-04 09:54:36 -0500

JM this question is the same that.

Here is how you fix it. execute on your puppet master.

puppet cert clean "yourhostnamehere"

execute on your puppet agent.

rm -f /etc/puppetlabs/puppet/ssl/certs/`facter fqdn`.pem
find $(puppet master --configprint ssldir) -name `facter fqdn`.pem -delete
puppet agent -t

back for your puppet master

puppet cert --list

check your name certificate and sign.

puppet cert --sign "yourhostnamehere"

come back to your puppet agent and be happy :D

puppet agent -t
edit flag offensive delete link more


`rm -f /etc/puppetlabs/puppet/ssl/certs/yourhostnamehere` That folder does not exist on my agent.

JM gravatar imageJM ( 2014-04-03 11:11:37 -0500 )edit

JM you need to change yourhostnamehere for . In this case 'rm -f /etc/puppetlabs/puppet/ssl/certs/rm -f /var/lib/puppet/ssl/certs/ ...(more)

Renan Vicente gravatar imageRenan Vicente ( 2014-04-03 12:26:55 -0500 )edit

Replace /etc/puppetlabs/puppet/ssl with your $ssldir. For open source puppet that is usually /var/lib/puppet/ssl. The find is a little too agressive too, i suggest "rm ...(more)

ffrank gravatar imageffrank ( 2014-04-04 03:31:52 -0500 )edit

I edited my answer for find $(puppet master --configprint ssldir) -name *yourhostnamehere* -delete , that way you won't have problem if you are using puppetlabs or puppet open source. it ...(more)

Renan Vicente gravatar imageRenan Vicente ( 2014-04-04 05:53:25 -0500 )edit

Nice :-) Still pretty agressive though, why not `facter fqdn`.pem? Also, using `puppet master --configprint` on the agent machine seems counter-intuitive if not outright wrong(?)

ffrank gravatar imageffrank ( 2014-04-04 09:48:54 -0500 )edit

answered 2014-05-11 20:39:16 -0500

fnaard gravatar image

The docs site has an answer that I've modified slightly.

You want to get the master to revoke and forget the certificate it already has for the node's agent.

puppet cert clean {node certname}

Then on the agent, remove its ssl directory entirely, which can be found by asking the agent.

rm -rf $(puppet agent --configprint ssldir)

The next time you run the agent, it will completely regenerate its keypair and send a new CSR to the master.

puppet agent --test

Sign it on the master

puppet cert sign {node certname}

Run the agent again, it should receive the signed certificate, drop it in place, and be able to fetch a catalog.

puppet agent --test
edit flag offensive delete link more

answered 2014-05-13 15:26:52 -0500

Stefan gravatar image

On your agent jmproto you have to following in /etc/puppet/puppet.conf

server =
certname =

This means that the agent will connect to puppetbot (that is correct) and the certificate of your agent will be called That's simply wrong because your agent will now have the same name as your puppet server. That's why you got the certificate problem in the first place, because there already was a certficate called (namely the certificate of your puppet master). You made things worse when you tried to remove the agent's certificate on your master, because in reality you have removed the master's certficate.

Either set certname to something else, or leave it out enterely (preferred). If you don't set certname explicitly it will be the same as the fqdn of you puppet agent.

Then I'd remove the ssl directory on both your master and your agent. Restart the master (the master will now create a CA certficate and a certficiate called, then start the agent (the agent will then create a certificate Go back to your master and sign the request Now everything should work!

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2014-04-02 16:47:49 -0500

Seen: 293 times

Last updated: May 13 '14