When we're writing code, we often log in to a test machine to run our agent manually and get a sense of what's going on. We rarely log in directly as the root, and it's easy to forget to switch our user to root. This problem can be particularly frustrating, because it appears as a certificate error. Our individual user generates a new certificate, and cannot connect to the Master using the SSL error. The key difference that you'll notice in the error log is the recommendation to remove the local certificate.

This happens primarily when doing testing and running the agent as the wrong user on a Puppet agent. Take note of the generating new key, and the user context user in line 1, and in the certificate clean message:In the following example, notice a new SSL key being generated, and that I'm running this command as my own users instead of root:

[rary@wordpress ~]$ puppet agent -t
Info: Creating a new SSL key for wordpress
Info: Caching certificate for ca
Info: Caching certificate for wordpress
Error: Could not request certificate: The certificate retrieved from the master does not match the agent's private key. Did you forget to run as root?
Certificate fingerprint: 0C:10:48:BB:F9:F4:12:4A:66:52:FD:BB:33:DF:54:67:98:B4:D1:01:96:DE:6B:A4:D1:29:19:3C:C8:83:15:8C
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certificate.
On the master:
  puppet cert clean wordpress
On the agent:
  1a. On most platforms: find /home/rary/.puppetlabs/etc/puppet/ssl -name wordpress.packt.com.pem -delete
  1b. On Windows: del "home
ary.puppetlabsetcpuppetsslcertswordpress.packt.com.pem" /f
  2. puppet agent -t

Exiting; failed to retrieve certificate and waitforcert is disabled