Certificate reuse

Sometimes, we spin up a new node using a certificate name that the Puppet Master already knows, especially in immutable infrastructures where nodes are rebuilt under the same name. Puppet's certificate handling is designed with security in mind: the master still holds the certificate it signed for the old node's key, while the rebuilt node has generated a fresh private key, so the agent rejects the mismatched certificate and presents a message like the following:

[root@wordpress puppet]# puppet agent -t
Error: Could not request certificate: The certificate retrieved from the master does not match the agent's private key. Did you forget to run as root?
Certificate fingerprint: 88:7F:B2:88:15:20:0A:55:3F:DE:2A:36:2C:B1:52:50:F1:77:96:EA:79:75:A1:00:B9:D6:3E:0B:93:45:D8:1C
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certificate.
On the master:
  puppet cert clean wordpress
On the agent:
  1a. On most platforms: find /etc/puppetlabs/puppet/ssl -name wordpress.pem -delete
  1b. On Windows: del "\etc\puppetlabs\puppet\ssl\certs\wordpress.pem" /f
  2. puppet agent -t

Exiting; failed to retrieve certificate and waitforcert is disabled

The fix for this error is to clean the certificate on our Puppet Master before running the agent again, and then to sign the new certificate request, as follows:

[root@pe-puppet-master manifests]# puppet cert clean wordpress
Notice: Revoked certificate with serial 18
Notice: Removing file Puppet::SSL::Certificate wordpress at '/etc/puppetlabs/puppet/ssl/ca/signed/wordpress.pem'
Notice: Removing file Puppet::SSL::Certificate wordpress at '/etc/puppetlabs/puppet/ssl/certs/wordpress.pem'

Additionally, Puppet will not let us rerun the agent until we delete the certificate that was previously generated on the agent. The error message itself gives the command to remove it so that it can be regenerated on our agents: find /etc/puppetlabs/puppet/ssl -name <fqdn>.pem -delete. On most agents, it is actually safer to delete the entire SSL directory with rm -rf /etc/puppetlabs/puppet/ssl.

Deleting the SSL directory on the Puppet Master, however, deletes the entire certificate chain, including the CA, so every node then needs a new certificate. This problem was more difficult to resolve in older versions of Puppet; we can now resolve it by following the directions at https://puppet.com/docs/puppet/latest/ssl_regenerate_certificates.html. Make sure you delete the SSL directory on the agent, never on the master.
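The agent-side cleanup above is an rm -rf of a directory whose master-side twin holds the CA, which is exactly the mistake the previous paragraph warns about. The following script is an added example (it is not from the book or from Puppet itself) of a guarded version of that step: it refuses to delete a directory that contains a ca/ subdirectory, which is where the master keeps its CA (the puppet cert clean output above shows /etc/puppetlabs/puppet/ssl/ca/signed/), and only then removes the agent's SSL directory so that the next puppet agent -t generates a fresh key and request. The default path and the "directory must be named ssl" check are assumptions; adjust them if your ssldir is non-default.

```shell
#!/bin/sh
# Added example, not the book's or Puppet's own code: a guarded replacement for
# "rm -rf /etc/puppetlabs/puppet/ssl" on an agent. The guard relies on the fact
# that a Puppet master keeps its CA under $ssldir/ca, as the book's
# `puppet cert clean` output shows; an agent's ssldir has no ca/ directory.

# is_ca_dir DIR: succeeds (exit 0) when DIR contains a ca/ subdirectory,
# i.e. when it is a master/CA ssldir rather than an agent's.
is_ca_dir() {
    [ -d "$1/ca" ]
}

# reset_agent_ssl [SSLDIR]: delete an agent's ssldir so that the next
# `puppet agent -t` creates a new key and certificate request.
# Exit codes: 0 deleted, 1 refused because the directory holds a CA,
# 2 the path is missing or does not look like an ssldir.
reset_agent_ssl() {
    ssldir=${1:-/etc/puppetlabs/puppet/ssl}   # default path is an assumption
    if [ ! -d "$ssldir" ]; then
        echo "reset_agent_ssl: $ssldir is not a directory" >&2
        return 2
    fi
    # Assumed sanity check: only act on a directory literally named "ssl",
    # so a truncated path such as /etc/puppetlabs/puppet cannot be wiped.
    case "$ssldir" in
        */ssl|*/ssl/) ;;
        *) echo "reset_agent_ssl: refusing to delete $ssldir (not an ssl directory)" >&2
           return 2 ;;
    esac
    if is_ca_dir "$ssldir"; then
        echo "reset_agent_ssl: $ssldir contains ca/, this is the master;" \
             "use 'puppet cert clean <fqdn>' there instead" >&2
        return 1
    fi
    rm -rf "$ssldir"
    echo "reset_agent_ssl: removed $ssldir; now run 'puppet agent -t'"
    return 0
}

# Stand-alone use: sh reset_agent_ssl.sh --run [SSLDIR]
if [ "${1:-}" = "--run" ]; then
    reset_agent_ssl "$2"
fi
```

On the agent the script behaves like the book's rm -rf; on the master it exits with status 1 and leaves the chain in place, pointing back to puppet cert clean as the correct master-side action.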

Preventing this error is as simple as running puppet cert clean <nodename> on the Puppet Master, after decommissioning any node attached to the Puppet Master.
