Sometimes, we spin up a new node by using a cert name previously known to the Puppet Master, especially in immutable infrastructures. Our Puppet infrastructure is designed with certificate security in mind, so having a new node with a name already known by the Puppet Master will present a message like the following:
[root@wordpress puppet]# puppet agent -t
Error: Could not request certificate: The certificate retrieved from the master does not match the agent's private key. Did you forget to run as root?
Certificate fingerprint: 88:7F:B2:88:15:20:0A:55:3F:DE:2A:36:2C:B1:52:50:F1:77:96:EA:79:75:A1:00:B9:D6:3E:0B:93:45:D8:1C
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certificate.
On the master:
puppet cert clean wordpress
On the agent:
1a. On most platforms: find /etc/puppetlabs/puppet/ssl -name wordpress.pem -delete
1b. On Windows: del "\etc\puppetlabs\puppet\ssl\certs\wordpress.pem" /f
2. puppet agent -t
Exiting; failed to retrieve certificate and waitforcert is disabled
The fix for this error is to clean the certificate on our Puppet Master before running the agent again, and then sign the certificate again, as follows:
[root@pe-puppet-master manifests]# puppet cert clean wordpress
Notice: Revoked certificate with serial 18
Notice: Removing file Puppet::SSL::Certificate wordpress at '/etc/puppetlabs/puppet/ssl/ca/signed/wordpress.pem'
Notice: Removing file Puppet::SSL::Certificate wordpress at '/etc/puppetlabs/puppet/ssl/certs/wordpress.pem'
Additionally, Puppet will not let us rerun the agent until we delete the certificate it recently stored on the agent. The error message itself gives the best command to remove that certificate so it can be regenerated on our agents: find /etc/puppetlabs/puppet/ssl -name <fqdn>.pem -delete. On most agents, it is actually safer to delete the entire SSL directory with rm -rf /etc/puppetlabs/puppet/ssl.
Preventing this error is as simple as running puppet cert clean <nodename> on the Puppet Master, after decommissioning any node attached to the Puppet Master.
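As an added example (not from the original post, and not Puppet's own tooling): a shell check to run on an agent before puppet agent -t that detects the exact condition behind the error, a certificate in certs/<certname>.pem whose public key no longer matches private_keys/<certname>.pem. It assumes openssl is on PATH and the default ssldir layout; make_demo_ssldir and simulate_rebuild build a constructed, throwaway ssldir so the check can be exercised without a master.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Assumes openssl is on PATH and the
# default ssldir layout (private_keys/<certname>.pem, certs/<certname>.pem).
set -u
set -o pipefail 2>/dev/null || true   # a failing openssl stage should fail the whole pipeline
# Return 0 when the public key inside certs/<certname>.pem equals the one derived
# from private_keys/<certname>.pem, 1 when they differ (the "does not match the
# agent's private key" case), 2 when either file is missing or unparseable.
puppet_key_matches_cert() {
  local ssldir="${1:-/etc/puppetlabs/puppet/ssl}"
  local certname="${2:-$(hostname -f 2>/dev/null)}"
  local key="$ssldir/private_keys/$certname.pem"
  local cert="$ssldir/certs/$certname.pem"
  { [ -r "$key" ] && [ -r "$cert" ]; } || return 2
  local key_pub cert_pub
  key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl sha256) || return 2
  cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null \
             | openssl pkey -pubin -pubout -outform DER 2>/dev/null | openssl sha256) || return 2
  [ "$key_pub" = "$cert_pub" ]
}
# Build a constructed, throwaway ssldir holding a matching key/cert pair for the
# certname "wordpress" (self-signed only so the demo runs offline, without a master).
make_demo_ssldir() {
  local dir
  dir=$(mktemp -d)
  mkdir -p "$dir/private_keys" "$dir/certs"
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=wordpress" -days 1 \
    -keyout "$dir/private_keys/wordpress.pem" -out "$dir/certs/wordpress.pem" >/dev/null 2>&1
  printf '%s\n' "$dir"
}
# Reproduce the rebuilt-node situation from the post: a fresh private key under the
# old certname, while the certificate on disk (as on the master) belongs to the old key.
simulate_rebuild() {
  openssl genrsa -out "$1/private_keys/wordpress.pem" 2048 >/dev/null 2>&1
}
# Stand-alone use on an agent: ./check.sh --check
if [ "${1:-}" = "--check" ]; then
  puppet_key_matches_cert && { echo "key and certificate match; safe to run puppet agent -t"; exit 0; }
  rc=$?
  if [ "$rc" -eq 1 ]; then
    echo "mismatch: run 'puppet cert clean <certname>' on the master, then"
    echo "'rm -rf /etc/puppetlabs/puppet/ssl' here and 'puppet agent -t' to request a new cert"
  else
    echo "no readable key/cert pair for this certname in the ssldir; nothing to compare"
  fi
  exit "$rc"
fi
```

Because rm -rf on the ssldir also removes the private key, the next agent run generates a fresh key and CSR, which the master must then sign (or autosign).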