Puppet Error with Receiving Certificate Between Local Agent and Puppet Master

Mindwatering Incorporated

Author: Tripp W Black

Created: 04/02/2021 at 12:28 PM

 

Category:
General Web Tips
Other

Error:
Exiting; failed to retrieve certificate and waitforcert is disabled
Could not request certificate: The certificate retrieved from the master does not match the agent's private key. Did you forget to run as root?


Possible Solutions:
1. Did sudo promotion fail for the system ID being used? This is the obvious "did you forget to run as root" case.

2. Was a previous machine already provisioned with that same hostname?
e.g. This is similar to the SSH client issue with a server that was swing-upgraded from RHAT 6 to RHAT 7, where the new VM has a new key but the same IP and address as the previous VM.
For this error, manually remove the botched/old cert from the client agent and from the puppet master's agent node list.

3a. Bad configuration or DNS for the puppet master: the [master] and [agent] domain entries in puppet.conf don't match the environment's DNS. Was the VM moved to a new domain?

3b. A variation of 3a, where firstboot.sh doesn't properly set up the puppet.conf agent settings. Did the script fail to run? What is in /var/log/messages, etc.?
Causes could be LDAP and AD issues.
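
Before removing anything, the condition named in the error can be checked directly by comparing the public key inside the certificate with the one derived from the private key. The script below is an added example, not part of the original tip; it assumes the openssl CLI is installed, the function names pair_status and make_sample are hypothetical, and the key and cert it generates with no arguments are constructed test material.

```shell
#!/bin/sh
# Added example (not from the original page): does a certificate belong to a
# given private key? Requires the openssl CLI. Function names are hypothetical.

# pair_status CERT KEY
# Prints match | mismatch | unreadable; returns 0, 1 or 2 respectively.
pair_status() {
    # Public key embedded in the certificate (SubjectPublicKeyInfo, PEM).
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) ||
        { echo unreadable; return 2; }
    # Public key derived from the private key, in the same encoding.
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ||
        { echo unreadable; return 2; }
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo match
    else
        echo mismatch
        return 1
    fi
}

# make_sample DIR
# Builds CONSTRUCTED test material (not real Puppet files): cert.pem issued for
# old_key.pem, plus new_key.pem standing in for a re-provisioned VM's fresh key.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vmhostname" \
        -keyout "$1/old_key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl genrsa -out "$1/new_key.pem" 2048 2>/dev/null
}

if [ "$#" -eq 2 ]; then
    # Check real files, e.g. the agent cert and key for one certname.
    pair_status "$1" "$2"
else
    # No arguments: demonstrate on constructed material in a temp directory.
    tmp=$(mktemp -d) && make_sample "$tmp"
    echo "cert vs original key:       $(pair_status "$tmp/cert.pem" "$tmp/old_key.pem")"
    echo "cert vs re-provisioned key: $(pair_status "$tmp/cert.pem" "$tmp/new_key.pem")"
    rm -rf "$tmp"
fi
```

On a node, run it as root with /etc/puppetlabs/puppet/ssl/certs/vmhostname.pem and the matching file under ssl/private_keys/ (the default Puppet layout, assumed here). A "mismatch" result corresponds to cause 2 above.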

Commands to reset/remove/replace certs between

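Puppet Master Removal of Node (VM) Hostname:
$ sudo puppet cert clean "vmhostname"

Puppet Agent Cert Removal on VM Node:
# Cert files are named after the node's certname with a .pem extension.
$ sudo rm -f /etc/puppetlabs/puppet/ssl/certs/vmhostname.pem
$ sudo find /var/lib/puppet -name vmhostname.pem -delete
# Run the agent as root so it uses the system SSL directory and key.
$ sudo puppet agent -t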


To Re-add a VM Hostname to Master:
$ sudo puppet cert --list
$ sudo puppet cert --sign "vmhostname"
Back on the VM node:
$ sudo puppet agent -t


To manually update the puppet.conf (instead of firstboot.sh):
$ cd /etc/puppetlabs/puppet/
$ sudo vi puppet.conf
[master]
certname=vmpuppetmaster.mindwatering.net
[agent]
certname=vmhostname.mindwatering.net


