Puppet: Retrieved certificate does not match private key

Posted on August 7, 2010 by Matt

I’ve been playing around with puppet recently and while trying to start up a client and get it to talk to the server I ran into this error:

err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key

Apparently the root cause of this error is that the client’s ssl certificates have been messed up.

To fix it you have to remove all of the client’s ssl stuff – cd into the directory containing all the ssl info – /etc/puppet/ssl for me running a manual install of puppet 2.6 – and remove all files, in all sub-directories, apart from ‘ca/serial’, which should contain 0000.

Then on the server revoke the client’s ssl certificate using:

sudo pupetca --clean {client hostname}

Then restart the client, resign it on the server and you’re good to go!

This entry was posted in Virtualisation, Web Servers and tagged , . Bookmark the permalink.
  • Sanjiv Singh

    hi ,
    im facing the same problem , when tryied to run puppetd…..

    err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key

    and after that as per yr guide…

    $ puppetca –clean app-1288002665

    here , app-1288002665 is client certificate signed priorly….
    but ,

    still thr is same problen…..im showing U full trace….

    # puppetd –test –debug
    debug: Puppet::Type::User::ProviderLdap: true value when expecting false
    debug: Puppet::Type::User::ProviderUser_role_add: file rolemod does not exist
    debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
    debug: Puppet::Type::User::ProviderPw: file pw does not exist
    debug: Failed to load library ‘ldap’ for feature ‘ldap’
    debug: /File[/var/lib/puppet/log]: Autorequiring File[/var/lib/puppet]
    debug: /File[/var/lib/puppet/client_yaml]: Autorequiring File[/var/lib/puppet]
    debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring File[/etc/puppet/ssl/certs]
    debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring File[/etc/puppet/ssl]
    debug: /File[/etc/puppet/ssl/public_keys/app-1288002665.pem]: Autorequiring File[/etc/puppet/ssl/public_keys]
    debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
    debug: /File[/etc/puppet/namespaceauth.conf]: Autorequiring File[/etc/puppet]
    debug: /File[/var/lib/puppet/state/state.yaml]: Autorequiring File[/var/lib/puppet/state]
    debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ssl]
    debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
    debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
    debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/puppet/ssl]
    debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet]
    debug: /File[/var/lib/puppet/run]: Autorequiring File[/var/lib/puppet]
    debug: /File[/var/lib/puppet/state/graphs]: Autorequiring File[/var/lib/puppet/state]
    debug: /File[/var/lib/puppet/clientbucket]: Autorequiring File[/var/lib/puppet]
    debug: /File[/etc/puppet/ssl/certs/app-1288002665.pem]: Autorequiring File[/etc/puppet/ssl/certs]
    debug: /File[/etc/puppet/ssl/private_keys/app-1288002665.pem]: Autorequiring File[/etc/puppet/ssl/private_keys]
    debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/puppet/ssl]
    debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
    debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ssl]
    debug: /File[/etc/puppet/ssl/private_keys/app-1288002665.pem]: Changing mode
    debug: /File[/etc/puppet/ssl/private_keys/app-1288002665.pem]: 1 change(s)
    debug: /File[/etc/puppet/ssl/private_keys/app-1288002665.pem]/mode: mode changed ’640′ to ’600′
    debug: Time for triggering 1 events to edges: 8.79764556884766e-05
    debug: Finishing transaction 69882896755540 with 1 changes
    debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring File[/etc/puppet/ssl]
    debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
    debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
    debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ssl]
    debug: /File[/etc/puppet/ssl/certs/app-1288002665.pem]: Autorequiring File[/etc/puppet/ssl/certs]
    debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring File[/etc/puppet/ssl/certs]
    debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/puppet/ssl]
    debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ssl]
    debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet]
    debug: /File[/etc/puppet/namespaceauth.conf]: Autorequiring File[/etc/puppet]
    debug: /File[/etc/puppet/ssl/private_keys/app-1288002665.pem]: Autorequiring File[/etc/puppet/ssl/private_keys]
    debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
    debug: /File[/var/lib/puppet/run]: Autorequiring File[/var/lib/puppet]
    debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/puppet/ssl]
    debug: /File[/var/lib/puppet/log]: Autorequiring File[/var/lib/puppet]
    debug: /File[/etc/puppet/ssl/public_keys/app-1288002665.pem]: Autorequiring File[/etc/puppet/ssl/public_keys]
    debug: Finishing transaction 69882896182500 with 0 changes
    debug: Using cached certificate for ca
    debug: Using cached certificate for app-1288002665
    err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
    Exiting; failed to retrieve certificate and waitforcert is disabled

    :
    :

    • chetan patel

      my ssl certificate mismatch problem so help me

  • http://twitter.com/KosmikDebris Rob Berkes

    Thanks! Worked great for me, the directory for RHEL is /var/lib/puppet/ssl/ btw,

  • victor

    I also setup the puppet module to self restart the puppet service after puppet.conf is changed and it works great …

    but why do I get this error on puppet kick `hostname -f`

    I know this works on the on VM lab manager but broken on the new VM lab manager
    and the only difference that I suspect is causing this probelm is

    $ hostname
    puppet

    versus

    $ hostname -f
    puppet.lab.xxx.net

    so I’m going to edit hostname in /etc/sysconfig/network and reboot machine.

  • Mike

    I only had to clear the certs from /var/lib/puppet/ssl/certs on the box (centos) but didnt need to clean the puppet master which worked fine for me

  • Pingback: Instalação do Puppet no CentOS « GNU/Linux-BR.com

  • Lucas

    I got the same problem and it was solved after cleaning certifcates’ directory on both machines: master and client.

    • Chris

       This helped me. Thank you!

    • Cheenukar

      Yep, that helped (cleaning in both) and regenarting the new certs
      In the puppet master do this
      find $(puppet master –configprint ssldir) -name “$(puppet master –configprint certname).pem” -delete service puppet stop run puppet master –no-daemonize –verbose**** Press Ctl+Z  -  kill this when you see starting puppet version xxxx, then run the following service puppetmaster status service puppetmaster start service puppet start ps -ef | grep puppet puppetca –clean clienthostname

  • Sink99

    Should be 

    sudo puppetca –clean {client hostname}

  • Jurrit

    quick note for debian stable users if you want to start over: apt-get –purge remove puppet && rm -rf /etc/puppet && rm -rf /var/lib/puppet

  • Makhan628

    Hi guys I am having certificate errors; when I try to use “puppetca –clean hotname” I get this error message. I have also tried to delete the /var/lib/puppet/ssl folder on client but no results:
    Command #puppetca –clean clientname
    notice: Revoked certificate with serial # Inventory of signed certificates

    # SERIAL NOT_BEFORE NOT_AFTER SUBJECT
    Please help

  • http://tribily.com Walter Heck

    Pretty embarassed to say, but it might help others: I got this error when trying to run ‘puppetd -t’ as non-root user. Hope it can help others..

  • mk

    Is there any way to automate the process instead of a manual process of removing the certficates from the client & master.
    Thanks

  • Pingback: Technology And Software » Solving "Retrieved certificate does not match private key" | That Matt

  • Anonymous

    No effect.

    The Puppet certificate management system is a holy fucking nightmare to actually use. Puppet Labs should be utterly ashamed that it is so bad.

    • Chris

       Puppet’s functionality is great, but this is so true. I probably won’t use it again after this project.

  • Frederick

    Thanks, this worked for me.

  • http://twitter.com/luke_vidler Luke Vidler

    To do this on the Open Source version of Puppet:
    Server: puppet cert –clean {client hostname}
    Client: find /var/lib/puppet -type f -print0 |xargs -0r rm

  • Pingback: >_Puppet | >_Tutoriais GNU Linux