Puppet - Resolve "The certificate retrieved from the master does not match the agent's private key"

by Jeremy Canfield | Updated: September 19 2023 | Puppet articles
This error appears when running the puppet agent -t command on a Puppet Agent. In this example, let's say the hostname of the Puppet Agent is host1.
[john.doe@server1 ~]# puppet agent -t
Error: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: A1:B2:C3:D4:E5:F6:A1:B2:C3:D4:E5:F6:A1:B2:C3:D4:E5:F6:A1:B2:C3:D4:E5:F6:
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certificate.
On the master:
puppet cert clean host1
On the agent:
1a. On most platforms: find /home/john.doe/.puppetlabs/etc/puppet/ssl -name host1.pem -delete
1b. On Windows: del "\home\john.doe\.puppetlabs\etc\puppet\ssl\certs\host1.pem" /f
2. puppet agent -t
Exiting; failed to retrieve certificate and waitforcert is disabled
On the Puppet Master, the certificates are located at /etc/puppetlabs/puppet/ssl/ca/signed/example.pem and /etc/puppetlabs/puppet/ssl/certs/example.pem. Remove these two certificates from the Puppet Master.
[john.doe@server1 ~]# puppet cert clean host1
Notice: Removing file Puppet::SSL:Certificate host1 at '/etc/puppetlabs/puppet/ssl/ca/signed/example.pem'
Notice: Removing file Puppet::SSL::Certificate host1 at '/etc/puppetlabs/puppet/ssl/certs/example.pem'
On the Puppet Agent, the certificate is located at /etc/puppetlabs/puppet/ssl/certs/example.pem. Remove this certificate.
[john.doe@server1 ~]# sudo rm /etc/puppetlabs/puppet/ssl/certs/host1.pem
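Before deleting anything on the agent, the mismatch itself can be confirmed with openssl by comparing the public key in the certificate with the one derived from the private key. This is an added example, not part of the original article; the private key path under ssl/private_keys is an assumption based on the standard ssldir layout, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: confirm the mismatch reported by "puppet agent -t".
# Compares the public key embedded in the certificate with the public key
# derived from the agent's private key.
#
# Assumed paths (the key path is not stated in the article):
#   cert: /etc/puppetlabs/puppet/ssl/certs/host1.pem
#   key:  /etc/puppetlabs/puppet/ssl/private_keys/host1.pem

# Returns 0 if cert and key belong together, 1 if they do not,
# 2 if either file is unreadable or cannot be parsed.
cert_matches_key() {
    cert=$1
    key=$2
    [ -r "$cert" ] && [ -r "$key" ] || return 2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    # Guard against empty output so two parse failures never compare equal.
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Prints a verdict; on mismatch also prints the certificate's SHA-256
# fingerprint for comparison with the one shown in the agent error.
report_cert_state() {
    rc=0
    cert_matches_key "$1" "$2" || rc=$?
    case $rc in
        0) echo "MATCH: certificate belongs to this private key" ;;
        1) echo "MISMATCH: clean the certificate on master and agent"
           openssl x509 -in "$1" -noout -fingerprint -sha256 ;;
        *) echo "ERROR: cannot read or parse $1 or $2" ;;
    esac
    return "$rc"
}

# Runs only when called with two arguments: <cert.pem> <private_key.pem>
if [ "$#" -eq 2 ]; then
    report_cert_state "$1" "$2"
fi
```

A MATCH result means the stale certificate is on the master side only, so removing the agent's copy of the private key is not needed.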