Issue #19680 has been updated by Jason Barnett.
I ran into this error when I copied over the ssl directory from a puppet master v2.7.20. I then started to start from a clean slate and I still ran into some weird issues... Running through the commands below, I can repeat the problem. "puppet ca list --all" won't work until I run "puppet cert list --all"

    [22:18:26 CDT] root@puppet001 [/etc/puppet]# puppet ca generate puppetca --dns-alt-names puppetca.domain.com,mypuppettest
    Notice: Signed certificate request for ca
    Notice: Rebuilding inventory file
    Notice: puppetca has a waiting certificate request
    Notice: Signed certificate request for puppetca
    Notice: Removing file Puppet::SSL::CertificateRequest puppetca at '/etc/puppet/ssl/ca/requests/puppetca.pem'
    Notice: Removing file Puppet::SSL::CertificateRequest puppetca at '/etc/puppet/ssl/certificate_requests/puppetca.pem'
    "-----BEGIN CERTIFICATE-----\n[...]\n-----END CERTIFICATE-----\n"
    [22:18:49 CDT] root@puppet001 [/etc/puppet]# puppet ca list --all
    Error: system lib
    Error: Try 'puppet help ca list' for usage
    [22:18:54 CDT] root@puppet001 [/etc/puppet]# puppet cert list --all
    Notice: Signed certificate request for ca
    + "puppetca" (SHA256) 09:3D:1E:E4:2E:44:95:2F:3A:23:64:02:2C:0E:0E:CB:F3:A6:1B:EF:12:FE:FC:4D:55:A8:3E:6B:D7:17:00:EB (alt names: "DNS:mypuppettest", "DNS:puppetca", "DNS:puppetca.domain.com")
    [22:19:00 CDT] root@puppet001 [/etc/puppet]# puppet ca list --all
    + puppetca (SHA256) 09:3D:1E:E4:2E:44:95:2F:3A:23:64:02:2C:0E:0E:CB:F3:A6:1B:EF:12:FE:FC:4D:55:A8:3E:6B:D7:17:00:EB
    [22:19:03 CDT] root@puppet001 [/etc/puppet]# puppet --version
    3.2.3

----------------------------------------
Bug #19680: puppet ca list --all fails with "Error: The certificate retrieved from the master does not match the agent's private key."
https://projects.puppetlabs.com/issues/19680#change-96217

* Author: Deven Phillips
* Status: Investigating
* Priority: Normal
* Assignee: Andrew Parker
* Category: SSL
* Target version:
* Affected Puppet version: 3.1.0
* Keywords: ca cert certificate private_key mismatch
* Branch:
----------------------------------------
On my puppetmaster server (using Apache, PhusionPassenger, puppet 3.1.0-1 on Debian Squeeze), attempting to run "puppet ca list --all" fails with:

    Error: The certificate retrieved from the master does not match the agent's private key.
    Certificate fingerprint: [[REDACTED]]
    To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
    On the master:
      puppet cert clean [[REDACTED]]
    On the agent:
      rm -f /etc/puppet/ssl/certs/[[REDACTED]].pem
      puppet agent -t

    Error: Try 'puppet help ca list' for usage

I have used "openssl x509 -in /path/to/cert.pem -fingerprint -md5 -noout" to check the fingerprints on all certs and they DO match. Additionally, running "puppet cert list --all" works without issue.
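
Added example (not part of the original report and not Puppet's own code): the error quoted above concerns a certificate and a private key that do not belong together, and that pairing can be checked directly by comparing the public key embedded in the certificate with the public key derived from the private key. The function name, the file names and the throwaway key pair generated in the demo are constructed for illustration.

```shell
#!/bin/sh
# cert_matches_key CERT KEY
#   exit 0: the certificate's public key equals the private key's public key
#   exit 1: both files parse, but the keys differ (certificate/key mismatch)
#   exit 2: one of the files is missing or could not be parsed
# The body runs in a subshell, so its variables do not leak to the caller.
cert_matches_key() (
    # SubjectPublicKeyInfo (PEM) as stored inside the certificate
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 2
    # SubjectPublicKeyInfo (PEM) derived from the private key
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
)

# Demo on constructed input: a throwaway self-signed certificate with its
# own key, plus a second, unrelated key standing in for a stale key file.
demo() (
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=agent.example.test" \
        -keyout "$tmp/agent.key" -out "$tmp/agent.pem" 2>/dev/null || exit 2
    openssl genrsa -out "$tmp/other.key" 2048 2>/dev/null || exit 2

    for key in agent.key other.key; do
        if cert_matches_key "$tmp/agent.pem" "$tmp/$key"; then
            echo "agent.pem <-> $key: match"
        else
            echo "agent.pem <-> $key: MISMATCH"
        fi
    done
)

demo
```

Comparing the fingerprints of two copies of a certificate shows that the copies are identical; the check above is the one that ties a certificate to a specific private key file.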
