Puppet agent certificate verify failure

I have a Puppet Master/Agent set up, and have successfully signed the certificate for the agent on the master. However, when I run puppet agent --test I get a failure that looks like this:

Warning: Unable to fetch my node definition, but the agent run will continue:  
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=hostname.domain.com]  
Info: Retrieving plugin  
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=hostname.domain.com]  
Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=hostname.domain.com] Could not retrieve file metadata for puppet://hostname.domain.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=hostname.domain.com]  
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=hostname.domain.com]  
Warning: Not using cache on failed catalog   
Error: Could not retrieve catalog; skipping run  
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=hostname.domain.com]  

hostname.domain.com is the master.

How do I fix this? I've made sure that both clocks are at the correct time in the same time zone, and I've deleted everything in the agent's /var/lib/puppet/ssl directory and re-signed; I don't know what else to do.


Re-create the entire client certificate setup. This has always fixed any cert issues we have experienced in the past. The following instructions assume your agent's hostname is agenthost.domain.com.

On the client, delete all stored certs, including the CA:

find /var/lib/puppet/ssl -name '*.pem' -delete

On the master, delete any pending CSRs or old client certificates for this client:

find /var/lib/puppet/ssl -name agenthost.domain.com.pem -delete

Then, on the client, reconnect to the master and send a CSR:

puppet agent -t --waitforcert=60

and while it is waiting (if you have not enabled autosigning), approve the CSR on the master so a new client cert is sent back:

puppet cert sign agenthost.domain.com

This should make the agent re-download the puppet CA certificates, and re-apply for its own certificate.

We had to use this procedure in the past when we changed puppet servers and the CA certs changed, or when we rebuilt a host with the same hostname.

Make sure your agent knows its real fully-qualified hostname; use the 'hostname' command to ensure that it is what you expect it to be.


I have a similar problem. I have set up a vagrant environment with one puppetmaster and several clients. The problem is that when I destroy and re-create the puppetmaster, the clients detect the new puppetmaster as an impostor.

Deleting /etc/puppet/ssl on the client solves the problem.

Remember that your SSL configuration will be cached, so a restart of the puppet master is required if you also decide to delete /etc/puppet/ssl on that host:

sudo /etc/init.d/puppetmaster restart
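A check that complements both answers above, added here and not taken from the thread: before wiping the agent's ssl directory, compare the SHA-256 fingerprint of the CA certificate the agent has cached with the master's CA, which is exactly what changes when the puppetmaster is rebuilt. It assumes the CA lives at ssl/certs/ca.pem under the ssl directory named in the answers (a standard-layout assumption, not stated on the page), and the two sample PEM bodies are constructed bytes, not real certificates.

```python
"""Compare the CA certificate cached by a Puppet agent with the master's CA.
Stdlib-only equivalent of running
  openssl x509 -noout -fingerprint -sha256 -in /var/lib/puppet/ssl/certs/ca.pem
on both hosts and comparing the two lines of output (path is an assumption)."""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in pem_text."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())  # drop line wrapping of any width
    return base64.b64decode(body, validate=True)


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes as PEM with 64-column lines (used to build the samples)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)


def fingerprint_sha256(pem_text: str) -> str:
    """SHA-256 fingerprint in openssl's AA:BB:... form, computed over the DER."""
    digest = hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def ca_matches(agent_ca_pem: str, master_ca_pem: str) -> bool:
    """True when the agent's cached CA is byte-identical to the master's CA."""
    return pem_to_der(agent_ca_pem) == pem_to_der(master_ca_pem)


# Constructed sample inputs: the payloads are arbitrary bytes, not real X.509 DER.
OLD_MASTER_CA = der_to_pem(b"constructed DER of the original puppetmaster CA")
NEW_MASTER_CA = der_to_pem(b"constructed DER of the rebuilt puppetmaster CA")

if __name__ == "__main__":
    # A rebuilt master gets a new CA, so the agent's cached copy no longer
    # matches and every TLS connection fails with "certificate verify failed".
    print("agent CA :", fingerprint_sha256(OLD_MASTER_CA))
    print("master CA:", fingerprint_sha256(NEW_MASTER_CA))
    print("match    :", ca_matches(OLD_MASTER_CA, NEW_MASTER_CA))
```

On real hosts, read the agent's ca.pem and a copy of the master's ca.pem into the two strings; a mismatch confirms the cached CA is stale and the re-certification steps above are the fix, while a match points elsewhere (clock skew or a wrong certname).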