Running puppet agent on client of Red Hat Satellite 6 fails with: Error: The certificate retrieved from the master does not match the agent's private key

Solution Verified - Updated

Environment

  • Red Hat Satellite 6
  • Red Hat Enterprise Linux Server 8, 7

Issue

  • When running puppet agent -tv the following error is found:
    The certificate retrieved from the master does not match the agent's private key

Resolution

  • In the Satellite WEBUI, go to Infrastructure > Capsules > Certificates (puppet master)
    - click accept and delete the cert of the affected puppet_agent.fqdn

For puppet 4 or puppet 5

  • On Satellite Command Prompt, please run this command:
# puppet cert clean puppet_agent.fqdn

then verify that the host does not show up:

# puppet cert list --all

For puppet 6+:

  • On Satellite Command Prompt, please run these commands:
# puppetserver ca list --all | grep puppet_agent.fqdn
# puppetserver ca clean --certname puppet_agent.fqdn

then verify that the host does not show up:

# puppetserver ca list --all | grep puppet_agent.fqdn

Next, on the client, puppet_agent.fqdn:

  • Run the following command for RHEL 7:

    # rm -rf /etc/puppetlabs/puppet/ssl/*

    and for RHEL 8:

    # rm -rf /opt/puppetlabs/puppet/cache/ssl/* /etc/puppetlabs/puppet/ssl/*

  • Make sure that:

    • Satellite 6 and the client "puppet_agent.fqdn" have the correct date/time and are in sync
    • The /etc/puppetlabs/puppet/puppet.conf on the client has only the field below:
      server = satellite.example.com
      Comment out the other fields, then run the command again:
# puppet agent -tv
  • Go to the Satellite WEBUI > Infrastructure > Capsules > Certificates(puppet master)
    - sign the cert of puppet_agent.fqdn
    or go to the Satellite console:
# puppet cert --list
# puppet cert sign "TheHostname"
  • Then go back to the client and run this command again:
# puppet agent -tv
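
To confirm on the client that the cached certificate really does not belong to the local private key before removing the ssl directory, the public keys of the two files can be compared with openssl. This is an added example, not part of the original article; the function names are hypothetical, and the certs/ and private_keys/ subdirectories under the ssl directory are assumed from the standard Puppet layout.

```shell
#!/bin/sh
# Added example, not from the article. The certs/ and private_keys/
# subdirectories of the ssl directory are assumed (standard Puppet layout).

# cert_matches_key CERT KEY
# 0 = the certificate carries the key's public half, 1 = mismatch,
# 2 = a file is missing or cannot be parsed.
cert_matches_key() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_sample DIR NAME: constructed test data, a throwaway RSA key and a
# self-signed certificate for it (stands in for a CA-signed agent cert).
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key.pem" -out "$1/$2.cert.pem" 2>/dev/null
}

# check_agent CERTNAME [SSLDIR]: report on a real agent's files.
check_agent() {
    ssldir=${2:-/etc/puppetlabs/puppet/ssl}
    rc=0
    cert_matches_key "$ssldir/certs/$1.pem" "$ssldir/private_keys/$1.pem" || rc=$?
    case $rc in
        0) echo "$1: certificate matches private key" ;;
        1) echo "$1: MISMATCH, clean the cert on the CA and re-request" ;;
        *) echo "$1: certificate or key missing/unreadable in $ssldir" ;;
    esac
    return "$rc"
}

# demo: an old certificate checked against its own key and against a new key.
demo() {
    tmp=$(mktemp -d) || return 2
    make_sample "$tmp" agent && make_sample "$tmp" rekeyed
    cert_matches_key "$tmp/agent.cert.pem" "$tmp/agent.key.pem" &&
        echo "same pair: match"
    cert_matches_key "$tmp/agent.cert.pem" "$tmp/rekeyed.key.pem" ||
        echo "old cert, new key: mismatch"
    rm -rf "$tmp"
}

if [ $# -gt 0 ]; then check_agent "$@"; else demo; fi
```

Run it with the agent's certname as the first argument (and optionally the ssl directory as the second); with no arguments it runs against generated sample files only.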

For more KB articles/solutions related to Red Hat Satellite 6.x Puppet Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Puppet Issues

Diagnostic Steps

  • Go to the Satellite WEBUI > Hosts > All hosts > click system "rhel_client.fqdn"

    • click accept and delete the cert
  • On Satellite Command Prompt, please run this command:

    # puppet cert clean rhel_client.fqdn

    then verify that the host does not show up:

    # puppet cert list --all
  • On the client, rhel_client.fqdn:
    # rm -rf /var/lib/puppet/ssl
  • Make sure that Satellite 6 and the client "rhel_client.fqdn" have the correct date/time and are in sync, then run the command again:
    # puppet agent -tv
  • Go to the Satellite WEBUI > Hosts > All hosts > click system "rhel_client.fqdn"
    • sign the cert
      or go to the Satellite console:
      # puppet cert --list
      # puppet cert sign "TheHostname"
  • Then go back to the client and run this command again:
    # puppet agent -tv -o

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.