Hi,

I've been struggling with Puppet 3.3.0 in what appears to be a bug, so I'm hoping this post invites some assistance.

My setup is 100% stock standard default, with the exception of a single DNS entry (CNAME) of "puppet" which points to my master "adm6.....".

I've been running puppet 2.7.23 without any problems and decided to upgrade to the latest version. In order to test 3.3.0, I installed to new RHEL 6.4 boxes, added the puppetlabs-products repository and installed the latest puppet (3.3.0).

Everything appears to work until I sign a test client's key. Immediately after signing a client key, the puppetmaster (adm6.xx.xx.xx) decided that I need to clean its own client key.

[root@puppetmaster ~]#
[root@puppetmaster ~]#
[root@puppetmaster ~]# puppet ca list --all
+ adm6.xxx.xxx.xxx (SHA256) 9B:71:FB:A4:C2:06:F2:83:3E:40:55:CF:41:39:91:4F:F7:5C:45:8D:79:8E:D3:68:63:FD:B0:14:A6:AC:FE:59
bbushby-linux.xxx.xxx.xxx (SHA256) FF:11:53:FE:3C:85:75:33:2E:C0:8A:A1:00:BD:23:96:62:73:64:1F:8B:C8:5C:7D:65:7D:04:7F:8F:89:89:13
[root@puppetmaster ~]#
[root@puppetmaster ~]# puppet cert list
"bbushby-linux.xxx.xxx.xxx" (SHA256) FF:11:53:FE:3C:85:75:33:2E:C0:8A:A1:00:BD:23:96:62:73:64:1F:8B:C8:5C:7D:65:7D:04:7F:8F:89:89:13
[root@puppetmaster ~]#
[root@puppetmaster ~]# puppet cert sign bbushby-linux.xxx.xxx.xxx
Notice: Signed certificate request for bbushby-linux.xxx.xxx.xxx
Notice: Removing file Puppet::SSL::CertificateRequest bbushby-linux.xxx.xxx.xxx at '/var/lib/puppet/ssl/ca/requests/bbushby-linux.xxx.xxx.xxx.pem'
[root@puppetmaster ~]#
[root@puppetmaster ~]# puppet cert list -all
+ "adm6.xxx.xxx.xxx" (SHA256) 9B:71:FB:A4:C2:06:F2:83:3E:40:55:CF:41:39:91:4F:F7:5C:45:8D:79:8E:D3:68:63:FD:B0:14:A6:AC:FE:59 (alt names: "DNS:xxx.xxx.xxx.xxx", "DNS:puppet", "DNS:puppet.xxx.xxx.xxx")
+ "bbushby-linux.xxx.xxx.xxx" (SHA256) B5:B7:2D:44:52:07:CA:DC:5C:99:3A:AC:24:29:85:A6:88:E9:0C:3B:54:30:71:4D:D0:FC:DC:3A:D5:E8:E2:52
[root@puppetmaster ~]#
[root@puppetmaster ~]# puppet ca list --all
Error: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: B5:B7:2D:44:52:07:CA:DC:5C:99:3A:AC:24:29:85:A6:88:E9:0C:3B:54:30:71:4D:D0:FC:DC:3A:D5:E8:E2:52
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
On the master:
  puppet cert clean adm6.xxx.xxx.xxx
On the agent:
  rm -f /var/lib/puppet/ssl/certs/adm6.xxx.xxx.xxx.pem
  puppet agent -t

Error: Try 'puppet help ca list' for usage
[root@puppetmaster ~]#

I have tried so many different setups, fresh OS installs, all of it, and I am unable to sign a key and then run "puppet ca list --all".

Anybody else have this issue?

Both my machines are RHEL 6.4
Both have ntp and correct UTC time
Both have exact same versions of rpms (puppetmaster has an extra rpm "puppet-server")

I then dropped my puppet and puppet-server versions down to 3.2.4 ... same problem (now I'm wondering if it is a bug, since it's happening across versions).

These people appear to experience similar problems:

http://www.mail-archive.com/puppet-bugs@googlegroups.com/msg46757.html
http://projects.puppetlabs.com/issues/19680
http://comments.gmane.org/gmane.comp.sysutils.puppet.user/46356
http://thr3ads.net/puppet-users/2012/12/2238067-puppet-ca-list-all-ERROR
http://thr3ads.net/puppet-users/2007/10/186450-puppetca-is-unable-to-sign-certificate

Any ideas?

Thanks
Bruce
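
The error in the post reports that a retrieved certificate does not belong to the local private key, and the fingerprint it prints (B5:B7:...) is the one the listing shows for the newly signed bbushby-linux certificate rather than the 9B:71:... shown for adm6. The Ruby below is an added example, not part of the original post and not Puppet's own code: it reproduces that kind of key-to-certificate comparison so you can tell which certificate a given key actually belongs to. The host names, the throwaway CA and the helper names are constructed, and the fingerprint format is assumed to correspond to the SHA256 values in the listing.

```ruby
require 'openssl'

# SHA256 over the certificate's DER bytes, colon-separated like the listing in the post.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# The comparison behind the error: does this certificate carry the public
# half of this private key?
def cert_matches_key?(cert, key)
  cert.check_private_key(key)
end

# Constructed helper: issue a short-lived certificate for cn. With no issuer
# given, the certificate is self-signed (used for the throwaway CA).
def issue(cn, key, serial, issuer_cert = nil, issuer_key = key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed sample data: a CA plus one master and one agent, all in memory.
def build_demo
  ca_key, master_key, agent_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  ca = issue('Constructed Test CA', ca_key, 1)
  { master_key: master_key,
    master_cert: issue('master.example.test', master_key, 2, ca, ca_key),
    agent_cert: issue('agent.example.test', agent_key, 3, ca, ca_key) }
end

demo = build_demo
{ master_cert: 'own certificate', agent_cert: "agent's certificate" }.each do |name, label|
  cert = demo[name]
  verdict = cert_matches_key?(cert, demo[:master_key]) ? 'matches' : 'DOES NOT match'
  puts "master key vs #{label}: #{verdict}"
  puts "  subject=#{cert.subject} fingerprint=#{fingerprint(cert)}"
end
```

To run the same comparison on real PEM files, load them with `OpenSSL::X509::Certificate.new(File.read(path))` and `OpenSSL::PKey.read(File.read(path))` and pass the results to `cert_matches_key?`.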