[root@puppetdb ssl]# pwd /etc/puppetdb/ssl [root@puppetdb ssl]# cat puppetdb_keystore_pw.txt OT4*******************whT [root@puppetdb ssl]# keytool -list -keystore keystore.jks Enter keystore password: Keystore type: JKS Keystore provider: SUN Your keystore contains 1 entry puppetdb.local, May 10, 2013, PrivateKeyEntry, Certificate fingerprint (MD5): 8A:70:DE:20:C1:4E:25:86:09:B0:EA:05:51:84:0E:D4 [root@puppetdb ssl]# keytool -list -keystore truststore.jks Enter keystore password: Keystore type: JKS Keystore provider: SUN Your keystore contains 1 entry puppetdb ca, May 10, 2013, trustedCertEntry, Certificate fingerprint (MD5): E4:89:E7:73:91:BB:7B:A8:3C:9B:6C:3C:22:EE:F2:FF [root@puppetdb ssl]# puppet cert fingerprint --all --digest=md5 Error: The certificate retrieved from the master does not match the agent's private key. Certificate fingerprint: 87:CF:8B:31:71:4F:1E:AF:AE:5A:FE:59:44:80:EE:04:61:54:85:30:00:0B:93:27:6B:FF:17:04:54:80:C2:12 To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate. 
On the master: puppet cert clean puppetdb.local On the agent: rm -f /etc/puppet/ssl/certs/puppetdb.local.pem puppet agent -t [root@puppetdb ssl]# find /etc/puppet/ssl/ -iname "*puppetdb*" -delete [root@puppetdb ssl]# # On puppet master: puppet cert clean puppetdb.local [root@puppetdb ssl]# puppet agent -t Info: Creating a new SSL key for puppetdb.local Info: Creating a new SSL certificate request for puppetdb.local Info: Certificate Request fingerprint (SHA256): FC:0C:BE:B5:D0:DE:82:A2:66:1C:A7:69:CD:5A:48:7E:1B:C7:05:DC:88:FA:C2:E1:51:B2:B5:67:F4:AA:C5:00 Exiting; no certificate found and waitforcert is disabled [root@puppetdb ssl]# # On puppet master: sign [root@puppetdb ssl]# puppet agent -t Info: Caching certificate for puppetdb.local Info: Retrieving plugin Info: Loading facts in /var/lib/puppet/lib/facter/pe_version.rb Info: Loading facts in /var/lib/puppet/lib/facter/root_home.rb Info: Loading facts in /var/lib/puppet/lib/facter/puppet_vardir.rb Info: Caching catalog for puppetdb.local Info: Applying configuration version '1368603115' Notice: Finished catalog run in 8.91 seconds [root@puppetdb ssl]# puppet cert fingerprint --all --digest=md5 Error: The certificate retrieved from the master does not match the agent's private key. Certificate fingerprint: 87:CF:8B:31:71:4F:1E:AF:AE:5A:FE:59:44:80:EE:04:61:54:85:30:00:0B:93:27:6B:FF:17:04:54:80:C2:12 To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate. 
On the master: puppet cert clean puppetdb.local On the agent: rm -f /etc/puppet/ssl/certs/puppetdb.local.pem puppet agent -t [root@puppetdb ssl]# facter fqdn puppetdb.local [root@puppetdb ssl]# puppet master --configprint hostcert /etc/puppet/ssl/certs/puppetdb.local.pem # ON PUPPET MASTER (gaia.local => puppet.local) [root@gaia ~]# cat /etc/puppet/puppetdb.conf [main] server = puppetdb.local port = 8081 [root@puppetdb ssl]# echo "GET /" | openssl s_client -connect puppetdb.local:8081 -cert `puppet master --configprint hostcert` -key `puppet master --configprint hostprivkey` -CAfile `puppet master --configprint cacert` CONNECTED(00000003) depth=1 CN = Puppet CA: puppet.local verify return:1 depth=0 CN = puppetdb.local verify return:1 --- Certificate chain 0 s:/CN=puppetdb.local i:/CN=Puppet CA: puppet.local --- Server certificate -----BEGIN CERTIFICATE----- MII 3zCCA0igAwI AgIBHDANBgkqhk G9w0BAQsFADA MScwJQYDV QDDB5QdXBw ZXQ Q0E6IHB1cHB dC5rYWh1bmEubG jYWwwHhcNMTM NTA5MDcxO MyWhcNMTgw NTA MDcxODMyWjA MR4wHAYDVQQDDB wdXBwZXRkYi5 YWh1bmEub 9jYWwwggIi < edited MA0 CSqGSIb3DQE AQUAA4ICDwAwgg KAoICAQC6BUr BnY+n/6Xn 5U9u8zbm8Z D5y pfVoZzVzKi4 gjX4e0ICNVoZu2 eggxyULmHCQC dnMUIh9MZ W2M6pwMOR3 D5g tH5vjsDMaTG +Lz8DJtHTMJ9oo WpbJeH7Umimj UBE83tich PDIgSU19l9 YAy j8xwID4wYHE 16uH2Q7S8BNTA7 NNfQF999fhF4 OvQnNSDfH 9Vd6Xd4bFp Doc ixN8G5vL8mR 9V+yq0s6U/w7Fm 2TiOziOnbTnv Q/Sq9d6v/ SYMFcnUTaS Luh BOxSnK0T84I 4TUkDnEV/W/10R 7HDijKvRMHpq tW52kq0hG UWcSSCGt3M boR P3ba1HdFEGI 7xX3tmbZZnsgsW A2XZBrIUSSXE mJWsgdT6t XTOdhWmSWY XTb 6ktXMOrSwrw /igfQ8IBPSxluK V5Jx49Ofz/s+ UTMwWNjoa q3vTmaV6Cc SLG iMipVkqmqG3 plxi9gIVhS9iob mW14SIVeSi1w sg+CJDhKb RPY/DrqI4H Sxw Vd75jMtmb8p hnTb7SriwGvF9l jFRE5ovbJ1wR PUokKOfaE eraBCxD+Cq FH/ KeNi4/9FsPG VA0CtHGgrjpWtW VceBKM69k+OY 6SnoDcHDR F7WNehxBmE iJ+ 6QzUqPmr9V3 1wIDAQABo4GbMI YMCAGA1UdJQE /wQWMBQGC sGAQUFBwMB Bgg BgEFBQcDAjA BglghkgBhvhCAQ EKhYoUHVwcGV IFJ1YnkvT BlblNTTCBJ bnR cm5hbCBDZXJ aWZpY2F0ZTAMBg VHRMBAf8EAjA MB0GA1UdD QWBBRaLhVO xJa 
dB6WQhf3oJB Nz093zAOBgNVHQ BAf8EBAMCBaA DQYJKoZIh cNAQELBQAD gYE M0Hc5n+y+Hb 8XUr7YWrZSBQpE h1Jn2tgODl/W 8chHuVnhE uSoxoUrPJo 0Fc 0NmTn7IgLrT fWTFDMKLwcUoK8 59PsLMlGExhe cGvN+mTSD JvKtdjP9rx tga HCW6LyTrfvR Fxox+KLhS1SYi3 onsTRB1nvQlj e4s= -----END CERTIFICATE----- subject=/CN=puppetdb.local issuer=/CN=Puppet CA: puppet.local --- Acceptable client certificate CA names /CN=Puppet CA: puppet.local --- SSL handshake has read 2020 bytes and written 2397 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 4096 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: 51933F14DE49680F060599B58A92CDA729BBCE7C1B0DA4E15E499CFFAC9AB8EB Session-ID-ctx: Master-Key: D307255C234FFE464A84C3906469EA19BA22F30CB949DDC6C440EEB75B7C24A1D9F2E737A91918AD7A4D0E0EA7BD3C62 Key-Arg : None Krb5 Principal: None PSK identity: None PSK identity hint: None Start Time: 1368604436 Timeout : 300 (sec) Verify return code: 0 (ok) --- DONE [root@puppetdb ssl]# exit