
I want to play around with Puppet, so I set up a small test environment consisting of 4 VMs:

  • pfSense: Router
  • Windows Server 2012 R2: DNS, DHCP
  • Ubuntu Server 16.04: Puppetmaster
  • Ubuntu Server 16.04: Puppet agent

DNS is set up correctly; it answers all forward and reverse lookups correctly.

Here is the set of commands I executed on both of the Ubuntu VMs (base configuration):

sudo dpkg-reconfigure keyboard-configuration
sudo apt-get install -y vim openssh-server ntp
sudo dpkg-reconfigure tzdata

sudo vi /etc/hostname   # set to puppet / puppetclient
sudo reboot now

wget https://apt.puppetlabs.com/puppetlabs-release-pc1-xenial.deb
sudo dpkg -i puppetlabs-release-pc1-xenial.deb
sudo apt-get update

And then on the master:

sudo apt-get -y install puppetserver
sudo /opt/puppetlabs/bin/puppet resource service puppetserver ensure=running enable=true
sudo service puppetserver restart

The puppetserver service is running nicely (after assigning 6GB of RAM to the VM ;))

On the client:

sudo apt-get install puppet-agent
sudo /opt/puppetlabs/bin/puppet resource service puppet ensure=running enable=true

On the client, I then do a:

puppet agent --server puppet.puppet.intra --waitforcert 60 --test

This is answered by

Error: Could not request certificate: The CSR retrieved from the master does not match the agent's public key.
CSR fingerprint: 82:F5:08:CC:98:8A:D1:8F:EC:3D:B0:F7:5B:EB:43:FC:FC:0D:95:30:E8:6F:7F:81:9E:1B:02:CB:A4:01:0E:50
CSR public key: Public-Key: (4096 bit)
Modulus:
    ...
Exponent: 65537 (0x10001)

Agent public key: Public-Key: (4096 bit)
Modulus:
    ...
Exponent: 65537 (0x10001)

To fix this, remove the CSR from both the master and the agent and then start a puppet run, which will automatically regenerate a CSR.
On the master:
  puppet cert clean puppetclient.puppet.intra
On the agent:
  1a. On most platforms: find /home/administrator/.puppetlabs/etc/puppet/ssl -name puppetclient.puppet.intra.pem -delete
  1b. On Windows: del "\home\administrator\.puppetlabs\etc\puppet\ssl\certs\puppetclient.puppet.intra.pem" /f
  2. puppet agent -t

Of course, I executed the proposed troubleshooting steps, without result. I further checked:

  • I can open port 8140 on the server
  • the time settings match
  • both machines have the correct hostname set and are resolved by the DNS correctly

What am I doing wrong?

Regards, Christian

Edit

I just realized something: It seems like the problem only occurs when I try to run puppet as a different user than I installed it with. I wanted to run puppet agent -t as root with sudo on an OS X client and got the error message described earlier. When I run puppet as the user I installed it with, the error doesn't occur. How can I fix this?
Christian

1 Answer

TL;DR: Use sudo all the time or log in as root directly (not recommended though)

Okay, seems like this was my fault: I am not 100 percent sure, but I may have installed puppet as root (via sudo), done the CSR as a normal user and afterwards tried to run it as root again.

It seems like I should have used sudo / root all the time because after I removed the certificates from the client and server like this:

    To fix this, remove the CSR from both the master and the agent and then start a puppet run, which will automatically regenerate a CSR.
    On the master:
    puppet cert clean puppetclient.puppet.intra
    On the agent:
    1a. On most platforms: find /home/administrator/.puppetlabs/etc/puppet/ssl -name puppetclient.puppet.intra.pem -delete
    1b. On Windows: del "\home\administrator\.puppetlabs\etc\puppet\ssl\certs\puppetclient.puppet.intra.pem" /f
    2. puppet agent -t

And then redid the CSR as root, everything seems to be working fine now.

Christian
  • Yes, I did notice this also with puppet agent. If run as unprivileged user it gladly tries to do things which are not productive at all and lead to confusing error messages. They should really add an --unprivileged switch and complain if an unprivileged user tried to run puppet agent without it. – Gerrit Feb 20 '20 at 16:28
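
The root cause described in the answer and the comment is that the agent keeps a separate SSL directory per user, so a key pair generated as one user does not match the CSR the master already holds from another. The following check is an added example, not part of the original posts or of Puppet itself; it assumes the per-user path shown in the error message above and, as an assumption not on this page, `/etc/puppetlabs/puppet/ssl` as the root ssldir (confirm both with `puppet config print ssldir`, run once as the user and once with sudo).

```shell
# Added example: detect a split agent identity (root ssldir vs. per-user ssldir).
# The function names below are hypothetical helpers, not Puppet commands.

# default_ssldirs USER_HOME
# Prints the two locations checked here: the assumed root ssldir and the
# per-user ssldir layout seen in the error message on this page.
default_ssldirs() {
    printf '%s\n%s\n' "/etc/puppetlabs/puppet/ssl" "$1/.puppetlabs/etc/puppet/ssl"
}

# check_ssldirs CERTNAME SSLDIR...
# Prints one line per ssldir that holds a public key for CERTNAME and returns
#   0  zero or one distinct key found (consistent identity)
#   1  several ssldirs hold different keys for the same certname, which is
#      the situation that produces the "CSR ... does not match" error
check_ssldirs() {
    cs_certname=$1; shift
    cs_first=""; cs_rc=0
    for cs_dir in "$@"; do
        cs_key="$cs_dir/public_keys/$cs_certname.pem"
        [ -f "$cs_key" ] || continue
        cs_csr="no"
        [ -f "$cs_dir/certificate_requests/$cs_certname.pem" ] && cs_csr="yes"
        printf '%s  key=present  pending_csr=%s\n' "$cs_dir" "$cs_csr"
        if [ -z "$cs_first" ]; then
            cs_first=$cs_key            # first identity seen is the reference
        elif ! cmp -s "$cs_first" "$cs_key"; then
            cs_rc=1                     # same certname, different key material
        fi
    done
    return $cs_rc
}

# Typical use on the agent (reading the root ssldir needs sudo):
#   check_ssldirs puppetclient.puppet.intra $(default_ssldirs /home/administrator)
```

A return code of 1 means the certname has been enrolled under two users; remove the ssldir that should not exist (the per-user copy also leaves a private key in the home directory) and run the agent consistently with sudo.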