If you try to connect to a puppet master fort the first time using an agent that already has a signed cert on the master (this may happen if you need to wipe your agent but forget to revoke the dead agent’s cert on the master), you get the following:

/Users/matthewrobinson/work/puppet/lib/puppet/ssl/host.rb:166:in `certificate'
/Users/matthewrobinson/work/puppet/lib/puppet/ssl/host.rb:227:in `wait_for_cert'
/Users/matthewrobinson/work/puppet/lib/puppet/application/agent.rb:194:in `setup_host'
/Users/matthewrobinson/work/puppet/lib/puppet/application/agent.rb:259:in `setup'
/Users/matthewrobinson/work/puppet/lib/puppet/application.rb:304:in `run'
/Users/matthewrobinson/work/puppet/lib/puppet/application.rb:420:in `hook'
/Users/matthewrobinson/work/puppet/lib/puppet/application.rb:304:in `run'
/Users/matthewrobinson/work/puppet/lib/puppet/application.rb:411:in `exit_on_fail'
/Users/matthewrobinson/work/puppet/lib/puppet/application.rb:304:in `run'
/Users/matthewrobinson/work/puppet/sbin/puppetd:4
err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from
 server and regenerate it with the current key

The error message should say which retrieved certificate (presumably it’s retrieving the the already signed cert for the old agent) and which private key (presumably it’s the private key that was generated before sending a CSR to the master) don’t match. This could be done by including the CN for the cert and some fingerprints or something so you can tell what doesn’t match what. And then some more detail on HOW to remove the certificate from the server would be helpful.