The Puppet Labs Issue Tracker has Moved:

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets. See the following page for information on filing tickets with JIRA:

Bug #7109

Agent retrieving a cert with an already used certname gets error

Added by Matt Robinson about 5 years ago. Updated about 4 years ago.

Status: Accepted
Start date: 04/14/2011
Priority: Normal
Due date:
Assignee: -
% Done:
Target version: -
Affected Puppet version:
Branch:

If agent ‘foo’ has already received a signed cert back from the Puppet CA, and then a second agent asks for a cert with the certname ‘foo’, you get the following:

/Users/matthewrobinson/work/puppet/lib/puppet/ssl/host.rb:166:in `certificate'
/Users/matthewrobinson/work/puppet/lib/puppet/ssl/host.rb:227:in `wait_for_cert'
/Users/matthewrobinson/work/puppet/lib/puppet/application/agent.rb:194:in `setup_host'
/Users/matthewrobinson/work/puppet/lib/puppet/application/agent.rb:259:in `setup'
/Users/matthewrobinson/work/puppet/lib/puppet/application.rb:304:in `run'
/Users/matthewrobinson/work/puppet/lib/puppet/application.rb:420:in `hook'
/Users/matthewrobinson/work/puppet/lib/puppet/application.rb:304:in `run'
/Users/matthewrobinson/work/puppet/lib/puppet/application.rb:411:in `exit_on_fail'
/Users/matthewrobinson/work/puppet/lib/puppet/application.rb:304:in `run'
err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key

However, if you manually generate a certificate request using either the new face ‘puppet certificate generate hostname --ca-location remote --server Name_of_Puppet_Master’ or curl (haven’t actually tested with curl, but it’s basically the same as the face), you’re allowed to make a new CSR with the same name as a cert that’s already signed.

The question here seems to be, should the agent be fixed to allow this kind of behavior since it’s possible with more manual means?
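The failure in the report comes from the agent-side check that a certificate it retrieved actually belongs to the private key it holds. The following Ruby script is an added example written for this page; it is not Puppet's own code and does not call the Puppet CA. It builds a throwaway CA, enrolls a first "agent" as ‘foo’, then has a second key ask for ‘foo’ and shows that the cert on file fails OpenSSL's private-key match, which is the condition behind "Retrieved certificate does not match private key". Every name below (make_ca, sign_csr, duplicate_certname_scenario, the certname ‘foo’) is an assumption of the example, and the "CA returns whatever cert is on file" behaviour is a simplification of what the ticket describes, not a reproduction of the real CA's logic.

```ruby
require 'openssl'

# Added example (not Puppet's code). A throwaway self-signed CA, constructed for this script.
def make_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=Puppet CA: example')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [key, cert]
end

# What an agent sends: a CSR for its certname, signed with its own key.
def make_csr(certname, key)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{certname}")
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest::SHA256.new)
  csr
end

# What the CA does with a CSR it accepts. `serial` stands in for the CA's inventory counter.
def sign_csr(ca_key, ca_cert, csr, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = csr.subject
  cert.issuer = ca_cert.subject
  cert.public_key = csr.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(ca_key, OpenSSL::Digest::SHA256.new)
  cert
end

# The agent-side check: does the retrieved certificate carry the public half of my key?
# OpenSSL's check_private_key is the primitive that answers this; a false result is the
# situation the ticket's error message reports.
def cert_matches_key?(cert, key)
  cert.check_private_key(key)
end

# Scenario from the ticket: agent A enrolls as 'foo'. A rebuilt agent B with a fresh key
# asks for 'foo'. If the CA simply hands back the cert already on file (A's), B's check
# fails; only a cert signed over B's own CSR passes.
def duplicate_certname_scenario
  ca_key, ca_cert = make_ca
  key_a = OpenSSL::PKey::RSA.new(2048)
  cert_a = sign_csr(ca_key, ca_cert, make_csr('foo', key_a), 2)

  key_b = OpenSSL::PKey::RSA.new(2048)
  cert_b = sign_csr(ca_key, ca_cert, make_csr('foo', key_b), 3)

  {
    a_ok:    cert_matches_key?(cert_a, key_a), # true: A's cert, A's key
    b_stale: cert_matches_key?(cert_a, key_b), # false: the ticket's error condition
    b_fresh: cert_matches_key?(cert_b, key_b)  # true: cert signed over B's own CSR
  }
end

if __FILE__ == $0
  duplicate_certname_scenario.each { |k, v| puts "#{k}: #{v}" }
end
```

The check is deliberately done on the key pair rather than on the subject name: two certs for ‘foo’ are indistinguishable by name, and only the key match tells the agent whether the cert it was handed is its own. Whatever the CA's duplicate-certname policy ends up being, this is the invariant the agent has to keep.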

Related issues

Related to Puppet - Bug #3360: Add a flag to make puppet ca behavior on receipt of dupli... Closed 03/09/2010
Related to Puppet - Bug #7110: Better SSL error message when retrieved certificate does ... Closed 04/14/2011


#1 Updated by James Turnbull about 5 years ago

  • Assignee set to Nigel Kersten

#2 Updated by Nigel Kersten about 5 years ago

  • Status changed from Needs Decision to Accepted
  • Assignee changed from Nigel Kersten to Matt Robinson

I’m assuming we’re talking about situations only where allow_duplicate_certs is on. If so, then we should fix the agent to allow this behavior. Does that answer it sufficiently Matt?

#3 Updated by Nigel Kersten almost 5 years ago


#4 Updated by Anonymous over 4 years ago

Closed ?

Should this be closed now that #7110 has been merged in?

#5 Updated by Anonymous about 4 years ago

  • Assignee deleted (Matt Robinson)
