Resolving Puppet SSL Certificate Issues: Failed CSR Signing and Certificate Generation

When setting up a new Puppet agent node named 'itai-test', you can run into a contradictory pair of errors:

puppet cert --generate itai-test.domain
Error: A Certificate already exists for itai-test.domain

puppet cert --sign itai-test.domain  
Error: Could not find certificate request for itai-test.domain

This indicates a broken SSL state where:

  • The master believes a certificate exists (possibly from previous attempts)
  • No valid CSR exists in /etc/puppetlabs/puppet/ssl/ca/requests
  • The agent can't get its certificate signed

First, remove all traces on both master and agent:

On Puppet Master:

puppet cert clean itai-test.domain
# the CA stores the signed certificate and the request as <certname>.pem,
# so match the .pem file name rather than the bare certname
find /etc/puppetlabs/puppet/ssl -name 'itai-test.domain.pem' -exec rm -f {} +
systemctl restart puppetserver

On Agent Node:

rm -rf /etc/puppetlabs/puppet/ssl
puppet ssl bootstrap --server puppetmaster.domain --waitforcert 60

Check certificate signing status:

puppet cert list --all
+ "itai-test.domain" (SHA256) 00:11:22:33:44:55...

Test agent communication:

puppet agent --test --server puppetmaster.domain
Info: Using configured environment 'production'
Info: Retrieving pluginfacts
Info: Retrieving plugin
Info: Caching catalog for itai-test.domain

Further recommendations:

  • Always clean old certificates before regeneration
  • Use puppet ssl submit_request for explicit CSR submission
  • Check master's CA certificate expiration date
  • Verify DNS resolution works bidirectionally

When setting up a new Puppet client ('itai-test') to communicate with the puppetmaster server, certificate issues can be particularly frustrating. The error messages suggest a broken trust chain between client and server:

[root@puppetmaster requests]# puppet cert --generate itai-test.domain
Error: A Certificate already exists for itai-test.domain
[root@puppetmaster requests]# puppet cert --sign itai-test.domain
Error: Could not find certificate request for itai-test.domain

The server indicates a certificate exists but can't find the corresponding request, while the client keeps waiting indefinitely:

[root@itai-test temp]# puppet agent --server puppetmaster.domain --waitforcert 60 --test
Notice: Did not receive certificate
Notice: Did not receive certificate

First, we need to clean up all certificate artifacts on both ends. On the puppetmaster:

# Remove all traces of the client certificate
puppet cert clean itai-test.domain
rm -f /var/lib/puppet/ssl/ca/signed/itai-test.domain.pem
rm -f /var/lib/puppet/ssl/ca/requests/itai-test.domain.pem

On the client machine:

# Wipe the local SSL directory
rm -rf /var/lib/puppet/ssl
# Or for newer Puppet versions:
rm -rf /etc/puppetlabs/puppet/ssl

After cleanup, restart the process properly:

# On the client:
puppet agent --test --server puppetmaster.domain --waitforcert 60

# On the server, check for the new request:
puppet cert list
# Then sign it:
puppet cert sign itai-test.domain

Verify basic connectivity between client and server:

ping puppetmaster.domain
telnet puppetmaster.domain 8140
openssl s_client -connect puppetmaster.domain:8140 -showcerts

Common causes to rule out:

  • Time synchronization issues: Ensure NTP is running on both systems
  • DNS resolution: Verify forward and reverse DNS records match
  • Firewall rules: Port 8140 must be open between client and server
  • Certificate SANs: Check for mismatched subject alternative names

For larger deployments, consider using autosign or policy-based autosign:

# In puppet.conf on master:
[master]
autosign = true
# OR for policy-based:
autosign = /etc/puppetlabs/puppet/autosign.sh
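
Of the two settings above, autosign = true signs every request that reaches the master, so the policy script is the one to prefer. The following policy-based autosign hook is an added example, not code from the page or from Puppet itself: it assumes the /etc/puppetlabs/puppet/autosign.sh path used above and a constructed allowlist of domains, and signs only when the certname is a host directly under an allowed domain and the CN inside the submitted CSR matches that certname. The calling convention (certname as the single argument, PEM CSR on stdin, exit 0 to sign) is Puppet's documented one for policy-based autosigning.

```shell
#!/bin/sh
# Policy-based autosign hook (assumed to live at /etc/puppetlabs/puppet/autosign.sh
# and to be executable by the puppetserver user). Puppet runs it as
#   autosign.sh <certname>   with the PEM-encoded CSR on stdin
# and signs the request only when the script exits 0.

# Constructed allowlist: only hosts directly under these domains are auto-signed.
ALLOWED_DOMAINS="domain test.domain"

# certname must be <host>.<allowed-domain>: lowercase letters, digits and hyphens,
# no empty/leading/trailing/doubled dots, no label starting or ending in a hyphen.
certname_allowed() {
    name=$1
    case $name in
        ''|*[!a-z0-9.-]*|.*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;
    esac
    host=${name%%.*}
    [ "$host" != "$name" ] || return 1      # no dot at all
    dom=${name#*.}
    for d in $ALLOWED_DOMAINS; do
        [ "$dom" = "$d" ] && return 0
    done
    return 1
}

# The CN inside the CSR must equal the certname the agent presented; a mismatch
# means the request does not describe the host it claims to be.
csr_cn_matches() {
    name=$1
    csr=$2
    cn=$(openssl req -in "$csr" -noout -subject 2>/dev/null |
         sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ -n "$cn" ] && [ "$cn" = "$name" ]
}

# Full decision: read the CSR from stdin, apply both checks, 0 = sign, 1 = reject.
autosign_decision() {
    certname=$1
    tmp=$(mktemp)
    cat > "$tmp"
    rc=1
    if certname_allowed "$certname" && csr_cn_matches "$certname" "$tmp"; then
        rc=0
    fi
    rm -f "$tmp"
    return $rc
}

# Act as the hook only when Puppet passes a certname (skipped when no argument is given).
[ $# -eq 0 ] || { autosign_decision "$1"; exit $?; }
```

Rejected requests stay in the CA's requests directory, where puppet cert list still shows them for manual review.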

Remember that proper certificate management is crucial for Puppet's security model. Always clean up old certificates properly and verify the complete chain of trust between client and server.