markhorrocks

Reputation: 1388

Puppet Server hostname 'puppetmaster' did not match server certificate

I'm trying to install puppet7 master and a client on 2 VirtualBox VMs following this guide https://tecadmin.net/how-to-install-puppet-on-ubuntu-20-04/. When I start puppet on the client I get this error. Note the trailing period.

Server hostname 'puppetmaster' did not match server certificate; expected one of puppetmaster.

Listing certnames on the master

sudo /opt/puppetlabs/bin/puppetserver ca list --all 
Signed Certificates:
    puppetmaster.   

How can I fix the mismatch?

edit: Attempting to run the commands suggested below, I get

mark@puppetmaster:~$ puppetserver ca clean --certname puppetmaster.
Traceback (most recent call last):
    9: from /opt/puppetlabs/server/apps/puppetserver/cli/apps/ca:5:in `<main>'
    8: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-2.3.6/lib/puppetserver/ca/cli.rb:100:in `run'
    7: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-2.3.6/lib/puppetserver/ca/action/clean.rb:91:in `run'
    6: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-2.3.6/lib/puppetserver/ca/action/clean.rb:103:in `clean_certs'
    5: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-2.3.6/lib/puppetserver/ca/action/clean.rb:103:in `new'
    4: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-2.3.6/lib/puppetserver/ca/certificate_authority.rb:26:in `initialize'
    3: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-2.3.6/lib/puppetserver/ca/certificate_authority.rb:26:in `new'
    2: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-2.3.6/lib/puppetserver/ca/utils/http_client.rb:25:in `initialize'
    1: from /opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-2.3.6/lib/puppetserver/ca/utils/http_client.rb:156:in `make_store'
/opt/puppetlabs/puppet/lib/ruby/vendor_gems/gems/puppetserver-ca-2.3.6/lib/puppetserver/ca/utils/http_client.rb:156:in `add_file': system lib (OpenSSL::X509::StoreError)
mark@puppetmaster:~$ sudo puppetserver ca clean --certname puppetmaster.
[sudo] password for mark: 
sudo: puppetserver: command not found

I successfully ran the commands in the answer but the incorrect certificate was not removed.

mark@puppetmaster:~$ sudo -i
[sudo] password for mark: 
root@puppetmaster:~# puppetserver ca clean --certname puppetmaster.
Certificate for puppetmaster. has been revoked
Cleaned files related to puppetmaster.
root@puppetmaster:~# puppet ssl clean
Notice: Removed private key /etc/puppetlabs/puppet/ssl/private_keys/puppetmaster..pem
Notice: Removed public key /etc/puppetlabs/puppet/ssl/public_keys/puppetmaster..pem
Notice: Removed certificate /etc/puppetlabs/puppet/ssl/certs/puppetmaster..pem
root@puppetmaster:~# puppet resource service puppetserver ensure=stopped
Notice: /Service[puppetserver]/ensure: ensure changed 'running' to 'stopped'
service { 'puppetserver':
  ensure   => 'stopped',
  provider => 'systemd',
}
root@puppetmaster:~# puppetserver ca generate --certname puppetmaster --ca-client
Successfully saved certificate for puppetmaster to /etc/puppetlabs/puppet/ssl/certs/puppetmaster.pem
Successfully saved certificate for puppetmaster to /etc/puppetlabs/puppetserver/ca/signed/puppetmaster.pem
Successfully saved private key for puppetmaster to /etc/puppetlabs/puppet/ssl/private_keys/puppetmaster.pem
Successfully saved public key for puppetmaster to /etc/puppetlabs/puppet/ssl/public_keys/puppetmaster.pem
root@puppetmaster:~# puppet resource service puppetserver ensure=running
Notice: /Service[puppetserver]/ensure: ensure changed 'stopped' to 'running'
service { 'puppetserver':
  ensure   => 'running',
  provider => 'systemd',
}
root@puppetmaster:~# sudo /opt/puppetlabs/bin/puppetserver ca list --all
Signed Certificates:
    puppetmaster.       (SHA256)  0B:E3:DC:2D:52:27:D9:D9:A1:18:9D:AB:74:07:50:86:E5:7C:32:5C:6F:A1:23:75:3D:4C:C3:90:7D:4D:08:BF   alt names: ["DNS:puppet", "DNS:puppetmaster."]  authorization extensions: [pp_cli_auth: true]
    puppetmaster        (SHA256)  06:EF:8C:3C:6D:83:CA:7A:C9:A4:39:02:DA:7B:F5:E6:D4:3C:27:B3:80:82:EB:4D:C0:92:99:37:F3:D2:96:F2   alt names: ["DNS:puppetmaster"] authorization extensions: [pp_cli_auth: true]
root@puppetmaster:~# sudo /opt/puppetlabs/bin/puppetserver ca sign --all 
Error:
    No waiting certificate requests to sign

On the agent, I still get the same error

mark@puppetclient:~$ sudo systemctl status puppet 
[sudo] password for mark: 
● puppet.service - Puppet agent
     Loaded: loaded (/lib/systemd/system/puppet.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2023-01-16 16:53:07 UTC; 1min 6s ago
       Docs: man:puppet-agent(8)
   Main PID: 654 (puppet)
      Tasks: 1 (limit: 2237)
     Memory: 83.4M
        CPU: 1.485s
     CGroup: /system.slice/puppet.service
             └─654 /opt/puppetlabs/puppet/bin/ruby /opt/puppetlabs/puppet/bin/puppet agent --no-daemonize

Jan 16 16:53:07 puppetclient systemd[1]: Started Puppet agent.
Jan 16 16:53:13 puppetclient puppet-agent[654]: Starting Puppet client version 7.21.0
Jan 16 16:53:13 puppetclient puppet-agent[654]: Server hostname 'puppetmaster' did not match server certificate; expected one of puppetmaster., DNS:puppet, DNS:puppetmaster.

Upvotes: 0

Views: 1310

Answers (1)

John Bollinger

Reputation: 180048

I'm not sure how you ended up at the point you did, but I agree that the trailing period in the server's certname looks like the source of the issue. You probably need to regenerate the server's agent cert. (The agent cert is used to authenticate machines to each other, both client and server). The linked docs provide more detail, but the basic steps are:

  1. Revoke and remove the current server certificate

    puppetserver ca clean --certname puppetmaster.
    
  2. Remove the agent-side copy of the cert and its associated metadata

    puppet ssl clean
    
  3. Stop the puppetserver service. You may use the appropriate service-management tool directly (systemctl for Ubuntu 20) but Puppet recommends using puppet resource:

    puppet resource service puppetserver ensure=stopped
    
  4. Generate a new, signed certificate for the server:

    puppetserver ca generate --certname <new-certname> [--subject-alt-names <comma-delimited-DNS-names>] --ca-client
    

    When you do this, make sure that either the specified --certname or one of the specified --subject-alt-names, if any, exactly matches the name your clients will use to connect to the server. Note also that if you specify a certname explicitly in the server's puppet.conf then it, too, will need to match the certname specified here.

Although it's not technically part of regenerating the cert, presumably you will afterward want to

  1. Restart the puppetserver service. For example, via

    puppet resource service puppetserver ensure=running
    

Upvotes: 1
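The mismatch the agent reports can be reproduced without a Puppet installation. The Ruby script below is an added example, not code from the question, the answer or Puppet itself. It builds two throw-away self-signed certificates, one carrying the trailing-dot certname from the question and one named the way `puppetserver ca generate --certname puppetmaster` would name it, and runs `OpenSSL::SSL.verify_certificate_identity` against each. That function is the hostname check Ruby's openssl library applies to a peer certificate for a Ruby TLS client such as the Puppet agent; the "expected one of" list is rebuilt here the way the agent prints it (subject CN first, then the SAN entries), which is a reconstruction and not Puppet's own formatting code. All names are constructed for the example, and `make_cert`, `expected_names` and `check_server_hostname` are helpers defined here.

```ruby
#!/usr/bin/env ruby
# Added example (not from the question, the answer or Puppet's own code).
# Rebuilds the server-certificate hostname check that fails in the question
# using OpenSSL::SSL.verify_certificate_identity, the check Ruby's openssl
# library applies to a peer certificate. All certificates and names below are
# constructed fixtures so the script runs offline.
require "openssl"

# Build a self-signed certificate with the given CN and DNS subjectAltNames.
# Fixture only: puppetserver's CA issues real certs with more extensions.
def make_cert(cn, dns_names)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                       # X.509 v3, needed for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([["CN", cn]])
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  ef  = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  san = dns_names.map { |n| "DNS:#{n}" }.join(",")
  cert.add_extension(ef.create_extension("subjectAltName", san))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Names a client would accept for this certificate, in the order the agent's
# error message lists them: the subject CN, then each SAN as OpenSSL prints it.
def expected_names(cert)
  cn  = cert.subject.to_a.find { |oid, _value, _type| oid == "CN" }[1]
  san = cert.extensions.find { |e| e.oid == "subjectAltName" }
  [cn] + (san ? san.value.split(", ") : [])
end

# Returns [matched, expected_names]. verify_certificate_identity checks the
# DNS SANs when present (it falls back to the CN only when there are none) and
# compares a single-label name such as "puppetmaster." as a whole string, so
# the trailing dot makes it a different name from "puppetmaster".
def check_server_hostname(cert, hostname)
  [OpenSSL::SSL.verify_certificate_identity(cert, hostname), expected_names(cert)]
end

# Certificate as issued in the question (certname with a trailing dot) ...
BAD_CERT  = make_cert("puppetmaster.", %w[puppet puppetmaster.])
# ... and as it should look after: puppetserver ca generate --certname puppetmaster
GOOD_CERT = make_cert("puppetmaster", %w[puppet puppetmaster])

if __FILE__ == $PROGRAM_NAME
  { "trailing dot" => BAD_CERT, "regenerated" => GOOD_CERT }.each do |label, cert|
    ok, expected = check_server_hostname(cert, "puppetmaster")
    if ok
      puts "#{label}: 'puppetmaster' matches certificate"
    else
      puts "#{label}: Server hostname 'puppetmaster' did not match server " \
           "certificate; expected one of #{expected.join(', ')}"
    end
  end
end
```

Run it and the first certificate fails for the reason seen in the question: `puppetmaster.` and `puppetmaster` are compared as whole strings, so the trailing dot is simply a different name, and the agent's hostname has to appear verbatim. The same rule governs step 4 above: whatever the agents put in `server =` in their puppet.conf must appear, without a trailing dot, either as the `--certname` or as one of the `--subject-alt-names`. Before restarting puppetserver, `puppet config print certname` on the server and the CN and alt names shown by `puppetserver ca list --all` are the two places to look for a stray dot.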
