Aparentemente, o problema estava no fato de que o Apache ainda estava em execução (e, portanto, ter um mestre de marionetes gerado via Passenger).
MASTER /etc/apache2/sites-enabled # /etc/init.d/apache2 stop
[ ok ] Stopping web server: apache2 ... waiting .
MASTER /etc/apache2/sites-enabled # puppet cert clean --all
Notice: Revoked certificate with serial 2
Notice: Removing file Puppet::SSL::Certificate puppet.x at '/var/lib/puppet/ssl/ca/signed/puppet.x.pem'
Notice: Removing file Puppet::SSL::Certificate puppet.x at '/var/lib/puppet/ssl/certs/puppet.x.pem'
Notice: Removing file Puppet::SSL::Key puppet.x at '/var/lib/puppet/ssl/private_keys/puppet.x.pem'
MASTER /etc/apache2/sites-enabled # puppet master --no-daemonize --verbose
Info: Creating a new SSL key for puppet.x
Info: Creating a new SSL certificate request for puppet.x
Info: Certificate Request fingerprint (SHA256): DB:8C:2D:71:54:C4:B7:03:79:38:E2:26:94:51:12:89:6F:E0:24:AC:F2:16:C0:5A:7A:B6:7D:4F:DD:6C:98:0D
Notice: puppet.x has a waiting certificate request
Notice: Signed certificate request for puppet.x
Notice: Removing file Puppet::SSL::CertificateRequest puppet.x at '/var/lib/puppet/ssl/ca/requests/puppet.x.pem'
Notice: Removing file Puppet::SSL::CertificateRequest puppet.x at '/var/lib/puppet/ssl/certificate_requests/puppet.x.pem'
Notice: Starting Puppet master version 3.1.1
^CNotice: Caught INT; calling stop
MASTER /etc/apache2/sites-enabled # /etc/init.d/apache2 restart
[ ok ] Restarting web server: apache2.
MASTER /etc/apache2/sites-enabled # puppet cert sign --all
Notice: Signed certificate request for efikamx-561a37.x
Notice: Removing file Puppet::SSL::CertificateRequest efikamx-561a37.x at '/var/lib/puppet/ssl/ca/requests/efikamx-561a37.x.pem'
E agora posso gerar e assinar corretamente as chaves no cliente:
CLIENT ~ # rm -rf /var/lib/puppet/ssl/*
CLIENT ~ # puppet agent -t
info: Creating a new SSL key for efikamx-9ba3ab.x.com
info: Caching certificate for ca
info: Creating a new SSL certificate request for efikamx-9ba3ab.x.com
info: Certificate Request fingerprint (md5): 8C:9E:6E:95:B8:70:B9:A2:98:CB:A5:87:BC:66:33:A4
Exiting; no certificate found and waitforcert is disabled
CLIENT ~ # puppet agent --no-daemonize --onetime --verbose --waitforcert 60
info: Caching certificate for efikamx-9ba3ab.x.com
info: Caching certificate_revocation_list for ca
info: Caching catalog for efikamx-9ba3ab.x.com
info: Applying configuration version '1373327419'
notice: /Stage[essential]/Efikamx-repository/File[/etc/apt/sources.list.d/multistrap-stable.list]/content: content changed '{md5}fbba0743add1cb9e54f7484b2c7a1f59' to '{md5}5941829a1b3a18b02f5bd6367e36e635'
[...]