Ran into the same issue.
Our puppet setup is version controlled using GitHub, so every time we provision a new puppetmaster, we run into cert issues. Normally puppet ca --clean --all works, but we have found the following more reliable:
rm -rf $(puppet master --configprint ssldir)