Master public key fingerprint mismatch in EC2 Keypair and "geofront-cli masterkey" command #24

Open
achimnol opened this issue Jul 22, 2017 · 3 comments

Comments

@achimnol
Contributor

achimnol commented Jul 22, 2017

According to my server log, masterkey renewal was done successfully.
However, I cannot access new instances created with the master public key stored in EC2 KeyPair after renewal.
The interesting thing is that the fingerprint value in AWS Console's KeyPair list and the result of geofront-cli masterkey are not the same, while I can still access existing instances created before the key renewal.
Even more interestingly, the manually re-imported keypair in the AWS console from the output of geofront-cli masterkey -v shows the same fingerprint that was shown in the AWS console before.

I hope this is just a configuration mistake on my side, but just reporting upfront.

@achimnol
Contributor Author

achimnol commented Jul 22, 2017

Okay, I found that authentication failure happens with new EC2 instances from a custom AMI (created before masterkey renewal) only. This means that the key renewal process has gone flawlessly though the displayed fingerprints differ (we need to fix this!).

On my side, I need to figure out what actions should be done when using custom AMIs across masterkey renewals.

@achimnol
Contributor Author

achimnol commented Jul 22, 2017

After some experiments, I found that giving cloud-config to change the default username (specific to my environment) in the instance launch wizard fixes the authentication problem.
It would be nice if we had explicit documentation about this situation.

Then let's figure out why fingerprints look different.

@achimnol
Contributor Author

And here is the reason for different views of the same public key: https://serverfault.com/questions/603982/why-does-my-openssh-key-fingerprint-not-match-the-aws-ec2-console-keypair-finger
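
The mismatch explained at that link, as an added example (not part of the issue thread or of geofront's code): for an imported key, EC2 displays an MD5 over the DER-encoded SubjectPublicKeyInfo, while OpenSSH hashes the SSH wire-format blob, so one public key yields different fingerprints. The sketch assumes an RSA key; the key is constructed for illustration and `constructed_pub_line` is a hypothetical helper.

```python
import base64, hashlib, struct

# DER AlgorithmIdentifier { rsaEncryption, NULL }
RSA_ALG = bytes.fromhex("300d06092a864886f70d0101010500")

def read_fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    fields = []
    while blob:
        (n,) = struct.unpack(">I", blob[:4])
        fields.append(blob[4:4 + n])
        blob = blob[4 + n:]
    return fields

def der(tag, content):
    """Encode one DER TLV, using the long length form from 128 bytes up."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def spki_der(ssh_blob):
    """Re-encode an ssh-rsa blob as SubjectPublicKeyInfo (what EC2 hashes)."""
    kind, e, n = read_fields(ssh_blob)
    if kind != b"ssh-rsa":
        raise ValueError("this sketch handles RSA keys only")
    # mpint bytes are already minimal two's complement, same as DER INTEGER
    rsa_pub = der(0x30, der(0x02, n) + der(0x02, e))
    return der(0x30, RSA_ALG + der(0x03, b"\x00" + rsa_pub))

def colon_md5(data):
    h = hashlib.md5(data).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, 32, 2))

def fingerprints(pub_line):
    """Return the views of one 'ssh-rsa AAAA... comment' public key line."""
    blob = base64.b64decode(pub_line.split()[1])
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"openssh_md5": colon_md5(blob),               # ssh-keygen -l -E md5
            "openssh_sha256": "SHA256:" + sha,            # ssh-keygen -l
            "ec2_imported_md5": colon_md5(spki_der(blob))}  # EC2 console view

def constructed_pub_line():
    """Constructed 2048-bit value in ssh-rsa framing; NOT a usable RSA key."""
    n = int.from_bytes(b"\xc3" + bytes(range(255)), "big") | 1
    s = lambda b: struct.pack(">I", len(b)) + b
    mp = lambda i: s(i.to_bytes(i.bit_length() // 8 + 1, "big"))
    blob = s(b"ssh-rsa") + mp(65537) + mp(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " constructed@example"

if __name__ == "__main__":
    for name, value in fingerprints(constructed_pub_line()).items():
        print(f"{name:18} {value}")
```

To compare against the console, pass the public key line you imported to `fingerprints` and check the `ec2_imported_md5` value.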
