On Feb 14, 2011, at 8:43 AM, Felix Frank wrote:

> Hi,
>
> from afar, it's hard to tell what your specific problem is.
>
> Has your puppetmaster generated a new CSR for the machine? Maybe you
> have to sign the new certificate; the master still stores a valid,
> signed certificate for the machine, but the client has no use for it.
> You need to convince your master to sign a new certificate (for which
> the client actually has the private key).
>
> From the helptext:
> clean: Remove all files related to a host from puppet cert's
> storage. This is useful when rebuilding hosts, since new
> certificate signing requests will only be honored if puppet
> cert does not have a copy of a signed certificate for that
> host. The certificate of the host remains valid. If '--all'
> is specified then all host certificates, both signed and
> unsigned, will be removed.
>
> Be mindful of the fact that the signed certificate remains valid (until
> replaced?)

Actually, they remain valid almost forever (I think it's usually 10 years) unless revoked. Just replacing the certificate doesn't make the signature less valid. The only way for a certificate to stop working, if you don't change the root certificate, is to revoke it and have certificate revocation lists working. In 2.6.x I think certificates are revoked when cleaned, but I'm not sure. I know 0.25.x doesn't.
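
The behaviour described in this reply, reproduced with a throwaway CA and the openssl CLI. This is an added example, not part of the original message and not puppet's own tooling; the CA name, host name and file names are constructed placeholders.

```shell
# Added example: general X.509 behaviour shown with openssl, not puppet cert.
setup_ca() {
  cd "$(mktemp -d)" || return 1
  mkdir newcerts && : > index.txt && echo 01 > serial && echo 01 > crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
crlnumber = crlnumber
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 3650
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Demo CA" -keyout ca.key -out ca.pem 2>/dev/null &&
  openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=agent.example.test" -keyout host.key -out host.csr 2>/dev/null &&
  openssl ca -batch -config ca.cnf -in host.csr -out host.pem 2>/dev/null
}
gen_crl() { openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null; }
# Chain check only: what a verifier does when no CRL is consulted.
verify_plain() { openssl verify -CAfile ca.pem host.pem >/dev/null 2>&1; }
# Chain check plus a revocation lookup against the CA's current CRL.
verify_crl() { openssl verify -crl_check -CRLfile crl.pem -CAfile ca.pem host.pem >/dev/null 2>&1; }
status() { if "$@"; then echo valid; else echo rejected; fi; }
setup_ca && gen_crl || exit 1
rm -f newcerts/*.pem                    # the CA discards its stored copy
AFTER_DELETE=$(status verify_plain)     # valid: the signature is unaffected
BEFORE_REVOKE=$(status verify_crl)      # valid: the CRL does not list it yet
openssl ca -config ca.cnf -revoke host.pem 2>/dev/null && gen_crl || exit 1
REVOKED_NO_CRL=$(status verify_plain)   # valid: nobody consulted the CRL
REVOKED_WITH_CRL=$(status verify_crl)   # rejected: revoked and CRL checked
echo "$AFTER_DELETE $BEFORE_REVOKE $REVOKED_NO_CRL $REVOKED_WITH_CRL"
```

Only the last check rejects the certificate: deleting the CA's copy changes nothing, and revocation takes effect only for verifiers that actually load a current CRL.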