I don't have one of the actual messages handy right now but when it occurs I run 'puppet agent --test' and instead of doing its work it presents an error message which explains that the certificate (of the node I ran puppet on) has been revoked. This is what led me to believe that the problem was with certificate revocation.
I guess it's possible that timekeeping could be an issue. However, this has happened with a new puppetmaster server and a puppetdb server running on the same VMware ESXi host. It seems a bit unlikely that the clocks would be significantly skewed. Just how much does the clock have to vary before the master decides the certificate is revoked? Also, when this problem has happened I have checked time on both master and node and they appeared to agree very closely (to my eye). But would this present itself as a "certificate revoked" error message?

On Wednesday, March 19, 2014 6:58:25 AM UTC-7, jcbollinger wrote:
>
> On Tuesday, March 18, 2014 10:25:02 AM UTC-5, st...@wtfast.com wrote:
>>
>> These are not new nodes but not old either, only a few months. The date/time is correct. The DNS is correct. I have not manually set certificate lifetimes to be shorter than the default. However sometimes these nodes might not check in for a few days.
>>
>> This was recently a big problem as the cert for the puppetdb server was revoked.
>>
>> How can I get more information about the revocation?
>
> You could start by giving *us* more information. Specifically, the actual messages that lead you to conclude that certificates have been revoked.
>
> You could also look at the Puppet CA's data files in /var/lib/puppet/ssl/ca, or something like that. The inventory of current certificates and the CRL should both be there.
>
> Is there any chance that your nodes' timekeeping is inconsistent? That can happen with VMs, for instance. If your nodes do not agree fairly closely with the master with respect to the current date and time of day then that can prevent successful SSL handshaking.
>
> John
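The quoted reply points at the CA's certificate inventory and CRL as the place to learn more about a revocation. The following is an added example, not code from anyone in the thread: it cross-references the two to show every serial issued to a certname and when each was revoked. It assumes the Puppet 3 layout (`inventory.txt` and `ca_crl.pem` under the CA directory) and the text format printed by `openssl crl -noout -text`; all sample data and host names are constructed.

```python
"""Cross-reference a Puppet CA inventory with its CRL (added example)."""
import re
from datetime import datetime

# Constructed sample of <ssldir>/ca/inventory.txt: serial, not-before, not-after, subject.
INVENTORY = """\
0x0001 2013-11-01T10:00:00GMT 2018-10-31T10:00:00GMT /CN=Puppet CA: master.example.test
0x0004 2013-12-02T18:04:11GMT 2018-12-01T18:04:11GMT /CN=puppetdb.example.test
0x0007 2014-03-10T09:30:00GMT 2019-03-09T09:30:00GMT /CN=puppetdb.example.test
0x0008 2014-03-11T12:00:00GMT 2019-03-10T12:00:00GMT /CN=node1.example.test
"""

# Constructed sample of `openssl crl -in ca_crl.pem -noout -text` output.
CRL_TEXT = """\
Certificate Revocation List (CRL):
        Last Update: Mar 18 15:20:11 2014 GMT
        Next Update: Mar 17 15:20:11 2019 GMT
Revoked Certificates:
    Serial Number: 04
        Revocation Date: Mar 10 09:29:40 2014 GMT
    Serial Number: 07
        Revocation Date: Mar 18 15:20:11 2014 GMT
"""

def parse_crl(text):
    """Map revoked serial (int) -> revocation time from openssl's text dump."""
    pairs = re.findall(
        r"Serial Number:\s*([0-9A-Fa-f]+)\s+Revocation Date:\s*(.+? GMT)", text)
    return {int(s, 16): datetime.strptime(d, "%b %d %H:%M:%S %Y GMT") for s, d in pairs}

def parse_inventory(text):
    """Yield (serial, not_before, not_after, certname) for each inventory line."""
    fmt = "%Y-%m-%dT%H:%M:%SGMT"
    for line in text.splitlines():
        m = re.match(r"(0x[0-9A-Fa-f]+) (\S+) (\S+) /CN=(.+)$", line)
        if m:
            yield (int(m[1], 16), datetime.strptime(m[2], fmt),
                   datetime.strptime(m[3], fmt), m[4])

def revocation_report(certname, inventory=INVENTORY, crl_text=CRL_TEXT):
    """List every serial issued to certname with its revocation time (or None)."""
    revoked = parse_crl(crl_text)
    return [(serial, revoked.get(serial))
            for serial, _nb, _na, cn in parse_inventory(inventory) if cn == certname]

if __name__ == "__main__":
    for serial, when in revocation_report("puppetdb.example.test"):
        print(f"serial 0x{serial:04x}: {'revoked ' + str(when) if when else 'not revoked'}")
```

Comparing the reported serials with the output of `openssl x509 -noout -serial` on the node's own certificate shows whether the certificate the agent presents is one the CRL lists.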