I've noticed that if a Puppet agent happens to contact the master after the "next update" time listed in the CRL

    openssl crl -in `puppet master --configprint hostcrl` -noout -nextupdate

that the master has most recently read on startup, then it will fail with the message:

    Error: /File[/var/opt/lib/pe-puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL has expired for /O=*redacted*/CN=*redacted*]

I'm using FreeIPA as a certificate authority, and it uses that field to communicate to users when the next update will be ready. It seems to like to update it a few times a day.

The trouble is, there is always going to be a moment *after* the update is ready but *before* a script has had a chance to update the CRL and restart the Puppetmaster. During this time, Puppet agent runs will fail.

Is there any way to tell Puppet that slightly out-of-date CRLs are okay? Otherwise, I think the next step is to try disabling checks to the CRL, but I like the fact that Puppet checks it by default.

- Josh Bronson

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/ec8b1227-6435-487a-af9a-ef1e5bb87199%40googlegroups.com.
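The gap Josh describes (FreeIPA has published a new CRL, but the master is still serving the old one past its nextUpdate) is a scheduling problem, not a reason to turn CRL checking off. The script below is an added illustration, not Josh's script and not part of Puppet or FreeIPA: it reads the same nextUpdate field that the openssl one-liner in the post prints, and classifies the CRL as "ok", "refresh" (inside a safety margin before nextUpdate) or "expired" (agents are already failing). Run it from cron more often than the margin, and trigger the CRL fetch and Puppetmaster restart when it says "refresh", so the expiry moment is never reached. It assumes the openssl binary is on PATH, that `puppet master --configprint hostcrl` (from the post) locates the CRL, and that a one-hour margin is appropriate; the sample openssl output it parses is constructed for the example.

```python
"""Report whether a Puppet master's CRL is about to pass its nextUpdate.

Added example (not from the original post, Puppet or FreeIPA). It parses the
text that `openssl crl -noout -lastupdate -nextupdate` prints and decides
whether the CRL should be re-fetched now, before agents start failing with
"CRL has expired". Only the Python standard library is used.
"""
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Date layout used by the openssl CLI, e.g. "nextUpdate=Mar 10 12:00:00 2014 GMT".
# A space-padded single-digit day ("Mar  3 ...") also parses with this format.
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y GMT"

# Constructed sample of what the openssl command prints (not real FreeIPA output).
SAMPLE_OPENSSL_OUTPUT = (
    "lastUpdate=Mar 10 08:00:00 2014 GMT\n"
    "nextUpdate=Mar 10 12:00:00 2014 GMT\n"
)

# Assumed safety margin: refresh once fewer than this many minutes remain.
DEFAULT_MARGIN = timedelta(hours=1)


def parse_field(openssl_output: str, field: str) -> datetime:
    """Return the UTC datetime for `lastUpdate` or `nextUpdate` in openssl's output."""
    match = re.search(rf"^{re.escape(field)}=(.+)$", openssl_output, re.MULTILINE)
    if not match:
        raise ValueError(f"no {field} line in openssl output")
    naive = datetime.strptime(match.group(1).strip(), OPENSSL_DATE_FMT)
    return naive.replace(tzinfo=timezone.utc)


def crl_status(next_update: datetime, now: datetime,
               margin: timedelta = DEFAULT_MARGIN) -> str:
    """Classify the CRL relative to `now`.

    'expired'  - nextUpdate has passed; agents already fail verification.
    'refresh'  - still valid but inside the margin; fetch the new CRL and restart now.
    'ok'       - nothing to do yet.
    """
    if now >= next_update:
        return "expired"
    if next_update - now <= margin:
        return "refresh"
    return "ok"


def is_newer_crl(candidate_output: str, current_output: str) -> bool:
    """True when a freshly fetched CRL has a later lastUpdate than the one in use.

    Useful so the refresh job only restarts the Puppetmaster when the CA has
    actually published something new.
    """
    return parse_field(candidate_output, "lastUpdate") > parse_field(current_output, "lastUpdate")


def read_crl_fields(crl_path: str) -> str:
    """Run the openssl command from the post against a CRL file and return its text output."""
    result = subprocess.run(
        ["openssl", "crl", "-in", crl_path, "-noout", "-lastupdate", "-nextupdate"],
        check=True, capture_output=True, text=True,
    )
    return result.stdout


def puppet_hostcrl_path() -> str:
    """Ask Puppet where the master's CRL lives (same lookup as in the post)."""
    result = subprocess.run(["puppet", "master", "--configprint", "hostcrl"],
                            check=True, capture_output=True, text=True)
    return result.stdout.strip()


if __name__ == "__main__":
    # Usage: crl_check.py [path-to-crl]; without an argument the path is taken from Puppet.
    path = sys.argv[1] if len(sys.argv) > 1 else puppet_hostcrl_path()
    fields = read_crl_fields(path)
    status = crl_status(parse_field(fields, "nextUpdate"), datetime.now(timezone.utc))
    print(f"{path}: {status}")
    # Non-zero exit when action is needed, so a cron wrapper can fetch + restart.
    sys.exit(0 if status == "ok" else 1)
```

The margin should be longer than the cron interval, otherwise the window Josh describes simply moves rather than closes; and because FreeIPA rewrites nextUpdate a few times a day, the check is cheap enough to run every few minutes.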