On Monday, March 17, 2014 1:26:03 PM UTC-5, [email protected] wrote:
>
> Hi,
> I've been having issues with certificates being revoked without any human
> intervention or oversight; one day a node will try to do an update and it
> can't because its certificate is revoked.
>
> There is definitely no one issuing 'puppet cert clean nodename' on the
> commandline.
>
> puppet --version
> 3.4.3
>
> any ideas? Is there some automated process that 'cleans' and revokes nodes
> that are 'too old'?
>
> I'd like to have control over this and have absolutely no automated system
> revoking certificates at all.

Puppet does not auto-revoke client certificates, but certificates do have a fixed lifetime, set when they are generated. I don't recall Puppet's default, but lifetimes are usually at least several years. If your lifetimes are abnormally short, or if some of your agents have been in operation a long time, though, then that may be what's happening.

You cannot disable this aspect of cryptographic certificates, but you can choose very long lifetimes.

John
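
Added example, not part of the original thread: a shell check that tells a revoked certificate (its serial is listed in the CA's CRL) apart from one whose fixed lifetime has run out or is about to. The function names, the file names and the sample certificate and CRL are constructed for illustration; it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example. Tells revocation (an explicit CA action) apart from expiry
# (the fixed lifetime running out) for one certificate.
# Usage: cert_status CERT.pem [CRL.pem] [WARN_SECONDS]
cert_status() {
    cert=$1; crl=${2:-}; warn=${3:-2592000}    # default warning window: 30 days
    # "serial=1234" -> "1234" (uppercase hex, same format as the CRL dump)
    serial=$(openssl x509 -in "$cert" -noout -serial | cut -d= -f2)
    # Revoked: the CA has listed this serial in its CRL.
    if [ -n "$crl" ] && openssl crl -in "$crl" -noout -text |
            grep -q "Serial Number: ${serial}\$"; then
        echo revoked
    # Expired: notAfter has passed; nobody had to run anything.
    elif ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo expired
    # Still valid, but notAfter falls inside the warning window.
    elif ! openssl x509 -in "$cert" -noout -checkend "$warn" >/dev/null; then
        echo expiring
    else
        echo valid
    fi
}

# Constructed sample data in directory $1: a self-signed certificate valid for
# 2 days (agent.pem, serial 0x1234) and a CRL that lists it (crl.pem).
make_sample() {
    d=$1
    : > "$d/index.txt"
    printf '[ca]\ndefault_ca=demo\n[demo]\ndatabase=%s/index.txt\n' "$d" > "$d/ca.cnf"
    printf 'default_md=sha256\ndefault_crl_days=30\n' >> "$d/ca.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -set_serial 4660 \
        -subj "/CN=agent01.example.test" \
        -keyout "$d/key.pem" -out "$d/agent.pem" 2>/dev/null
    openssl ca -config "$d/ca.cnf" -keyfile "$d/key.pem" -cert "$d/agent.pem" \
        -revoke "$d/agent.pem" 2>/dev/null
    openssl ca -config "$d/ca.cnf" -keyfile "$d/key.pem" -cert "$d/agent.pem" \
        -gencrl -out "$d/crl.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_sample "$demo"
cert_status "$demo/agent.pem" "$demo/crl.pem"    # revoked
cert_status "$demo/agent.pem"                    # expiring (2 days < 30 days)
cert_status "$demo/agent.pem" "" 3600            # valid
rm -rf "$demo"
```

On a Puppet master the real inputs would be the agent's signed certificate and the CA's CRL file; `puppet config print cacrl` shows where the CRL lives, and the `ca_ttl` setting controls the lifetime given to newly signed certificates.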
