These are not new nodes but not old either, only a few months. The date/time is correct. The DNS is correct. I have not manually set certificate lifetimes to be shorter than the default. However, sometimes these nodes might not check in for a few days.
This was recently a big problem as the cert for the puppetdb server was revoked. How can I get more information about the revocation?

On Monday, March 17, 2014 2:37:00 PM UTC-7, jcbollinger wrote:
>
> On Monday, March 17, 2014 1:26:03 PM UTC-5, [email protected] wrote:
>>
>> Hi,
>> I've been having issues with certificates being revoked without any human
>> intervention or oversight; one day a node will try to do an update and it
>> can't because its certificate is revoked.
>>
>> There is definitely no one issuing 'puppet cert clean nodename' on the
>> commandline.
>>
>> puppet --version
>> 3.4.3
>>
>> any ideas? Is there some automated process that 'cleans' and revokes
>> nodes that are 'too old'?
>>
>> I'd like to have control over this and have absolutely no automated
>> system revoking certificates at all.
>
> Puppet does not auto-revoke client certificates, but certificates do have
> a fixed lifetime, set when they are generated. I don't recall Puppet's
> default, but lifetimes are usually at least several years. If your
> lifetimes are abnormally short, or if some of your agents have been in
> operation a long time, though, then that may be what's happening. You
> cannot disable this aspect of cryptographic certificates, but you can
> choose very long lifetimes.
>
> John
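
One way to get more detail on a revocation like the one asked about above, as an added example (not part of the original thread and not Puppet's own tooling): it uses the `openssl` CLI to tell a certificate that is listed in a CRL, and when, from one that has simply expired. The function names and the throwaway CA built by `make_demo_ca` are constructed for illustration.

```shell
#!/bin/sh
# cert_status CERT_PEM CRL_PEM -> one line: revoked | expired | valid, with details
cert_status() {
    cert=$1 crl=$2
    serial=$(openssl x509 -noout -serial -in "$cert" | cut -d= -f2)
    end=$(openssl x509 -noout -enddate -in "$cert" | cut -d= -f2)
    # In the CRL text listing, the revocation date follows the serial's line
    revoked_on=$(openssl crl -noout -text -in "$crl" |
        grep -A1 -w "Serial Number: $serial" | sed -n 's/.*Revocation Date: //p')
    if [ -n "$revoked_on" ]; then
        echo "revoked serial=$serial on=$revoked_on"
    elif ! openssl x509 -noout -checkend 0 -in "$cert" >/dev/null; then
        echo "expired serial=$serial notAfter=$end"
    else
        echo "valid serial=$serial notAfter=$end"
    fi
}

# Constructed test data: a throwaway CA in DIR that issues node.pem, then
# writes before.crl, revokes the certificate, and writes after.crl.
make_demo_ca() {
    d=$1; mkdir -p "$d" && : > "$d/index.txt" && echo 1000 > "$d/serial"
    cat > "$d/ca.cnf" <<EOF
[ca]
default_ca = demo
[demo]
database = $d/index.txt
serial = $d/serial
new_certs_dir = $d
default_md = sha256
default_days = 30
default_crl_days = 30
policy = pol
[pol]
commonName = supplied
[req]
# Required key; the -subj option below overrides its contents
distinguished_name = pol
EOF
    openssl req -config "$d/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj /CN=demo-ca -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj /CN=node.example -keyout "$d/node.key" -out "$d/node.csr" 2>/dev/null
    ca="openssl ca -batch -config $d/ca.cnf -cert $d/ca.pem -keyfile $d/ca.key"
    $ca -notext -in "$d/node.csr" -out "$d/node.pem" 2>/dev/null
    $ca -gencrl -out "$d/before.crl" 2>/dev/null
    $ca -revoke "$d/node.pem" 2>/dev/null
    $ca -gencrl -out "$d/after.crl" 2>/dev/null
}
```

On a real deployment, pass the affected node's certificate and the CA's current CRL file to `cert_status`; the revocation date it prints can then be matched against the CA server's logs and shell history for that time.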
