On Tuesday, March 18, 2014 10:25:02 AM UTC-5, [email protected] wrote:
>
> These are not new nodes but not old either, only a few months. The date/time is correct. The DNS is correct. I have not manually set certificate lifetimes to be shorter than the default. However sometimes these nodes might not check in for a few days.
>
> This was recently a big problem as the cert for the puppetdb server was revoked.
>
> How can I get more information about the revocation?
You could start by giving *us* more information. Specifically, the actual messages that lead you to conclude that certificates have been revoked.

You could also look at the Puppet CA's data files in /var/lib/puppet/ssl/ca, or something like that. The inventory of current certificates and the CRL should both be there.

Is there any chance that your nodes' timekeeping is inconsistent? That can happen with VMs, for instance. If your nodes do not agree fairly closely with the master with respect to the current date and time of day then that can prevent successful SSL handshaking.

John
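Added example (not part of the original thread, and not Puppet's own tooling): one way to cross-reference the CRL against the CA inventory mentioned above, showing which certname each revoked serial belongs to and whether a newer certificate has since been issued for that name. The file names `ca_crl.pem` and `inventory.txt` are assumed defaults, the function names are hypothetical, and the sample data is constructed.

```shell
# Real use on the CA host (default file names assumed), as one pipeline:
#   openssl crl -in .../ssl/ca/ca_crl.pem -noout -text | revoked_certnames .../ssl/ca/inventory.txt
# Output: <serial> <subject> <latest|superseded|unknown> <revocation date>
revoked_certnames() {
    awk '
        function hex2dec(h,   i, n) {
            h = tolower(h); sub(/^0x/, "", h); n = 0
            for (i = 1; i <= length(h); i++)
                n = n * 16 + index("0123456789abcdef", substr(h, i, 1)) - 1
            return n
        }
        # Inventory pass: subject per serial, highest serial per subject.
        FNR == NR {
            if ($1 ~ /^0x/) { s = hex2dec($1); subj[s] = $4
                              if (s > newest[$4]) newest[$4] = s }
            next
        }
        /Serial Number:/   { serial = hex2dec($3) }
        /Revocation Date:/ {
            sub(/^.*Revocation Date: */, "")
            if (serial in subj) {
                name = subj[serial]
                state = (newest[name] > serial) ? "superseded" : "latest"
            } else { name = "(not-in-inventory)"; state = "unknown" }
            print serial, name, state, $0
        }
    ' "$1" -
}
# Constructed sample data, not taken from a real CA.
sample_inventory() { cat <<'EOF'
# SERIAL NOT_BEFORE NOT_AFTER SUBJECT
0x0005 2013-11-02T10:05:00GMT 2018-11-01T10:05:00GMT /CN=puppetdb.example.com
0x000a 2013-12-01T08:00:00GMT 2018-11-30T08:00:00GMT /CN=web01.example.com
0x000b 2014-03-15T09:20:00GMT 2019-03-14T09:20:00GMT /CN=puppetdb.example.com
EOF
}
sample_crl_text() { cat <<'EOF'
Revoked Certificates:
    Serial Number: 05
        Revocation Date: Mar 15 09:12:44 2014 GMT
    Serial Number: 0A
        Revocation Date: Mar 16 18:30:01 2014 GMT
EOF
}
demo() {
    inv=$(mktemp) || return 1
    sample_inventory > "$inv"; sample_crl_text | revoked_certnames "$inv"; rm -f "$inv"
}
demo
```

A `superseded` entry means a later serial exists for the same name, so the revoked certificate is an older one; `latest` means the most recently issued certificate for that name is itself on the CRL.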
