I've noticed that if a Puppet agent happens to contact the master after the 
"next update" time listed in the CRL

openssl crl -in `puppet master --configprint hostcrl` -noout -nextupdate

that the master has most recently read on startup, then it will fail with 
the message:

Error: /File[/var/opt/lib/pe-puppet/lib]: Failed to generate additional 
resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 
read server certificate B: certificate verify failed: [CRL has expired for 
/O=*redacted*/CN=*redacted*]

I'm using FreeIPA as a certificate authority, and it uses that field to 
communicate to users when the next update will be ready. It seems to like 
to update it a few times a day. The trouble is, there is always going to be 
a moment *after* the update is ready but *before* a script has had a chance 
to update the CRL and restart the Puppetmaster. During this time, Puppet 
agent runs will fail. Is there any way to tell Puppet that slightly 
out-of-date CRLs are okay? Otherwise, I think the next step is to try 
disabling checks to the CRL, but I like the fact that Puppet checks it by 
default.

- Josh Bronson
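A monitoring check for the gap described above, added here as an example and not part of the original post or of Puppet itself: it parses the output of the same `openssl crl -noout -nextupdate` command and reports how long the CRL has left, so the refresh-and-restart script can be scheduled before the deadline rather than after agents have already started failing. The sample openssl output is constructed, and `check_crl_file` assumes `openssl` is on PATH and that the path comes from `puppet master --configprint hostcrl`.

```python
"""Report how much validity a CRL has left, based on openssl's -nextupdate output."""
import subprocess
import time
from datetime import datetime, timezone

# `openssl crl -noout -nextupdate` prints a single line such as:
#   nextUpdate=Mar  5 18:30:00 2014 GMT
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y GMT"


def next_update_epoch(openssl_output: str) -> float:
    """Return the CRL's nextUpdate field as a UTC epoch timestamp."""
    for line in openssl_output.splitlines():
        if line.startswith("nextUpdate="):
            value = line.split("=", 1)[1].strip()
            value = " ".join(value.split())  # openssl pads single-digit days with a space
            dt = datetime.strptime(value, OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)
            return dt.timestamp()
    raise ValueError("no nextUpdate line in openssl output")


def crl_status(openssl_output: str, now: float, warn_before: float = 3600.0):
    """Classify the CRL as 'ok', 'expiring' (within warn_before seconds) or 'expired'.

    Returns (state, seconds_remaining). A negative remainder is the window in which
    agent runs fail with "CRL has expired" until the master reloads a fresh CRL."""
    remaining = next_update_epoch(openssl_output) - now
    if remaining <= 0:
        return "expired", remaining
    if remaining <= warn_before:
        return "expiring", remaining
    return "ok", remaining


def check_crl_file(path: str, warn_before: float = 3600.0):
    """Run openssl against the CRL on disk (path from `puppet master --configprint hostcrl`).

    Assumes the openssl binary is on PATH."""
    proc = subprocess.run(["openssl", "crl", "-in", path, "-noout", "-nextupdate"],
                          check=True, capture_output=True, text=True)
    return crl_status(proc.stdout, time.time(), warn_before)


# Constructed sample output; not captured from a real CA.
SAMPLE_OUTPUT = "nextUpdate=Mar  5 18:30:00 2014 GMT\n"

if __name__ == "__main__":
    deadline = next_update_epoch(SAMPLE_OUTPUT)
    print(crl_status(SAMPLE_OUTPUT, now=deadline - 1800))  # ('expiring', 1800.0)
    print(crl_status(SAMPLE_OUTPUT, now=deadline + 60))    # ('expired', -60.0)
```

Run `check_crl_file` from cron a little more often than the CA republishes; an "expiring" result is the cue to fetch the new CRL and restart the master before the old one lapses.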
