On Wednesday, October 12, 2016 at 4:55:09 AM UTC-4, Fredrik Nilsson wrote:
>
> Thanks for your reply Andrew, sadly I guess that won't be an option as the 
> pain of re-signing the actual certificate for erroneous hosts is less than 
> re-signing every certificate for all existing hosts. After all we are in 
> the process of upgrading to Puppet 4 so hopefully one of the side effects 
> of that upgrade is that this error goes away as a part of the process. 
> Thanks though, one should always train one's cut'n'paste skills ;-).
>

If you have an mcollective environment, you could turn on auto-sign, use 
mcollective to whack the local ca/host certs, and then use mcollective to 
trigger a puppet run (which would auto-request a new certificate).

Since my puppet environment is now 5 years old, I'm experiencing a rolling 
expiration of puppet agent certs, and I wrote a script that lives on the 
puppet master that checks for impending expirations, and if it finds them, 
it runs:

puppet cert clean <hostname>
mco puppet resource exec "rm -rf /var/lib/puppet/ssl/*" -W fqdn=<hostname>
mco puppet runonce -W fqdn=<hostname>
puppet cert sign <hostname>

... there's a bit of a tricky timing issue that (usually) doesn't matter, 
since we configure mcollective to actually use the puppet agent's 
certificate/key pair.

If you're doing this on Windows, the equivalent powershell-fu shouldn't be 
too tough.  You'd probably want to stop the puppet service on the agent, 
nuke the certs/keys, and then invoke a single synchronous run of puppet to 
request the new certificate.
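
A sketch of the expiration check described above, as an added example that is not part of the original post and is not the poster's script. It assumes the Puppet 3 default CA layout (/var/lib/puppet/ssl/ca/signed/<certname>.pem) and that openssl is installed on the master; the function name expiring_certs is hypothetical.

```shell
#!/bin/sh
# Added example: list the certnames in a Puppet CA "signed" directory whose
# certificates expire within a given number of days.
# Assumption: each signed agent certificate is stored as <certname>.pem.

# expiring_certs DIR DAYS -> prints one certname per line on stdout
expiring_certs() {
    dir=$1
    days=$2
    secs=$((days * 86400))
    for pem in "$dir"/*.pem; do
        # Empty directory: the glob stays literal and matches no file.
        [ -f "$pem" ] || continue
        # Skip files that are not parsable certificates, so a corrupt file
        # is reported on stderr instead of being treated as "expiring".
        if ! openssl x509 -noout -in "$pem" >/dev/null 2>&1; then
            echo "warning: cannot parse $pem" >&2
            continue
        fi
        # -checkend exits non-zero when the certificate expires within
        # the next $secs seconds (already expired certificates included).
        if ! openssl x509 -checkend "$secs" -noout -in "$pem" >/dev/null 2>&1; then
            basename "$pem" .pem
        fi
    done
}

# Run only when a directory is given, e.g.:
#   ./check-expiry.sh /var/lib/puppet/ssl/ca/signed 30
if [ "$#" -ge 1 ]; then
    expiring_certs "$1" "${2:-30}"
fi
```

Each certname printed is a candidate for the clean, remove, run and sign sequence quoted in the message; reviewing the list before acting on it keeps an unexpected certname from being re-signed automatically.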
