On Wednesday, October 12, 2016 at 4:55:09 AM UTC-4, Fredrik Nilsson wrote:
> Thanks for your reply Andrew, sadly I guess that won't be an option as the
> pain of re-signing the actual certificate for erroneous hosts is less than
> re-signing every certificate for all existing hosts. After all we are in
> the process of upgrading to Puppet 4 so hopefully one of the side effects
> of that upgrade is that this error goes away as a part of the process.
> Thanks though, one should always train one's cut'n'paste skills ;-).

If you have an mcollective environment, you could turn on auto-sign, use
mcollective to whack the local ca/host certs, and then use mcollective to
trigger a puppet run (which would auto-request a new certificate).

Since my puppet environment is now 5 years old, I'm experiencing a rolling
expiration of puppet agent certs, and I wrote a script that lives on the
puppet master that checks for impending expirations, and if it finds them,

    puppet cert clean <hostname>
    mco puppet resource exec "rm -rf /var/lib/puppet/ssl/*" -W fqdn=<hostname>
    mco puppet runonce -W fqdn=<hostname>
    puppet cert sign <hostname>

... there's a bit of a tricky timing issue that (usually) doesn't matter,
since we configure mcollective to actually use the puppet agent's

If you're doing this on Windows, the equivalent powershell-fu shouldn't be
too tough. You'd probably want to stop the puppet service on the agent,
nuke the certs/keys, and then invoke a single synchronous run of puppet to
request the new certificate.
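
The expiry check and renewal sequence described in the message above, as an added example that is not the poster's script. It assumes the Puppet 3 default CA directory /var/lib/puppet/ssl/ca/signed on the master; the function names, WARN_DAYS and the --plan switch are hypothetical, and the renewal commands are printed for review rather than executed.

```shell
#!/bin/sh
# Added example: list agent certs nearing expiry on the master and print
# (not run) the renewal commands from the message for each one.
# Assumptions: SIGNED_DIR is the Puppet 3 default; WARN_DAYS, the function
# names and the --plan switch are hypothetical.
SIGNED_DIR="${SIGNED_DIR:-/var/lib/puppet/ssl/ca/signed}"
WARN_DAYS="${WARN_DAYS:-30}"

# Print the certname of every <certname>.pem in $1 that expires within $2 days.
expiring_certs() {
    dir=$1
    secs=$(( $2 * 86400 ))
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        # Skip files that do not parse, so they are not reported as expiring.
        openssl x509 -in "$pem" -noout >/dev/null 2>&1 ||
            { echo "skipping unreadable cert: $pem" >&2; continue; }
        # -checkend exits non-zero when notAfter falls within $secs seconds.
        if ! openssl x509 -in "$pem" -noout -checkend "$secs" >/dev/null 2>&1; then
            basename "$pem" .pem
        fi
    done
}

# Print the renewal sequence for one host. The name ends up in commands run
# as root on the master, so anything but a plain lower-case FQDN is refused.
renewal_plan() {
    host=$1
    case $host in
        ''|*[!a-z0-9.-]*|-*|.*) echo "refusing certname: $host" >&2; return 1 ;;
    esac
    printf '%s\n' \
        "puppet cert clean $host" \
        "mco puppet resource exec \"rm -rf /var/lib/puppet/ssl/*\" -W fqdn=$host" \
        "mco puppet runonce -W fqdn=$host" \
        "puppet cert sign $host"
}

# Dry run: show the plan for every cert inside the warning window.
main() {
    expiring_certs "$SIGNED_DIR" "$WARN_DAYS" | while read -r host; do
        echo "# $host expires within $WARN_DAYS days"
        renewal_plan "$host" || true
    done
}

if [ "${1:-}" = "--plan" ]; then main; fi
```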