Did you ever get to the bottom of this? I'm seeing a similar issue. We have a janky dual master setup where one master rsyncs /var/lib/puppet (and uses the same certificate) from the other master and the other master runs haproxy and sends 60% of requests to the other one. We are seeing some non-expired certs randomly appear revoked. "puppet cert list -all" shows the cert as revoked. But the serial number for the supposedly revoked cert is not in /var/lib/puppet/ssl/ca/ca_crl.pem nor in /var/lib/puppet/crl.pem. Seems like this just started happening a couple of weeks ago. I know this thread is over 3 years old, but I'm not really finding much on this. This is with puppet version 3.4.3.

On Monday, March 17, 2014 at 11:26:03 AM UTC-7, Steve Wray wrote:
>
> Hi,
> I've been having issues with certificates being revoked without any human
> intervention or oversight; one day a node will try to do an update and it
> can't because its certificate is revoked.
>
> There is definitely no one issuing 'puppet cert clean nodename' on the
> commandline.
>
> puppet --version
> 3.4.3
>
> any ideas? Is there some automated process that 'cleans' and revokes nodes
> that are 'too old'?
>
> I'd like to have control over this and have absolutely no automated system
> revoking certificates at all.
>
> Thanks.
