On Wednesday, October 12, 2016 at 4:55:09 AM UTC-4, Fredrik Nilsson wrote:
>
> Thanks for your reply Andrew, sadly I guess that won't be an option as the
> pain of re-signing the actual certificate for erroneous hosts is less than
> re-signing every certificate for all existing hosts. After all we are in
> the process of upgrading to Puppet 4 so hopefully one of the side effects
> of that upgrade is that this error goes away as a part of the process.
> Thanks though, one should always train one's cut'n'paste skills ;-).
>
If you have an mcollective environment, you could turn on auto-sign, use mcollective to whack the local ca/host certs, and then use mcollective to trigger a puppet run (which would auto-request a new certificate).

Since my puppet environment is now 5 years old, I'm experiencing a rolling expiration of puppet agent certs, and I wrote a script that lives on the puppet master that checks for impending expirations, and if it finds them, it runs:

    puppet cert clean <hostname>
    mco puppet resource exec "rm -rf /var/lib/puppet/ssl/*" -W fqdn=<hostname>
    mco puppet runonce -W fqdn=<hostname>
    puppet cert sign <hostname>

... there's a bit of a tricky timing issue that (usually) doesn't matter, since we configure mcollective to actually use the puppet agent's certificate/key pair.

If you're doing this on Windows, the equivalent powershell-fu shouldn't be too tough. You'd probably want to stop the puppet service on the agent, nuke the certs/keys, and then invoke a single synchronous run of puppet to request the new certificate.
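
One way the expiry check described in the reply could look, as an added example that is not the poster's script. It assumes signed agent certificates are stored as <certname>.pem under /var/lib/puppet/ssl/ca/signed (the Puppet 3 default layout); expiring_hosts, renew_plan and SKIP_CERTNAME are names invented here. It prints the four commands from the post for each expiring host instead of running them.

```shell
#!/bin/sh
# Added example, not the poster's script.
# Assumption: signed agent certs are <certname>.pem files under the CA's
# signed directory (Puppet 3 default shown); override SIGNED_DIR as needed.
SIGNED_DIR="${SIGNED_DIR:-/var/lib/puppet/ssl/ca/signed}"

# expiring_hosts DIR DAYS [SKIP]
# Prints the certname of every cert in DIR that expires within DAYS days
# (or already has). SKIP is a certname to leave alone, e.g. the master's own.
expiring_hosts() {
    dir=$1; secs=$(( $2 * 86400 )); skip=${3:-}
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue              # empty directory
        name=$(basename "$pem" .pem)
        [ "$name" = "$skip" ] && continue
        # Unparsable files would otherwise look "expired" to -checkend.
        if ! openssl x509 -noout -in "$pem" >/dev/null 2>&1; then
            echo "skipping unparsable $pem" >&2
            continue
        fi
        # -checkend exits non-zero if notAfter is within $secs seconds.
        openssl x509 -checkend "$secs" -noout -in "$pem" >/dev/null 2>&1 \
            || echo "$name"
    done
    return 0
}

# renew_plan CERTNAME
# Prints (does not run) the four commands from the post for one host.
# The name is checked first because it is substituted into root commands.
renew_plan() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) echo "refusing certname: $1" >&2; return 1 ;;
    esac
    echo "puppet cert clean $1"
    echo "mco puppet resource exec \"rm -rf /var/lib/puppet/ssl/*\" -W fqdn=$1"
    echo "mco puppet runonce -W fqdn=$1"
    echo "puppet cert sign $1"
}

# Dry run: print the plan for every agent cert expiring in the next 30 days.
# SKIP_CERTNAME is a hypothetical variable naming the master's own cert.
main() {
    expiring_hosts "$SIGNED_DIR" "${1:-30}" "${SKIP_CERTNAME:-}" |
        while read -r host; do renew_plan "$host"; done
}
main "$@"
```

Setting SKIP_CERTNAME to the master's certname keeps the master's own certificate, which also lives in the signed directory, out of the plan.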
