Re: [foreman-users] Re: [Katello] e-mail notifications does not work

[Edgars M.]

Thanks!

Edgars

ceturtdiena, 2016. gada 25. augusts 20:40:46 UTC+2, jsherril rakstīja:
>
> On 08/24/2016 03:01 AM, Edgars M. wrote:
>
> Hi 
>
> Yes, I did
>
>
> 
>
>
> Apologies, i believe this is a bug:  
> http://projects.theforeman.org/issues/16303
>
> I will take a look at fixing it.
>
> -Justin
>
>
> Edgars
>
> otrdiena, 2016. gada 23. augusts 16:52:29 UTC+2, jsherril rakstīja: 
>>
>> On 08/23/2016 06:40 AM, Edgars M. wrote:
>>
>> Hi 
>>
>> Any idea why e-mails does not work in Katello 3.0.2?
>>
>> trešdiena, 2016. gada 17. augusts 10:18:39 UTC+2, Edgars M. rakstīja: 
>>>
>>> Hi 
>>>
>>> I have subscribed my user to receive e-mails but I don't get any. Under 
>>> e-mail preferences Mail enabled is checked and when I do Test email I 
>>> receive test e-mail. 
>>>
>>
>> Did you 'opt in' for emails under your user's settings?
>>
>>
>>> Foreman test email This is a test message to confirm that Foreman's 
>>> email configuration is working. 
>>>
>>> However I don't receive any automatic e-mail after repo sync, etc. I 
>>> don't see any log files entries regarding e-mails. Nothing. In Dynflow 
>>> console, under ErrataMail I can see:
>>>
>>> *Started at:* 2016-08-16 23:02:26 UTC
>>>
>>> *Ended at:* 2016-08-16 23:02:26 UTC
>>>
>>> *Real time:* 0.04s
>>>
>>> *Execution time (excluding suspended state):* 0.04s
>>>
>>> *Input:*
>>>
>>> ---
>>> repo: 2407
>>> last_updated: '2016-08-17 01:01:54 +0200'
>>> contents_changed: true
>>>
>>> *Output:*
>>>
>>> --- {}
>>>
>>>
>>> Not sure what does it mean, but no e-mails are sent.
>>>
>>> This is content of /etc/foreman/email.yaml
>>>
>>> # Outgoing email settings
>>>
>>>
>>> production:
>>>   delivery_method: :smtp
>>>   smtp_settings:
>>> address: mailgw.local.org
>>> port: 25
>>> domain: local.org
>>> authentication: :none
>>>
>>>
>>> Any ideas?
>>>
>>> Katello version 3.0.2
>>> CentOS 7
>>>
>>>
>>> Edgars
>>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Foreman users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to foreman-user...@googlegroups.com.
>> To post to this group, send email to forema...@googlegroups.com.
>> Visit this group at https://groups.google.com/group/foreman-users.
>> For more options, visit https://groups.google.com/d/optout.
>>
>>
>> -- 
> You received this message because you are subscribed to the Google Groups 
> "Foreman users" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to foreman-user...@googlegroups.com .
> To post to this group, send email to forema...@googlegroups.com 
> .
> Visit this group at https://groups.google.com/group/foreman-users.
> For more options, visit https://groups.google.com/d/optout.
>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to foreman-users+unsubscr...@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

[foreman-users] Katello sync plans custom interval

['Denis Müller' via Foreman users]

Hello Guys,

does anybody know if there a  way to customize the sync interval for 
products like every 15 mins?

Greets,
Denis

-- 
You received this message because you are subscribed to the Google Groups 
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to foreman-users+unsubscr...@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

[foreman-users] Re: Katello sync plans custom interval

[Edgars M.]

hammer + crontab?

Edgars

piektdiena, 2016. gada 26. augusts 09:39:23 UTC+2, Denis Müller rakstīja:
>
> Hello Guys,
>
> does anybody know if there a  way to customize the sync interval for 
> products like every 15 mins?
>
> Greets,
> Denis
>

-- 
You received this message because you are subscribed to the Google Groups 
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to foreman-users+unsubscr...@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

Re: [foreman-users] Adding subnet details to Interface hash sent via orchestration 'create' event

[Marek Hulán]

Hello

Sorry I'm not aware of that change. Since this sounds like something useful 
for everybody and you already got a patch, could you please create a redmine 
issue and send a pull request so we incorporate it? You can find information 
about the process at [1]. One potential benefit for you - you wouldn't lose the 
custom patch after next Foreman upgrade :-)

[1] https://theforeman.org/contribute.html#SubmitPatches

--
Marek

On Tuesday 16 of August 2016 17:20:09 Francois Herbert wrote:
> OK, Just in case anyone else needs to know, I figured this out, in the same
> file (app/views/api-v2/hosts/show.json.rabl) I needed to apply the
> following patch:
> 
> 14c14
> 
> <   extends "api/v2/interfaces/main"
> 
> ---
> 
> >   extends "api/v2/interfaces/base"
> 
> This makes the following change:
> 
> 
> child :interfaces => :interfaces do
> 
>   extends "api/v2/interfaces/main"
> 
> end
> 
> On Thursday, August 11, 2016 at 11:27:52 AM UTC+12, Francois Herbert wrote:
> > Has this behaviour changed in version 1.11.4?
> > 
> > 
> > in app/views/api/v2/hosts.show.json.rabl I have:
> > 
> > 
> > extends "api/v2/interfaces/main”
> > 
> > 
> > but I don’t get the subnet_name or subnet_id passed to the hook on the
> > create event. I've checked main.json.rabl and it is adding the subnet_id
> > and subnet_name attributes.
> > 
> > 
> > What I do get is:
> > 
> > 
> > "interfaces":[{"id":null,"name":"test52.domain.com
> > ","ip":null,"mac":"00:50:56:9a:43:f7","identifier":"","primary":true,"prov
> > ision":true,"type":"interface"}]
> > 
> > 
> > Thanks
> > 
> > Francois
> > 
> > On Tuesday, March 22, 2016 at 9:15:28 PM UTC+13, Dominic Cleal wrote:
> >> On 21/03/16 20:57, Francois Herbert wrote:
> >> > I'm using foreman hooks to update an external IPAM system. The
> >> 
> >> interface
> >> 
> >> > hash that is sent does not include the subnet name or id that the
> >> > interface has been designated in foreman.
> >> > There is subnet information sent through in the host hash but only one
> >> > subnet per host is sent - not useful is there are multiple network
> >> > interfaces on different subnets.
> >> > 
> >> > I've tired making an API call in the create hook but the data isn't
> >> > committed to the database at this stage so can't retrieve the subnet
> >> > information for each network interface.
> >> > 
> >> > This is what currently gets sent through with the create hook for the
> >> 
> >> > interface hash:
> >> interfaces":[{"id":null,"name":"interface1name","ip":null,"mac":"00:11:22
> >> :33:44:55","identifier":"","primary":true,"provision":true,"type":"interf
> >> ace"},{"id":null,"name":"interface2name","ip":null,"mac":"00:11:22:33:44:
> >> 56","identifier":"","primary":false,"provision":false,"type":"interface"}
> >> ]>> 
> >> > The ideal data that I need would look like:
> >> interfaces":[{"id":null,"name":"interface1name","ip":null,"mac":"00:11:22
> >> :33:44:55","identifier":"","primary":true,"provision":true,"type":"interf
> >> ace","subnet_id":2,"subnet_name":"Frontend","sp_subnet_id":null},{"id":nu
> >> ll,"name":"interface2name","ip":null,"mac":"00:11:22:33:44:56","identifie
> >> r":"","primary":false,"provision":false,"type":"interface","subnet_id":3,
> >> "subnet_name":"Backend","sp_subnet_id":null}]>> 
> >> > Has anyone got any idea what code I need to modify (or if it's
> >> 
> >> possible)
> >> 
> >> > to add the subnet name and subnet id through with the create hook event
> >> > data in the interfaces hash?
> >> 
> >> It's from the API responses defined in
> >> app/views/api/v2/hosts/show.json.rabl, which uses the "base" interface
> >> view rather than the "main" one which usually includes the subnet ID.

-- 
You received this message because you are subscribed to the Google Groups 
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to foreman-users+unsubscr...@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

[foreman-users] Does anyone let non-admin users manage roles?

[Marek Hulán]

Hello

after some work that has been done on Roles and Organization/Locations 
recently we realized that we tend to support very complicated feature. We 
allow delegate role editing permissions to non-admin users. When Organizations 
and Locations are also enabled, users and filters can be scoped to them too. 
With Foreman 1.13, this will be available for Roles as well.

Let's assume we have user scoped to Org A and B and he can edit roles. From 
his point of view when editing role Manager, he updates only permissions for 
these two orgs but since the role is global it could affect other orgs too. We 
could add some check that the user can only edit roles that are associated to 
same or less orgs as is his account.

But there's another problem - no organization set actually means "any 
organization". So if user removes all org associations he or she would make it 
global so affecting all users. Again we could add some extra check for this 
case.

There's also a permission for what organizations and locations user can assign 
which is automatically checked after each save so user should also have this 
permission for all organization he's assigned to.

Another challenge is how to tell users that they can't edit this role because 
of reasons described above? We'd have to say "you can't edit this role because 
it's being used also elsewhere but we can't tell you where".

Well if you understood all I've written so far maybe it's just my feeling, but 
I find all of this unnecessarily complicated. I saw other apps that only 
allowed roles modification to super admin users. Other users could still assign 
user accounts with existing roles but they couldn't modify the scope of these 
roles.

Therefore my question, would simplification like this be considered problem for 
any Foreman user? Or can we let only admins edit roles and filters?

Thanks for any feedback

--
Marek

-- 
You received this message because you are subscribed to the Google Groups 
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to foreman-users+unsubscr...@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

[foreman-users] Outstanding errat report

[Craig Elston]

Can anyone point me in the right direction? 

I am looking to query outstanding errata per host/content host/system 
directly from the foreman database. I have a requirement to have weekly 
reports sent to a team of engineers.

I have been able to find most of the fields that I need, but the errata per 
server is eluding me.

Any help would be appreciated.

Craig Elston

-- 
You received this message because you are subscribed to the Google Groups 
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to foreman-users+unsubscr...@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

[foreman-users] Re: Outstanding errat report

[Duncan Innes]

You using the API for this or querying the database?  Querying the database 
is the way to insanity . . .

I did this for Satellite 5.x, but haven't looked at it for 
Katello/Satellite6 yet.  Not sure if all the queries are in place yet. 
 There was a ticket raised for querying the outstanding packages on a host 
based on the Errata that are in Library rather than the hosts own 
environment.  This would allow you to see outstanding Errata as they come 
into Katello/Satellite before they're promoted through your environments. 
 Have now been asked to look into this for work on our Satellite 6.2 
install, so will share what I can.

On Friday, 26 August 2016 14:22:01 UTC+1, Craig Elston wrote:
>
> Can anyone point me in the right direction? 
>
> I am looking to query outstanding errata per host/content host/system 
> directly from the foreman database. I have a requirement to have weekly 
> reports sent to a team of engineers.
>
> I have been able to find most of the fields that I need, but the errata 
> per server is eluding me.
>
> Any help would be appreciated.
>
> Craig Elston
>

-- 
You received this message because you are subscribed to the Google Groups 
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to foreman-users+unsubscr...@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

Re: [foreman-users] Does anyone let non-admin users manage roles?

[Tom McKay]

Long ago I tried to implement "A user should not be able to create a role
that exceeds their own permissions."[1][2] I didn't really dig into the
code enough to get it right, though.

If we ever hope to go to any sort of multi-tenancy, I think it is important
to allow non "checkbox admins" to administer their own orgs. By "checkbox
admin" I mean the superuser can do everything admins we have now with the
checkbox on the user page. This flag bypasses all RBAC when checking auth.

What I thought would work is a model where a user could never create a
permission that exceeded their own. In this way, a checkbox admin could
create an org admin. The org admin would have all available permissions but
scoped to just a specific org, including roles. This org admin could then
themselves permissions to other users but those permissions could never
exceed the scope of the org.

If I recall correctly, I implemented this by giving users two permissions,
one from the user that created the other user and then the other the normal
set assigned directly. Whenever RBAC was checked, the test would run
through both.

The parent user permissions could be displayed easily on the user in a
separate read only or locked list.

If the parent user gained new permissions (eg. they were added to org B in
addition to the original org A), then they could grant the new permissions
to their users.

In summary, I am not at all a fan of the checkbox admin as the sole power
user model. I believe the checkbox admin should be rare and the more common
admin should be a user with all or a subset of permissions. Having worked
with various RBAC implementations over the years and knowing the difficulty
in getting them right, I really like the one implemented in foreman and
believe it's very close to being completely suitable for multi tenancy use.


[1] http://projects.theforeman.org/issues/8673
[2] https://github.com/theforeman/foreman/pull/2011

On Fri, Aug 26, 2016 at 9:10 AM, Marek Hulán  wrote:

> Hello
>
> after some work that has been done on Roles and Organization/Locations
> recently we realized that we tend to support very complicated feature. We
> allow delegate role editing permissions to non-admin users. When
> Organizations
> and Locations are also enabled, users and filters can be scoped to them
> too.
> With Foreman 1.13, this will be available for Roles as well.
>
> Let's assume we have user scoped to Org A and B and he can edit roles. From
> his point of view when editing role Manager, he updates only permissions
> for
> these two orgs but since the role is global it could affect other orgs
> too. We
> could add some check that the user can only edit roles that are associated
> to
> same or less orgs as is his account.
>
> But there's another problem - no organization set actually means "any
> organization". So if user removes all org associations he or she would
> make it
> global so affecting all users. Again we could add some extra check for this
> case.
>
> There's also a permission for what organizations and locations user can
> assign
> which is automatically checked after each save so user should also have
> this
> permission for all organization he's assigned to.
>
> Another challenge is how to tell users that they can't edit this role
> because
> of reasons described above? We'd have to say "you can't edit this role
> because
> it's being used also elsewhere but we can't tell you where".
>
> Well if you understood all I've written so far maybe it's just my feeling,
> but
> I find all of this unnecessarily complicated. I saw other apps that only
> allowed roles modification to super admin users. Other users could still
> assign
> user accounts with existing roles but they couldn't modify the scope of
> these
> roles.
>
> Therefore my question, would simplification like this be considered
> problem for
> any Foreman user? Or can we let only admins edit roles and filters?
>
> Thanks for any feedback
>
> --
> Marek
>
> --
> You received this message because you are subscribed to the Google Groups
> "Foreman users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to foreman-users+unsubscr...@googlegroups.com.
> To post to this group, send email to foreman-users@googlegroups.com.
> Visit this group at https://groups.google.com/group/foreman-users.
> For more options, visit https://groups.google.com/d/optout.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to foreman-users+unsubscr...@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

Re: [foreman-users] Re: Katello sync plans custom interval

[Walden Raines]

Unfortunately katello only supports hourly, daily, or weekly sync intervals 
natively.  This is a good RFE if you wanted to enter it into redmine.

Thanks,
Walden


- Original Message -
From: "Edgars M." 
To: "Foreman users" 
Sent: Friday, August 26, 2016 5:11:31 AM
Subject: [foreman-users] Re: Katello sync plans custom interval

hammer + crontab?

Edgars

piektdiena, 2016. gada 26. augusts 09:39:23 UTC+2, Denis Müller rakstīja:
>
> Hello Guys,
>
> does anybody know if there a  way to customize the sync interval for 
> products like every 15 mins?
>
> Greets,
> Denis
>

-- 
You received this message because you are subscribed to the Google Groups 
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to foreman-users+unsubscr...@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

-- 
You received this message because you are subscribed to the Google Groups 
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to foreman-users+unsubscr...@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

[foreman-users] Re: Next Foreman Community Demo - Thu 25 Aug

[Greg Sutcliffe]

If you missed it live, the recording is now available at
https://youtu.be/3t3LHUu4zXk

Some great stuff in this one - Ansible updates, Katello improvements, and
the work on UEFI boot support in Foreman's orchestration. Check it out!

Cheers
Greg

-- 
You received this message because you are subscribed to the Google Groups 
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to foreman-users+unsubscr...@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

[foreman-users] Re: Next Foreman Community Demo - Thu 25 Aug

[Mike Wilson]

Thanks for doing these. As someone that just recently found Foreman I'm 
overwhelmed by the features and these help. 

On Friday, August 26, 2016 at 9:18:48 AM UTC-5, Greg Sutcliffe wrote:
>
> If you missed it live, the recording is now available at 
> https://youtu.be/3t3LHUu4zXk
>
> Some great stuff in this one - Ansible updates, Katello improvements, and 
> the work on UEFI boot support in Foreman's orchestration. Check it out!
>
> Cheers
> Greg
>

-- 
You received this message because you are subscribed to the Google Groups 
"Foreman users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to foreman-users+unsubscr...@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at https://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.

[foreman-users] Multimaster smart-proxy setup with inconsistent cert issue.

[Mike Wilson]

(sorry if I have a lot of configs, just wanted to make sure all the 
relevant bits were included)

tldr; The problem is some of the nodes will not communicate with one of the 
smart-proxy puppet masters (non-alpha ones) because of cert errors. 

This might be a puppet issue but I'm not entirely sure. First let me 
explain the setup. I have a Foreman server setup as the "alpha" puppet 
master. Then I have 2 other puppet masters that use the alpha as the 
ca_server and run smart-proxy-puppet. I've several "nodes". Some under 
alpha-master and some under each of the other proxy puppet masters.

* george-dev = alpha-puppet master (foreman and ca_server)
* construction-dev = puppet master smart-proxy
* grill-dev = puppet master smart-proxy
* h8-dev = node calling grill-dev as it's puppet master

For each puppet master smart-proxy I created certs on the alpha-master 
(george) and located them on the host before foreman-installer was run. 
Here are the files/names placed onto grill-dev.
/etc/puppetlabs/puppet/ssl/certs/ca.pem
/etc/puppetlabs/puppet/ssl/certs/grill-dev.ourdomain.com.pem
/etc/puppetlabs/puppet/ssl/private_keys/grill-dev.ourdomain.com.pem
/etc/puppetlabs/puppet/ssl/public_keys/grill-dev.ourdomain.com.pem
/etc/puppetlabs/puppet/ssl/certs/george-dev.ourdomain.com.pem
/etc/puppetlabs/puppet/ssl/private_keys/george-dev.ourdomain.com.pem
/etc/puppetlabs/puppet/ssl/public_keys/george-dev.ourdomain.com.pem


Here is a sample puppet.conf on one of the smart-proxy puppet masters 
(grill-dev)

## Module:   'puppet'

[main]
# Where Puppet's general dynamic and/or growing data is kept
vardir = /opt/puppetlabs/puppet/cache

# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppetlabs/puppet

# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppetlabs

# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = /etc/puppetlabs/puppet/ssl

# Allow services in the 'puppet' group to access key (Foreman + proxy)
privatekeydir = $ssldir/private_keys { group = service }
hostprivkey = $privatekeydir/$certname.pem { mode = 640 }

show_diff = false

## Server config

reports  = foreman

environmentpath  = /etc/puppetlabs/code/environments
  basemodulepath   = 
/etc/puppetlabs/code/environments/common:/etc/puppetlabs/code/modules:/opt/puppetlabs/puppet/modules

hiera_config = $confdir/hiera.yaml
### Next part of the file is managed by a different template ###
## Module:   'puppet'

[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration.  Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$statedir/classes.txt'.
classfile = $statedir/classes.txt

# Where puppetd caches the local configuration.  An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig

# Disable the default schedules as they cause continual skipped
# resources to be displayed in Foreman - only for Puppet >= 3.4
default_schedules = false

report= true
pluginsync= true
masterport= 8140
environment   = production
certname  = grill-dev.ourdomain.com
server= george-dev.ourdomain.com
listen= false
splay = false
splaylimit= 1800
runinterval   = 1800
noop  = false
usecacheonfailure = true
### Next part of the file is managed by a different template ###
## Module:   'puppet'

[master]
autosign   = /etc/puppetlabs/puppet/autosign.conf { mode = 0664 }
external_nodes = /etc/puppetlabs/puppet/node.rb
node_terminus  = exec
ca = false
ssldir = /etc/puppetlabs/puppet/ssl
certname   = grill-dev.ourdomain.com
parser = current
strict_variables = false




The problem is some of the nodes will not communicate with one of the 
smart-proxy puppet masters (non-alpha ones) because of cert errors. Here is 
a example error.

[root@h8-dev puppet]# puppet agent --test
Warning: Unable to fetch my node definition, but the agent run will 
continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate 
B: certificate verify failed: [certificate revoked for 
/CN=grill-dev.ourdomain.com]
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional 
resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 
read server certificate B: certificate verify failed: [certificate revoked 
for /CN=grill-dev.ourdomain.com]
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not 
retrieve file metadata for puppet://grill-dev.ourdom