If the system time and date on an agent node don’t match the system time and date on the primary server, or if you run an agent in noop mode, you get an expired certificate revocation list (CRL) error message on the agent node in Puppet Enterprise.
Error messages
Error: Could not run: The CRL issued by 'CN=Puppet CA generated on <primary-server> at 2016-02-09 05:04:18 +0000' has expired, verify time is synchronized
Could not send report: certificate verify failed [CRL has expired for CN=<primary-server>]
These error messages appear on the agent node in PE.
Version and installation information
PE version: All supported
Solution
Check that the time and date on the agent node with the error message match the time and date on the primary server. Then follow these steps to download a new copy of the CRL to the agent node in PE.
- Stop the Puppet agent service from running.
    puppet resource service puppet ensure=stopped
- Move the CRL and create a backup on the agent node.
    mv /etc/puppetlabs/puppet/ssl/crl.pem /etc/puppetlabs/puppet/ssl/crl.pem.bk
- Download the CRL from the primary node by running Puppet on the agent node.
    puppet agent -t
- Start the Puppet agent service to run on the agent node.
    puppet resource service puppet ensure=running
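To check whether the CRL on the agent node is inside its validity window, before the steps above or after `puppet agent -t` has downloaded a new copy, the following added example (not part of the original article and not Puppet tooling) compares the CRL's lastUpdate and nextUpdate fields with the clock. It assumes GNU date and the openssl CLI are available on the agent node; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a CRL's validity window against a clock reading.
# Assumptions: GNU date (for -d) and the openssl CLI are installed.

CRL_PATH="/etc/puppetlabs/puppet/ssl/crl.pem"   # path used in the steps above

# to_epoch "Feb  9 05:04:18 2016 GMT" -> seconds since the epoch (UTC)
to_epoch() {
    date -u -d "$1" +%s
}

# crl_window_status LAST_UPDATE NEXT_UPDATE [NOW_EPOCH]
# Prints one of: valid | expired | not-yet-valid. Returns 2 on an unparsable date.
crl_window_status() {
    lu_epoch=$(to_epoch "$1") || return 2
    nu_epoch=$(to_epoch "$2") || return 2
    now_epoch=${3:-$(date -u +%s)}
    if [ "$now_epoch" -lt "$lu_epoch" ]; then
        echo "not-yet-valid"   # local clock is behind the clock that issued the CRL
    elif [ "$now_epoch" -gt "$nu_epoch" ]; then
        echo "expired"         # stale CRL copy, or local clock is ahead
    else
        echo "valid"
    fi
}

# crl_file_status [PATH] [NOW_EPOCH]: read both dates from a PEM CRL with openssl.
crl_file_status() {
    crl_file=${1:-$CRL_PATH}
    crl_dates=$(openssl crl -in "$crl_file" -noout -lastupdate -nextupdate) || return 2
    crl_last=$(printf '%s\n' "$crl_dates" | sed -n 's/^lastUpdate=//p')
    crl_next=$(printf '%s\n' "$crl_dates" | sed -n 's/^nextUpdate=//p')
    crl_window_status "$crl_last" "$crl_next" "$2"
}

# Run against the agent's CRL only when it is present and readable.
if [ -r "$CRL_PATH" ]; then
    echo "$CRL_PATH: $(crl_file_status "$CRL_PATH")"
fi
```

A result of `expired` on a freshly downloaded CRL, or `not-yet-valid` on any CRL, points at the agent node's clock rather than at the CRL file.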