cblument@gmail.com
2012-Dec-19 18:41 UTC
[Puppet Users] cannot check in new clients to master certificate revoked
I have migrated to a load balanced setup for puppet masters. Afterwards, I was able to check new clients in but that has suddenly stopped working.

puppet 2.7.14

new setup:
puppetca, acts as a master to puppetmaster servers
n number of puppetmasters, acts as a puppetmaster to clients

During the initial setup I copied the original puppetmaster's ssl directory to the new ca.

When checking in I receive the following error:

    root@nova-api-b01-r2961:~# puppet agent --test --server puppetmaster.somedomain.com --ca_server puppetca.somedomain.com --pluginsync true --waitforcert 20
    info: Creating a new SSL key for api.somedomain.com
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for ca
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Creating a new SSL certificate request for api.somedomain.com
    info: Certificate Request fingerprint (md5): 43:BE:38:4E:46:E7:2B:89:EB:A9:65:15:90:2C:63:CE
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for api.somedomain.com
    info: Retrieving plugin
    info: Caching certificate_revocation_list for ca
    err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
    err: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client Could not retrieve file metadata for puppet://puppetmaster.somedomain.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
    No LSB modules are available.
    err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run
    err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client

I have tried multiple times to clean cert on ca and remove ssl dir on the new client with same outcome.

Running tshark I get http://pastie.org/5553830

I think the relevant message here is:

    0.676760 10.23.245.109 -> 10.23.244.194 TLSv1 Alert (Level: Fatal, Description: Certificate Revoked)

I think that I am being hit by either http://projects.puppetlabs.com/issues/8125 or http://projects.puppetlabs.com/issues/4948 or a combination of the two. I tried the workaround in http://projects.puppetlabs.com/issues/8125 but receive the same error. I am really trying to avoid re-signing everything as I have a great many servers.

Any ideas?

Chris
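
The agent log above fails right after "Caching certificate_revocation_list for ca", and the capture shows a TLS "Certificate Revoked" alert. One way to check whether a given certificate's serial is listed in a CRL is sketched below as an added example; it is not part of the original post or of Puppet. The function names `norm_serial` and `revocation_date`, the `<cert.pem>` and `<crl.pem>` placeholders, and the sample CRL text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: is a certificate's serial listed in a CRL, and since when?
# Real inputs come from standard OpenSSL commands (<...> are placeholders):
#   openssl x509 -in <cert.pem> -noout -serial   # prints "serial=05"
#   openssl crl  -in <crl.pem>  -noout -text     # prints the listing parsed below

# Constructed sample of `openssl crl -noout -text` output (not from the post).
SAMPLE_CRL_TEXT='Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: /CN=Puppet CA: puppetca.somedomain.com
        Last Update: Dec 19 17:10:00 2012 GMT
Revoked Certificates:
    Serial Number: 05
        Revocation Date: Dec 19 17:02:11 2012 GMT
    Serial Number: 1C
        Revocation Date: Dec 19 17:09:40 2012 GMT'

# Reduce "serial=05", "05" or "1c" to upper-case hex without leading zeros.
norm_serial() {
    printf '%s' "$1" | sed 's/^serial=//' | tr -d ' :\n' | tr 'a-f' 'A-F' |
        sed 's/^0*\(.\)/\1/'
}

# revocation_date SERIAL CRL_TEXT
# Prints the revocation date and returns 0 if SERIAL is listed, else returns 1.
revocation_date() {
    want=$(norm_serial "$1")
    printf '%s\n' "$2" | awk -v want="$want" '
        /^[ \t]*Serial Number:/ {
            cur = toupper($3); sub(/^0+/, "", cur)
            if (cur == "") cur = "0"
            next
        }
        /^[ \t]*Revocation Date:/ && cur == want {
            sub(/^[ \t]*Revocation Date:[ \t]*/, "")
            print; found = 1; exit
        }
        END { exit(found ? 0 : 1) }'
}

# Demo on the constructed sample: serial 05 is listed, serial 06 is not.
revocation_date "serial=05" "$SAMPLE_CRL_TEXT" || echo "05 not revoked"
revocation_date "06" "$SAMPLE_CRL_TEXT" || echo "06 not revoked"
```

Running the same check against the master's certificate and the new agent's certificate shows which side's serial the CRL actually lists.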