search for: ca_ttl

Is there a way to force the puppetmaster to resign certificates for existing certificates when a new CSR for the same hostname arrives? When we reinstall freshly formatted clients with puppet (with the same hostname) the puppet client complains: err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it

Hello, Have a fully working setup with mostly Linux clients running on a 2.7.x master all is good. Trying to join Solaris clients to this master yields:- info: Creating a new SSL key for <FQDN> warning: peer certificate won''t be verified in this SSL session info: Caching certificate for ca warning: peer certificate won''t be verified in this SSL session warning: peer

...storeconfigs = false authconfig = /etc/puppet/namespaceauth.conf autoflush = false autosign = /etc/puppet/autosign.conf bindaddress = "" bucketdir = /var/lib/puppet/bucket ca = true ca_days = "" ca_md = md5 ca_name = Puppet CA: vusion-production ca_port = 8140 ca_server = puppet ca_ttl = 5y cacert = /var/lib/puppet/ssl/ca/ca_crt.pem cacrl = /var/lib/puppet/ssl/ca/ca_crl.pem cadir = /var/lib/puppet/ssl/ca cakey = /var/lib/puppet/ssl/ca/ca_key.pem capass = /var/lib/puppet/ssl/ca/private/ca.pass caprivatedir = /var/lib/puppet/ssl/ca/private capub = /var/lib/puppet/ssl/ca/ca_pub.pem...

...39;'$cadir/ca_crl.pem'' debug: ca: Setting ca to ''true'' debug: ca: Setting serial to ''$cadir/serial'' debug: ca: Setting cakey to ''$cadir/ca_key.pem'' debug: ca: Setting capub to ''$cadir/ca_pub.pem'' debug: ca: Setting ca_ttl to ''5y'' debug: ca: Setting cacert to ''$cadir/ca_crt.pem'' debug: fileserver: Setting fileserverconfig to ''$confdir/fileserver.conf'' debug: filebucket: Setting clientbucketdir to ''$vardir/clientbucket'' debug: /puppetconfig/puppet...

...''. csrdir = /etc/puppet/ssl/ca/requests # Where the serial number for certificates is stored. # The default value is ''$cadir/serial''. serial = /etc/puppet/ssl/ca/serial # How long a certificate should be valid. # This parameter is deprecated, use ca_ttl instead # The default value is ''''. # ca_days = # The bit length of the certificates. # The default value is ''2048''. # req_bits = 2048 # The CA certificate. # The default value is ''$cadir/ca_crt.pem''. cacert = /e...