Ask Your Question

Got the following error "certificate is not yet valid for /CN=Puppet CA: " when doing a puppet run after registering a client with the puppet master.

asked 2015-01-08 07:45:28 -0600

kizurazgubai gravatar image

Hi everyone

I have a puppet client node whose date/time is persistently set in the past for stress test purposes. Unfortunately this time precedes the "NOT BEFORE" time validity parameter of the CA certificate which is used to sign the client certificate. I can not move the date forward on the client node, and I have hundreds of other clients using the puppet master, so I cannot regenerate the CA certificate with new start and end dates. Is there a way to sign the client CSR such that the client will not fail to do a puppet run because the dates of the CA cert of the puppet master fall after the current set date of the puppet client?


edit retag flag offensive close merge delete

2 Answers

Sort by ยป oldest newest most voted

answered 2015-02-09 01:20:27 -0600

joshc gravatar image

The puppet agent will reject the CA's cert if its not_before time is more than 5 minutes in the future (relative to the agent's time). See . This is not currently configurable, but you could edit the code on the agent to allow for greater clock skew.

edit flag offensive delete link more

answered 2015-01-08 19:27:08 -0600

GregLarkin gravatar image

I didn't realize that's what you were trying to do when I answered your previous question. As far as I know, the only way to do what you want is regenerate the CA certificate with the dates you want (cf. and then regenerate all of the client certificates, following this process:

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2015-01-08 07:45:28 -0600

Seen: 3,286 times

Last updated: Feb 09 '15