If ntpdate is not run before the agent registers with the puppet master, the agent sometimes fails to retrieve a catalog, with an error saying the certificate is not yet valid.
ntpdate should run before the puppet or puppet-pe brokers communicate with the master if the ntpdate_server config is supplied.
To make this as generic as possible, both brokers should include a new, optional ntpdate_server config that defaults to not running ntpdate. We assume that many users will already have ntpdate configured on their network.
- Update the puppet and puppet-pe brokers to synchronize the time before installing the agent.
- Add an ntpdate_server config with the above default to the configuration.yaml of each broker.
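
One way the time-sync step could look in a broker's install script, as an added sketch that is not the brokers' own code. The names `sync_time`, `valid_ntp_server` and `NTPDATE_BIN` are hypothetical, and the character check assumes the configured value ends up in a script run with elevated privileges.

```shell
#!/bin/sh
# Added example: optional time sync before the agent contacts the master.
# sync_time, valid_ntp_server and NTPDATE_BIN are hypothetical names.

# Accept only hostname/IP characters. Assumption: the configured value is
# placed into a privileged install script, so it must not be able to carry
# shell metacharacters or look like an ntpdate option.
valid_ntp_server() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9.:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# $1 = ntpdate_server from the broker configuration (empty = not set).
# Returns 0 when skipped or synced, 2 on a rejected value, 1 if sync fails.
sync_time() {
    server="$1"
    if [ -z "$server" ]; then
        return 0    # default: ntpdate is not run
    fi
    if ! valid_ntp_server "$server"; then
        echo "ntpdate_server rejected: invalid characters" >&2
        return 2
    fi
    # NTPDATE_BIN lets a test substitute a stub for the real binary.
    if ! "${NTPDATE_BIN:-ntpdate}" "$server"; then
        echo "time sync against $server failed" >&2
        return 1
    fi
    return 0
}
```

The install script would call `sync_time` with the configured value before installing the agent, and decide from the return code whether a failed sync should stop the install or only be logged.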