Node certificates have invalid dates
The date and time must be in sync when certificates are created.
If certificates were signed while the clocks were out of sync, you get invalid dates (such as certificates with future dates) when you run:
openssl x509 -text -noout -in $(puppet config print --section master ssldir)/certs/<NODE_NAME>.pem
- On the primary server, delete certificates with invalid dates by running:
puppetserver ca clean --certname <NODE_CERT_NAME>
- On the nodes with invalid certificates, delete the SSL directory by running:
rm -r $(puppet config print --section master ssldir)
- On each impacted agent node, generate a new certificate request by running:
puppet agent --test
- On the primary server, sign each request by running:
puppetserver ca sign --certname <NODE_NAME>
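
To find every affected certificate in one pass instead of inspecting nodes one at a time, the date check can be scripted. The following is an added example, not part of the Puppet documentation; the function names cert_window_status and scan_certs are hypothetical, and it assumes GNU date and openssl are installed.

```shell
#!/usr/bin/env bash
# Added example: find certificates whose validity window does not cover "now".
# Assumes GNU date (for `date -d`) and openssl; function names are hypothetical.

# Classify a validity window. $1/$2 are the notBefore/notAfter strings exactly
# as `openssl x509 -dates` prints them; $3 is an optional reference epoch.
cert_window_status() {
  local not_before="$1" not_after="$2" now="${3:-$(date -u +%s)}"
  local nb na
  nb=$(date -u -d "$not_before" +%s 2>/dev/null) || { echo unparsable; return 0; }
  na=$(date -u -d "$not_after" +%s 2>/dev/null) || { echo unparsable; return 0; }
  if [ "$nb" -gt "$now" ]; then
    echo not-yet-valid      # signed by a clock that was ahead
  elif [ "$na" -le "$now" ]; then
    echo expired
  else
    echo ok
  fi
}

# Print "<certname><TAB><status>" for every *.pem in $1 that is not "ok".
scan_certs() {
  local dir="$1" now="${2:-$(date -u +%s)}"
  local pem name dates nb na status
  for pem in "$dir"/*.pem; do
    [ -e "$pem" ] || continue
    name=$(basename "$pem" .pem)
    dates=$(openssl x509 -noout -dates -in "$pem" 2>/dev/null) || {
      printf '%s\tunparsable\n' "$name"; continue; }
    nb=$(printf '%s\n' "$dates" | sed -n 's/^notBefore=//p')
    na=$(printf '%s\n' "$dates" | sed -n 's/^notAfter=//p')
    status=$(cert_window_status "$nb" "$na" "$now")
    [ "$status" = ok ] || printf '%s\t%s\n' "$name" "$status"
  done
}

# Constructed sample dates, evaluated at 2030-01-01 00:00:00 UTC (1893456000):
cert_window_status "Jan  1 00:00:00 2031 GMT" "Jan  1 00:00:00 2036 GMT" 1893456000

# On the primary server (path expression taken from the page):
#   scan_certs "$(puppet config print --section master ssldir)/certs"
```

Each name reported as not-yet-valid or expired is a candidate for the clean, regenerate and sign steps above, once the clocks are back in sync.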