Re-sync a puppet node due to SSL errors

A node may go out of sync, and running puppet agent -t on the node then fails with errors like these:

root@cld-blu-13 ~ # puppet agent -t
Notice: Ignoring --listen on onetime run
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://cld-foreman.cloud.pd.infn.it/pluginfacts: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://cld-foreman.cloud.pd.infn.it/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked
Info: Loading facts
Error: NetworkManager is not running.
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked

As the last error says, the client certificate has been revoked on the server.

To solve the issue:

On the client

  • delete the directory /var/lib/puppet/ssl
  • run puppet agent -t again. You will see that a new client key and certificate request are generated:
    root@cld-blu-13 ~ # puppet agent -t
    Info: Creating a new SSL key for cld-blu-13.cloud.pd.infn.it
    Info: Caching certificate for ca
    Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
    Info: Creating a new SSL certificate request for cld-blu-13.cloud.pd.infn.it
    Info: Certificate Request fingerprint (SHA256): D4:A6:AB:5B:2B:64:C6:05:09:DB:FF:66:0D:B8:D5:67:08:29:BD:BE:B6:EA:1D:8E:32:DC:1F:95:8F:C4:12:B5
    Info: Caching certificate for ca
    Exiting; no certificate found and waitforcert is disabled

On the server

  • issue puppet cert sign cld-blu-13.cloud.pd.infn.it

On the client

  • run puppet agent -t once more. You will see that the client syncs with the server:
    root@cld-blu-13 ~ # puppet agent -t
    Info: Caching certificate for cld-blu-13.cloud.pd.infn.it
    Info: Caching certificate_revocation_list for ca
    Info: Caching certificate for cld-blu-13.cloud.pd.infn.it
    Notice: Ignoring --listen on onetime run
    Info: Retrieving pluginfacts
    Info: Retrieving plugin
    Info: Loading facts
    Error: NetworkManager is not running.
    Info: Caching catalog for cld-blu-13.cloud.pd.infn.it
    Info: Applying configuration version '1462266065'
    Notice: Finished catalog run in 13.63 seconds
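
Before running puppet cert sign on the server, it is worth confirming that the pending request is the one the agent just generated. The script below is an added example, not part of the original page: it compares the fingerprint printed by the agent with the one shown by puppet cert list. The function names are hypothetical, and the puppet cert list line format ("<certname>" (SHA256) <fingerprint>) and the sample server output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): confirm that the CSR waiting on
# the Puppet CA is the one this agent generated, before `puppet cert sign`.

# Read `puppet agent -t` output on stdin, print the CSR SHA256 fingerprint.
agent_csr_fingerprint() {
    sed -n 's/^.*Certificate Request fingerprint (SHA256): \([0-9A-Fa-f:]*\).*$/\1/p' | head -n 1
}

# Read `puppet cert list` output on stdin, print the fingerprint for certname $1.
# Assumed line format:   "<certname>" (SHA256) AA:BB:...
ca_pending_fingerprint() {
    awk -v n="\"$1\"" '$1 == n && $2 == "(SHA256)" { print $3; exit }'
}

# Exit 0 if equal, 1 if different, 2 if either is not a SHA256 fingerprint.
csr_matches() {
    a=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    for fp in "$a" "$b"; do
        printf '%s\n' "$fp" | grep -Eq '^([0-9A-F]{2}:){31}[0-9A-F]{2}$' || return 2
    done
    [ "$a" = "$b" ] || return 1
}

# Sample agent output: lines taken from the transcript on this page.
NODE=cld-blu-13.cloud.pd.infn.it
AGENT_OUT='Info: Creating a new SSL certificate request for cld-blu-13.cloud.pd.infn.it
Info: Certificate Request fingerprint (SHA256): D4:A6:AB:5B:2B:64:C6:05:09:DB:FF:66:0D:B8:D5:67:08:29:BD:BE:B6:EA:1D:8E:32:DC:1F:95:8F:C4:12:B5'
# Constructed `puppet cert list` output as it would look on the server.
CA_OUT='  "cld-blu-13.cloud.pd.infn.it" (SHA256) D4:A6:AB:5B:2B:64:C6:05:09:DB:FF:66:0D:B8:D5:67:08:29:BD:BE:B6:EA:1D:8E:32:DC:1F:95:8F:C4:12:B5'

want=$(printf '%s\n' "$AGENT_OUT" | agent_csr_fingerprint)
have=$(printf '%s\n' "$CA_OUT" | ca_pending_fingerprint "$NODE")
if csr_matches "$want" "$have"; then
    echo "fingerprints match: safe to run: puppet cert sign $NODE"
else
    echo "fingerprint mismatch or missing CSR: do not sign $NODE" >&2
fi
```

In real use, feed the functions the saved output of puppet agent -t from the client and puppet cert list from the server instead of the embedded samples.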
progetti/cloud-areapd/ced-c/operations/out_of_sync_puppet_node_ssl_errors.txt · Last modified: 2016/05/03 09:18 by mazzon@infn.it
