Installation of 'puppetmaster' package prevents Exec[Certificate_Check] from ever executing.

[diranged]

The Exec[Certificate_Check] resource requires File[/etc/puppet/puppet.conf]. This file resource though requires Package[puppetmaster]. The problem with this flow is that the instant the Package[puppetmaster] is installed, it creates any missing SSL files on its own. When it does this, the Exec[Certificate_Check] code sees the file in-place and never executes.

The net result here is that the certificate is never re-created with the dns_alt_names settings. My short-term hack is to install puppetmaster before we ever execute Puppet on our masters, then shut the service down and destroy the /var/lib/puppet/ssl directory. This is a hack though. There should be a cleaner fix.