At the moment it runs getssl if the config file changes, but it doesn't depend on the certificate itself. This means that if the initial puppet run runs getssl and it fails for some reason (e.g. missing DNS entry - this could be more verbose too), then it never actually tries to run getssl again - you have to do it manually or wait for the cron job.
At the moment it runs getssl if the config file changes, but it doesn't depend on the certificate itself. This means that if the initial puppet run runs getssl and it fails for some reason (e.g. missing DNS entry - this could be more verbose too), then it never actually tries to run getssl again - you have to do it manually or wait for the cron job.