Hi Derek,

2010/11/12 Derek J. Balling <dr...@megacity.org>

> [...]
> Nope. Because "autosign" doesn't also "auto-overwrite".
>
> - New Host "foo001.domain.tld" is created
> - Certs are exchanged for foo001 with the puppetmaster, life is good,
> autosigned
> - Host foo001.domain.tld is retired
> - Replacement Host "foo001.domain.tld" is created
> - foo001 tries to talk to puppetmaster, presenting brand new certs. They
> don't match what the master has for that host. It tells foo001 to
> pound-sand.
>
> At that point, I have to manually log into the CA and clean out the
> certificates for foo001. I also have to go out to foo001, and blow away all
> ITS certs, since it's been given a cert it has no idea what to do with.
>

Removing the certificate is part of the retirement process, as well as
removing the DNS entry, freeing up the IP in the CMDB, removing the hardware
from the rack and whatever else needs to be done when a box is retired. Nearly
all of this stuff could be scripted except the removal from the rack.

Kind regards, Thomas
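
The scriptable part of the retirement described in this message, as an added example that is not part of the original thread. `puppetca --clean` is the Puppet CA cleanup command of that era; `remove-dns-entry` and `cmdb-release-ip` are hypothetical placeholders for site-specific tooling.

```shell
#!/bin/sh
# Added example: plan the scriptable retirement steps for one Puppet node.
# Usage (after sourcing): retire foo001.domain.tld
# Prints the commands instead of running them unless RUN=1 is set.

# Accept only a lowercase FQDN, so the name cannot smuggle options or
# shell metacharacters into the commands built below.
valid_fqdn() {
    case "$1" in
        ""|-*|.*|*.|*..*|*[!a-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit one command per line, in the order they should run.
retire_plan() {
    host=$1
    valid_fqdn "$host" || { echo "invalid hostname: $host" >&2; return 2; }
    # Remove the node's certificate from the CA, so a rebuilt host with
    # the same name can get its new certificate signed.
    echo "puppetca --clean $host"
    # Hypothetical helpers (assumptions) for DNS and CMDB cleanup.
    echo "remove-dns-entry $host"
    echo "cmdb-release-ip $host"
}

# Dry run by default; RUN=1 executes the plan and stops at the first failure.
retire() {
    plan=$(retire_plan "$1") || return $?
    if [ "${RUN:-0}" = 1 ]; then
        echo "$plan" | while IFS= read -r cmd; do
            # Word splitting is safe here: the hostname was validated.
            $cmd || exit 1
        done
    else
        echo "$plan"
    fi
}
```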
