On Nov 11, 2010, at 6:26 PM, donavan wrote:
> From your comment in #3958 I think autosign[1] with "*.domain.tld"
> would work for you.

Nope. Because "autosign" doesn't also "auto-overwrite".

- New Host "foo001.domain.tld" is created
- Certs are exchanged for foo001 with the puppetmaster, life is good, autosigned
- Host foo001.domain.tld is retired
- Replacement Host "foo001.domain.tld" is created
- foo001 tries to talk to puppetmaster, presenting brand new certs. They don't 
match what the master has for that host. It tells foo001 to pound sand.

At that point, I have to manually log into the CA and clean out the 
certificates for foo001. I also have to go out to foo001, and blow away all ITS 
certs, since it's been given a cert it has no idea what to do with.

It's just ugly. Like I said in my ticket notes, I'll concede that for some 
people, it's a necessity, but there's clearly also a set of people for whom it 
is just unnecessary pain and suffering.
