Cleaning out cert requests

Occasionally systems with incorrect hostnames will generate a certificate signing request on the puppet servers. Periodically clear these out on pupserver01-ec2-va with:

puppetserver ca list | awk '{print $1'} | xargs -n1 puppetserver ca clean --certname

Be careful to not specify --all which includes SIGNED certificates.

Host Decommissioning

On the puppet CA server (currently run 

puppet node deactivate ooo-forums4-dev-vm
puppet node clean ooo-forums4-dev-vm
# remove node from ASF DNS

Cleaning up old node resources

  1. puppet node deactivate <hostname> 
    • This will deactive the node and make it eligible for garbage collection from puppetdb.
    • This will cause it to be removed from ssh-keys and exported resources (for backuppc amongst other things)
  2. puppet node clean <hostname> 
    • This removes all of the cached facts associated with the VM under the old hostname. Removes:
      • Signed certificates - ($vardir/ssl/ca/signed/node.domain.pem)

      • Cached facts - ($vardir/yaml/facts/node.domain.yaml)

      • Cached node objects - ($vardir/yaml/node/node.domain.yaml)

      • Reports - (puppetdb, datadog_reports)

  3. Additionally, check PuppetDB for node resources:
    • on pupdb01-ec2-va  run:

      curl -X POST http://localhost:8080/pdb/query/v4/resources -H 'Content-Type:application/json' -d '{"query":["=","certname",""]}' | python3 -m json.tool | less
    • this queries the puppetdb service directly.

Client Setup

See Client Reference Guide