As discovered in T177374: decom wtp1001-wtp1024 hosts that are formally decom'd in the puppet CA (i.e. puppet cert list --all doesn't show the cert) can still run puppet successfully. In the wtp case this reactivated the host in puppetdb, and thus the host showed up in monitoring.
In practical terms this means enforcing checking of the puppet CA's CRL when hosts are talking to the puppet master(s).
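
The gap described above, reproduced with plain openssl as an added example (not taken from the task or from the puppet configuration): a certificate revoked at the CA still verifies unless the verifier is told to consult the CRL. It assumes the openssl CLI is installed; the CA, host name and file names are constructed placeholders.

```shell
# Added example: throwaway CA in a temp dir; every name below is a constructed placeholder.
# Builds a CA, issues a host cert, revokes it and publishes a CRL. $1 = empty work dir.
build_demo_ca() (
    cd "$1" || exit 1
    mkdir newcerts && : > index.txt && echo 01 > serial || exit 1
    cat > ca.cnf <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Demo Puppet CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
EOF
    {
        openssl req -x509 -new -newkey rsa:2048 -nodes -config ca.cnf -keyout ca.key -out ca.pem -days 30 &&
        openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=decom-host.example.test" -keyout host.key -out host.csr &&
        openssl ca -batch -config ca.cnf -notext -in host.csr -out host.pem &&
        openssl ca -config ca.cnf -revoke host.pem &&
        openssl ca -config ca.cnf -gencrl -out crl.pem
    } >/dev/null 2>&1
)

# Chain validation only: revocation is never consulted.
verify_without_crl() { openssl verify -CAfile "$1/ca.pem" "$1/host.pem" >/dev/null 2>&1; }
# Chain validation plus a CRL lookup for the leaf certificate.
verify_with_crl() { openssl verify -crl_check -CAfile "$1/ca.pem" -CRLfile "$1/crl.pem" "$1/host.pem" >/dev/null 2>&1; }

work=$(mktemp -d)
build_demo_ca "$work"
verify_without_crl "$work" && echo "no CRL check: revoked cert still accepted"
verify_with_crl "$work" || echo "CRL check enforced: revoked cert rejected"
rm -rf "$work"
```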