On Tuesday, June 9, 2015 at 4:03:42 PM UTC-5, Gabriel Filion wrote:
>
> On 09/06/15 12:14 PM, Andrés Abelardo Villarroel Acosta wrote:
> > I'm not a puppet expert, and I know this may be a question completely
> > relative to my environment, I just want to know why when I run
> >
> > puppet cert clean
>
> humm .. the text below gives the impression that the command you're
> running is actually revoking every certificate it knows of, which is not
> supposed to happen unless you specify "--all".
>
> What version of puppet are you running on your puppet master?
>

Indeed. "puppet cert clean" by itself should not do anything other than produce a diagnostic, as a hostname is required (for "clean") unless '--all' is specified. This applies both to Puppet 3 and to Puppet 4, so if different behavior is observed then I'm sure PL would appreciate a ticket.

If the "--all" option is assumed, then the expected behavior would be to revoke every still-valid certificate ever signed by the CA, and to remove the associated CSRs and certs. This is probably not what you want.

If in fact the CA has thousands of outstanding certs, however, then the process indeed could take a long time. In that case, you would be wise to consider whether you should *expect* thousands of certs, as few sites have multiple thousands of machines under management by the same (logical) master. Based on certificate serial numbers, though, it looks like your CA indeed has signed more than 160K certs.

John