On Wed, Jun 10, 2015 at 05:56:57AM -0700, jcbollinger wrote:
>    On Tuesday, June 9, 2015 at 4:03:42 PM UTC-5, Gabriel Filion wrote:
> 
>      On 09/06/15 12:14 PM, Andrés Abelardo Villarroel Acosta wrote:
>      > I'm not a puppet expert, and I know this may be a question completely
>      > relative to my environment, I just want to know why when I run
>      >
>      > puppet cert clean
> 
>      humm .. the text below gives the impression that the command you're
>      running is actually revoking every certificate it knows of, which is not
>      supposed to happen unless you specify "--all".
> 
>      What version of puppet are you running on your puppet master?

I see that sort of output when I 'puppet cert clean certname' with a certname 
that I have signed and cleaned a number of times (rebuilding a test host). 
3.7.2 on agent and master. I see a large number of certs being revoked although 
obviously only the latest one was signed.

>    Indeed.  "puppet cert clean" by itself should not do anything other than
>    produce a diagnostic, as a hostname is required (for "clean") unless
>    '--all' is specified.  This applies both to Puppet 3 and to Puppet 4, so
>    if different behavior is observed then I'm sure PL would appreciate a
>    ticket.
> 
>    If the "--all" option is assumed, then the expected behavior would be to
>    revoke every still-valid certificate ever signed by the CA, and to remove
>    the associated CSRs and certs.  This is probably not what you want.  If in
>    fact the CA has thousands of outstanding certs, however, then the process
>    indeed could take a long time.  In that case, you would be wise to
>    consider whether you should expect thousands of certs, as few sites have
>    multiple thousands of machines under management by the same (logical)
>    master.  Based on certificate serial numbers, though, it looks like your CA
>    indeed has signed more than 160K certs.
> 
>    John
> 
>    --
>    You received this message because you are subscribed to the Google Groups
>    "Puppet Users" group.
>    To unsubscribe from this group and stop receiving emails from it, send an
>    email to puppet-users+unsubscr...@googlegroups.com.
>    To view this discussion on the web visit
>    https://groups.google.com/d/msgid/puppet-users/7bc96333-bb66-4520-b990-5924c0afc414%40googlegroups.com.
>    For more options, visit https://groups.google.com/d/optout.
