On Tuesday, June 16, 2015 at 12:27:28 PM UTC-7, Andrés Abelardo Villarroel Acosta wrote:
>
> On Wednesday, June 10, 2015 at 6:55:53 AM UTC-7, Christopher Wood wrote:
>>
>> On Wed, Jun 10, 2015 at 05:56:57AM -0700, jcbollinger wrote:
>> > On Tuesday, June 9, 2015 at 4:03:42 PM UTC-5, Gabriel Filion wrote:
>> >
>> > On 09/06/15 12:14 PM, Andrés Abelardo Villarroel Acosta wrote:
>> > > I'm not a puppet expert, and I know this may be a question completely
>> > > relative to my environment, I just want to know why when I run
>> > >
>> > > puppet cert clean
>> >
>> > humm .. the text below gives the impression that the command you're
>> > running is actually revoking every certificate it knows of, which is not
>> > supposed to happen unless you specify "--all".
>> >
>> > What version of puppet are you running on your puppet master?
>>
>> I see that sort of output when I 'puppet cert clean certname' with a
>> certname that I have signed and cleaned a number of times (rebuilding a
>> test host). 3.7.2 on agent and master. I see a large number of certs being
>> revoked although obviously only the latest one was signed.
>>
>
> I'm also rebuilding the host and the same certname has been signed and
> cleaned up multiple times, the version on the master is 3.7.4
>
> Is there a way to prune old certificate serials?
>

puppet cert re-inventory

Solved my problem.
https://docs.puppetlabs.com/references/3.7.4/man/cert.html#ACTIONS

> Thanks.
>
> --av.-
>
> P.S. sorry for top-posting on my previous responses :-P
>
>>
>> > Indeed. "puppet cert clean" by itself should not do anything other than
>> > produce a diagnostic, as a hostname is required (for "clean") unless
>> > '--all' is specified. This applies both to Puppet 3 and to Puppet 4, so
>> > if different behavior is observed then I'm sure PL would appreciate a
>> > ticket.
>> >
>> > If the "--all" option is assumed, then the expected behavior would be to
>> > revoke every still-valid certificate ever signed by the CA, and to remove
>> > the associated CSRs and certs. This is probably not what you want. If in
>> > fact the CA has thousands of outstanding certs, however, then the process
>> > indeed could take a long time. In that case, you would be wise to
>> > consider whether you should expect thousands of certs, as few sites have
>> > multiple thousands of machines under management by the same (logical)
>> > master. Based on certificate serial numbers, though, it looks like your CA
>> > indeed has signed more than 160K certs.
>> >
>> > John
>> >
>> > --
>> > You received this message because you are subscribed to the Google Groups
>> > "Puppet Users" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an
>> > email to puppet-users...@googlegroups.com.
>> > To view this discussion on the web visit
>> > https://groups.google.com/d/msgid/puppet-users/7bc96333-bb66-4520-b990-5924c0afc414%40googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.