This may be a crazy question, but do we have to keep the generated client certs on the puppetca? What would be the harm in deleting them?

I ask because we have our puppetca geographically redundant, and we keep the certs synced with our old friend rsync.

If we didn't even try to store the certs, we wouldn't have to keep them in sync. We could run the CAs active-active. I'm pretty sure puppet-agent and server will continue to work just fine, right?

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Hi,

I concur that cryptographically, there is absolutely no sense in keeping the signed certificates around.

That being said, I'm not entirely sure that the puppet master will work after removing them, but I expect it will.

Just give it a shot. You can always move them back in :-)

Cheers,
Felix

On 03/08/2013 05:36 PM, Mason Turner wrote:
> This may be a crazy question, but do we have to keep the generated client certs on the puppetca? What would be the harm in deleting them?
>
> I ask because we have our puppetca geographically redundant, and we keep the certs synced with our old friend rsync.
>
> If we didn't even try to store the certs, we wouldn't have to keep them in sync. We could run the CAs active-active. I'm pretty sure puppet-agent and server will continue to work just fine, right?

We've had the occasional fat finger in the client certs directory and all certs being deleted. Everything carried on as usual...

John

On 13 March 2013 20:36, Felix Frank <felix.frank@alumni.tu-berlin.de> wrote:
> Hi,
>
> I concur that cryptographically, there is absolutely no sense in keeping the signed certificates around.
>
> That being said, I'm not entirely sure that the puppet master will work after removing them, but I expect it will.
>
> Just give it a shot. You can always move them back in :-)
>
> Cheers,
> Felix
>
> On 03/08/2013 05:36 PM, Mason Turner wrote:
> > This may be a crazy question, but do we have to keep the generated client certs on the puppetca? What would be the harm in deleting them?
> >
> > I ask because we have our puppetca geographically redundant, and we keep the certs synced with our old friend rsync.
> >
> > If we didn't even try to store the certs, we wouldn't have to keep them in sync. We could run the CAs active-active. I'm pretty sure puppet-agent and server will continue to work just fine, right?

--
John Warburton
Ph: 0417 299 600
Email: jwarburton@gmail.com
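
Added example, not part of the thread and not Puppet's own code: a plain `openssl` CA stands in for the puppetca to show the cryptographic point made in the replies, that validating an agent certificate needs only the CA certificate and the certificate the agent presents, not a copy stored on the CA. All subject names and paths are constructed, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Constructed demo: every subject name and path here is made up.
# Echoes "agent=OK rogue=REJECTED" when chain validation behaves as expected.
verify_without_ca_copy() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/ca/signed" "$work/agent"

    # Stand-in CA: self-signed key pair and certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$work/ca/ca.key" -out "$work/ca/ca.crt" >/dev/null 2>&1 || return 1

    # Agent creates its key and CSR; the CA signs the CSR.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=agent.example.test" \
        -keyout "$work/agent/agent.key" -out "$work/agent/agent.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$work/agent/agent.csr" \
        -CA "$work/ca/ca.crt" -CAkey "$work/ca/ca.key" -CAcreateserial \
        -out "$work/ca/signed/agent.pem" >/dev/null 2>&1 || return 1

    # Agent fetches its certificate, then the CA-side copy is deleted.
    cp "$work/ca/signed/agent.pem" "$work/agent/agent.pem"
    rm -f "$work/ca/signed/agent.pem"

    # A certificate this CA never signed, for contrast.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=rogue.example.test" \
        -keyout "$work/rogue.key" -out "$work/rogue.crt" >/dev/null 2>&1 || return 1

    # Validation uses only the CA certificate plus what the peer presents.
    if openssl verify -CAfile "$work/ca/ca.crt" "$work/agent/agent.pem" >/dev/null 2>&1
    then agent=OK; else agent=REJECTED; fi
    if openssl verify -CAfile "$work/ca/ca.crt" "$work/rogue.crt" >/dev/null 2>&1
    then rogue=OK; else rogue=REJECTED; fi

    rm -rf "$work"
    echo "agent=$agent rogue=$rogue"
}

verify_without_ca_copy
```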