bschonec closed 1 year ago
We thought about this at one point, but we didn't really have a good way of tracking things because the directories often aren't empty to begin with. And, as you mentioned, a lot of the time it's the same place the OS places CA chains and the like. I think this is not something we would do given the risk of mistakenly deleting something important (and potentially hard to replace) on a system.
In keeping with the Puppet philosophy of cleaning out unmanaged files, it would be nice if the module would do exactly that.
Much like /etc/sudoers.d, I've found that my servers are littered with unmanaged crt and key files in /etc/pki/tls/{certs,private}.
We'd have to be very careful, though. There are some symlinks (RHEL variants) that point to /etc/pki/ca-trust/extracted....
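
A report-only way to see what such a purge would touch, given the concerns raised in this thread. This is an added example, not part of the thread or of the module's code. It assumes a hypothetical text file of absolute paths that Puppet manages, and the demo tree and symlink target are constructed placeholders.

```shell
#!/bin/sh
# Dry-run audit: list .crt/.key files that nothing is known to manage.
# Nothing is ever deleted; the output is for human review.

# list_unmanaged DIR MANAGED_LIST
#   DIR           directory to inspect, e.g. /etc/pki/tls/certs
#   MANAGED_LIST  hypothetical file, one absolute managed path per line
list_unmanaged() {
    dir=$1
    managed=$2
    # -type f skips symlinks, so links into the OS trust store are never
    # reported; -maxdepth 1 keeps the audit to the directory itself.
    find "$dir" -maxdepth 1 -type f \( -name '*.crt' -o -name '*.key' \) -print |
    LC_ALL=C sort |
    while IFS= read -r path; do
        # Skip files the configuration-management catalog already owns.
        if grep -Fxq -- "$path" "$managed"; then
            continue
        fi
        # Skip files shipped by an OS package (RPM-based systems only).
        if command -v rpm >/dev/null 2>&1 && rpm -qf "$path" >/dev/null 2>&1; then
            continue
        fi
        printf '%s\n' "$path"
    done
}

# Constructed sample tree standing in for a certs directory.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/managed.crt"
    : > "$tmp/stray.crt"
    : > "$tmp/stray.key"
    : > "$tmp/README.txt"
    # Placeholder target: stands in for a distro symlink into the trust store.
    ln -s /nonexistent/placeholder-target "$tmp/linked-bundle.crt"
    printf '%s\n' "$tmp/managed.crt" > "$tmp/managed.list"
    list_unmanaged "$tmp" "$tmp/managed.list" | sed "s|^$tmp/||"
    rm -rf "$tmp"
}

demo
```

Reviewing this list by hand before removing anything keeps OS-provided CA material and symlinks out of scope.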