Paste P62413

(An Untitled Masterwork)

Authored by cmooney on Wed, May 15, 10:32 AM.
cmooney@cumin1002:~$ sudo cookbook sre.network.tls cloudsw1-e4-eqiad
Acquired lock for key /spicerack/locks/cookbooks/sre.network.tls: {'concurrency': 20, 'created': '2024-05-15 10:29:00.821928', 'owner': 'cmooney@cumin1002 [198712]', 'ttl': 1800}
START - Cookbook sre.network.tls for network device cloudsw1-e4-eqiad
cloudsw1-e4-eqiad: ❌ Can't connect to device, assuming initial bootstrap.
cloudsw1-e4-eqiad: 🔏 cfssl called with operation: gencert.
Exception raised while executing cookbook sre.network.tls:
Traceback (most recent call last):
  File "/srv/deployment/spicerack/cookbooks/sre/network/tls.py", line 176, in _cfssl_command
    cfssl_raw = run(shlex.split(command), capture_output=True, text=True, check=True, input=data_in)
  File "/usr/lib/python3.9/subprocess.py", line 528, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['cfssl', 'gencert', '-config', '/etc/cfssl/client-cfssl.conf', '-tls-remote-ca', '/var/lib/puppet/ssl/certs/ca.pem', '-mutual-tls-client-cert', '/var/lib/puppet/ssl/certs/cumin1002.eqiad.wmnet.pem', '-mutual-tls-client-key', '/var/lib/puppet/ssl/private_keys/cumin1002.eqiad.wmnet.pem', '-label', 'network_devices', '-']' returned non-zero exit status 1.
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/spicerack/_menu.py", line 250, in _run
    raw_ret = runner.run()
  File "/srv/deployment/spicerack/cookbooks/sre/network/tls.py", line 109, in run
    new_cert_bundle = self.generate_new_cert()
  File "/srv/deployment/spicerack/cookbooks/sre/network/tls.py", line 191, in generate_new_cert
    return self._cfssl_command('gencert', csr_json)
  File "/srv/deployment/spicerack/cookbooks/sre/network/tls.py", line 180, in _cfssl_command
    raise RuntimeError(f"{self.device}: CFSSL error while generating certificate:\n{exc.stderr}") from exc
RuntimeError: cloudsw1-e4-eqiad: CFSSL error while generating certificate:
2024/05/15 10:31:12 [INFO] generate received request
2024/05/15 10:31:12 [INFO] received CSR
2024/05/15 10:31:12 [INFO] generating key: ecdsa-256
2024/05/15 10:31:12 [INFO] encoded CSR
2024/05/15 10:31:12 [INFO] Using client auth with mutual-tls-cert: /var/lib/puppet/ssl/certs/cumin1002.eqiad.wmnet.pem and mutual-tls-key: /var/lib/puppet/ssl/private_keys/cumin1002.eqiad.wmnet.pem
2024/05/15 10:31:12 [INFO] Using trusted CA from tls-remote-ca: /var/lib/puppet/ssl/certs/ca.pem
{"code":7400,"message":"failed POST to https://pki.discovery.wmnet:443/api/v1/cfssl/authsign: Post \"https://pki.discovery.wmnet:443/api/v1/cfssl/authsign\": remote error: tls: certificate required"}
Released lock for key /spicerack/locks/cookbooks/sre.network.tls: {'concurrency': 20, 'created': '2024-05-15 10:29:00.821928', 'owner': 'cmooney@cumin1002 [198712]', 'ttl': 1800}
END (FAIL) - Cookbook sre.network.tls (exit_code=99) for network device cloudsw1-e4-eqiad