The hostcert and hostprivkey settings in puppet.conf on the puppetmasters point to files that don't exist. For example, on puppetmaster1001:
```
puppetmaster1001:~# cat /etc/puppet/puppet.conf | grep ^host
hostcert = /var/lib/puppet/server/ssl/certs/puppetmaster1001.eqiad.wmnet.pem
hostprivkey = /var/lib/puppet/server/ssl/private_keys/puppetmaster1001.eqiad.wmnet.pem
puppetmaster1001:~# ls /var/lib/puppet/server/ssl/certs/puppetmaster1001.eqiad.wmnet.pem
ls: cannot access /var/lib/puppet/server/ssl/certs/puppetmaster1001.eqiad.wmnet.pem: No such file or directory
puppetmaster1001:~# ls /var/lib/puppet/server/ssl/private_keys/puppetmaster1001.eqiad.wmnet.pem
ls: cannot access /var/lib/puppet/server/ssl/private_keys/puppetmaster1001.eqiad.wmnet.pem: No such file or directory
```
A misconfiguration here is potentially dangerous. For example, the Debian puppet-master-passenger package's post-install script checks whether the configured hostcert file exists to determine whether the puppet CA should be initialized:
```
# /var/lib/dpkg/info/puppet-master-passenger.postinst
#
# Initialize the puppet master CA and generate the master
# certificate only if the host doesn't already have any puppet
# ssl certificate. The ssl key and cert need to be available
# (eg generated) before apache2 is configured and started
# since apache2 ssl configuration uses the puppet master ssl
# files.
if [ ! -e "$(puppet master --configprint hostcert)" ]; then
    puppet cert generate $(puppet master --configprint certname)
fi
```
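One way to catch this condition before a package upgrade runs the postinst check, as an added example (not code from this report or from the Debian package). The function names `check_host_settings` and `demo` are hypothetical, the sample paths are constructed, and the script assumes literal `key = value` lines in puppet.conf rather than resolving interpolated values the way `puppet master --configprint` does.

```shell
#!/bin/sh
# Added example: flag puppet.conf hostcert/hostprivkey settings whose target
# file does not exist, i.e. the state in which the postinst existence test
# above would decide to generate a new master certificate.

# check_host_settings CONF
# Prints "MISSING <key> <path>" for each explicitly configured setting that
# points to a nonexistent file. Returns 1 if any is missing, 0 otherwise.
check_host_settings() {
    conf=$1
    rc=0
    for key in hostcert hostprivkey; do
        # Take the value of the last matching line, trimming whitespace.
        path=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$conf" | tail -n 1)
        if [ -z "$path" ]; then
            continue    # not set explicitly in this file
        fi
        if [ ! -e "$path" ]; then
            echo "MISSING $key $path"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the certificate exists, the private key does not.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/ssl/certs" "$tmp/ssl/private_keys"
    : > "$tmp/ssl/certs/master.example.pem"
    cat > "$tmp/puppet.conf" <<EOF
[master]
hostcert = $tmp/ssl/certs/master.example.pem
hostprivkey = $tmp/ssl/private_keys/master.example.pem
EOF
    check_host_settings "$tmp/puppet.conf"
    status=$?
    rm -rf "$tmp"
    return $status
}

demo || true
```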