Page MenuHomePhabricator
Create Task
Maniphest T187042

toolforge: certificate issues in both tools-cdnproxy-0x.eqiad.wmflabs
Closed, ResolvedPublic
Actions

Description

Shinken reported that both servers tools-cdnproxy-01.eqiad.wmflabs and tools-cdnproxy-02.eqiad.wmflabs have issues with puppet.

The error is the same in both nodes:

aborrero@tools-cdnproxy-01:~$ sudo puppet agent -t -v
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: tools-puppetmaster-01.tools.eqiad.wmflabs]
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: tools-puppetmaster-01.tools.eqiad.wmflabs]
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: tools-puppetmaster-01.tools.eqiad.wmflabs]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: tools-puppetmaster-01.tools.eqiad.wmflabs]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: tools-puppetmaster-01.tools.eqiad.wmflabs]
Info: Loading facts
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: tools-puppetmaster-01.tools.eqiad.wmflabs]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: tools-puppetmaster-01.tools.eqiad.wmflabs]

Related Objects

Event Timeline

aborrero created this task.Feb 12 2018, 10:16 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptFeb 12 2018, 10:16 AM
aborrero added a subscriber: Bstorm.Feb 12 2018, 10:23 AM

Oops, sorry. I just discovered these are new instances created by @Bstorm the other day.

Bstorm added a comment.Feb 12 2018, 3:27 PM

Yup. I have to figure out the next step on those. Sorry if they caused trouble.

Paladox added a subscriber: Paladox.Feb 12 2018, 3:30 PM

I think your need to regenerate the ssl cert by doing

rm -rf /var/lib/puppet/ssl

then puppet agent -tv

then sign the cert on the tools puppet master.

chasemp triaged this task as Medium priority.Feb 12 2018, 3:36 PM
aborrero reassigned this task from aborrero to Bstorm.Feb 12 2018, 3:51 PM
In T187042#3963717, @Bstorm wrote:

Yup. I have to figure out the next step on those. Sorry if they caused trouble.

No problem :-) My fault.

Bstorm added a comment.Feb 12 2018, 4:15 PM

Got the agents set up and syncing correctly.

Bstorm closed this task as Resolved.Feb 12 2018, 4:16 PM
Dzahn mentioned this in T318521: Migrate gitlab-test instance to bullseye.Jan 11 2023, 11:33 PM
Dzahn added a subscriber: Dzahn.Jan 31 2023, 10:51 PM

How was this fixed?

Content licensed under Creative Commons Attribution-ShareAlike 3.0 (CC-BY-SA) unless otherwise noted; code licensed under GNU General Public License (GPL) or other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL