On several hosts such as http://shinken.wmflabs.org/service/deployment-mx/Puppet%20errors I'm getting:
labs-puppetmaster/Labs Puppetmaster HTTPS is UNKNOWN since 4M 3w 2d 23h 9m 5s
I'm not sure what that means but it doesn't look right to me. Maybe routing is bad or bad SSL route?
| Subject | Repo | Branch | Lines +/- | |
|---|---|---|---|---|
| Fix Ifa0b210f: Fix another caller of this function to not break | operations/puppet | production | +1 -1 |
The "Labs Puppetmaster HTTPS" check checks whether https://labs-puppetmaster.wikimedia.org:8140/ returns the expected HTTP status 400 Bad Request. According to the docs:
refusals and timeouts return STATE_CRITICAL other errors return STATE_UNKNOWN.
The "other error" here might be that the host uses a self-signed certificate (so no connection is established to begin with and the actual check for the HTTP response status cannot be checked). Yuvi added it back in 2014, but he's not around any more. Probably WMCS can help sort this out.
It's supposed to have a certificate signed like that, clients of that puppetmaster will trust it as it's added to their trust store, clients of other puppetmasters (e.g. in beta) will not trust it as a different puppetmaster is in charge. I'm not sure why that check is in place for hosts that do not use the labs central puppetmaster, but since these checks are run on the shinken server and that uses the central labs puppetmaster, it should Just Work
Looks like this was broken by @herron in https://gerrit.wikimedia.org/r/#/c/392423/ - check_https_port_status was changed to require an extra argument, but the shinken caller was not updated
Change 435075 had a related patch set uploaded (by Alex Monk; owner: Alex Monk):
[operations/puppet@production] Fix Ifa0b210f: Fix another caller of this function to not break
Change 435075 merged by Dzahn:
[operations/puppet@production] Fix Ifa0b210f: Fix another caller of this function to not break
Per the link in the task description labs-puppetmaster/Labs Puppetmaster HTTPS is OK since 19m 45s