On puppetmaster1001.wikimedia.org:
andrew@puppetmaster1001:/srv/private/modules/secret/secrets/puppetmaster$ tail /etc/puppet/puppet.conf storeconfigs = true storeconfigs_backend = puppetdb stringify_facts = false always_cache_features = true trusted_node_data = true # SSL ssldir = /var/lib/puppet/server/ssl/ hostcert = /var/lib/puppet/server/ssl/certs/puppetmaster1001.eqiad.wmnet.pem hostprivkey = /var/lib/puppet/server/ssl/private_keys/puppetmaster1001.eqiad.wmnet.pem andrew@puppetmaster1001:/srv/private/modules/secret/secrets/puppetmaster$ sudo ls /var/lib/puppet/server/ssl/certs/puppetmaster1001.eqiad.wmnet.pem ls: cannot access '/var/lib/puppet/server/ssl/certs/puppetmaster1001.eqiad.wmnet.pem': No such file or directory andrew@puppetmaster1001:/srv/private/modules/secret/secrets/puppetmaster$ sudo ls /var/lib/puppet/server/ssl/private_keys/puppetmaster1001.eqiad.wmnet.pem ls: cannot access '/var/lib/puppet/server/ssl/private_keys/puppetmaster1001.eqiad.wmnet.pem': No such file or directory andrew@puppetmaster1001:/srv/private/modules/secret/secrets/puppetmaster$
Both $hostcert and $hostprivkey refer to files that don't actually exist. Clearly we're getting along fine without them, but this still seems kind of bad... I'm trying to troubleshoot an issue with a different puppetmaster (T181523) and have discovered that puppetmaster1001 is maybe not a great example to follow.