Page MenuHomePhabricator
Create Task
Maniphest T208885

Puppet errors on test-twemproxy project
Closed, ResolvedPublic
Actions

Description

Puppet has been failing on these servers:

  • mc-clusterA-1.test-twemproxy.eqiad.wmflabs
  • mc-clusterA-2.test-twemproxy.eqiad.wmflabs
  • mc-clusterB-1.test-twemproxy.eqiad.wmflabs
  • mc-clusterB-2.test-twemproxy.eqiad.wmflabs

If these are one-off test servers, please let us know so we can delete them.

Otherwise, could you take a few minutes to fix that? Thank you!

Related Objects
Search...

StatusSubtypeAssignedTask
 Resolved GTirloniT208856 Instances with Puppet failures
 Resolvedbd808T208885 Puppet errors on test-twemproxy project

Event Timeline

GTirloni triaged this task as High priority.Nov 6 2018, 7:52 PM
GTirloni created this task.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 6 2018, 7:52 PM
bd808 subscribed.Nov 6 2018, 10:43 PM

On mc-clustera-1.test-twemproxy.eqiad.wmflabs:

$ puppet agent -tv
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert certificate revoked
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert certificate revoked
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert certificate revoked
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert certificate revoked
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert certificate revoked
Info: Loading facts
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert certificate revoked
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert certificate revoked

Fixed with:

$ rm -rf /var/lib/puppet/ssl
$ puppet agent -tv

Another victim of eqiad1-r migration strangeness?

bd808 closed this task as Resolved.Nov 6 2018, 10:52 PM
bd808 claimed this task.
bd808 added a subscriber: Andrew.

Same problem and fix on mc-clusterA-2.test-twemproxy.eqiad.wmflabs, mc-clusterB-1.test-twemproxy.eqiad.wmflabs, and mc-clusterB-2.test-twemproxy.eqiad.wmflabs

@Andrew, does this seem like a problem that could be caused by the region migration script? Is there a way that a "delete" event could have been sent out that made labs-puppetmaster.wikimedia.org revoke the client certs?

Andrew added a comment.Nov 7 2018, 12:55 AM

It's unlikely that moving the clients would break that. It's /possible/ that moving the master itself broke things but I haven't seen that happen before.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL