The list of services without TLS that ATS needs to connect to (T210411) was missing debmonitor, given that debmonitor.discovery.wmnet does listen on 443.
The TLS certificate for debmonitor.discovery.wmnet did not list debmonitor.wikimedia.org in the SAN field, causing HTTP requests going via ATS to result in 502 errors. I've re-created the certificate for debmonitor on the puppetmaster by using cergen and including both debmonitor.wikimedia.org and debmonitor.discovery.wmnet in SAN.
This is, however, not enough to fix ATS request routing to debmonitor, as the origins expect a client certificate to be supplied for TLS connections to go through.
# Internal-only HTTPS listener for debmonitor clients to POST their package lists.
# Clients will be authenticating with the Puppet certificate to ensure that each
# host can update only its own packages.
All debmonitor requests going via ATS now result in 400 errors.
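The SAN mismatch above is the kind of thing a pre-deployment check catches: given the dNSName entries of a certificate and the hostnames the proxy will present in SNI/Host, report which ones the certificate does not cover. The following is an added example, not part of this task or of any Wikimedia tooling; the two SAN lists are constructed to mirror the before and after states described above, and the wildcard rules follow RFC 6125 (single leftmost whole-label wildcard matching exactly one label).

```python
"""Check whether a certificate's SAN dNSName entries cover the hostnames a
proxy such as ATS will use when connecting to the origin."""
from __future__ import annotations


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName against a hostname using RFC 6125 6.4.3 rules."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label (no "deb*.example"),
    # must be the only wildcard, and (a deliberately strict choice here)
    # needs at least two labels to its right, so "*.org" is rejected.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    # A wildcard matches exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    # Do not let a wildcard stand in for an IDNA A-label (xn--...).
    if not h_labels[0] or h_labels[0].startswith("xn--"):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_covered(san_dns_names: list[str], hostname: str) -> bool:
    """True if any SAN dNSName entry covers the given hostname."""
    return any(_dns_name_matches(name, hostname) for name in san_dns_names)


def missing_names(san_dns_names: list[str], required: list[str]) -> list[str]:
    """Return the required hostnames that the SAN list does not cover."""
    return [h for h in required if not hostname_covered(san_dns_names, h)]


# Constructed SAN lists mirroring the certificate before and after re-creation.
OLD_SAN = ["debmonitor.discovery.wmnet"]
NEW_SAN = ["debmonitor.wikimedia.org", "debmonitor.discovery.wmnet"]
# Hostnames the proxy may present: the public name and the discovery name.
REQUIRED = ["debmonitor.wikimedia.org", "debmonitor.discovery.wmnet"]

if __name__ == "__main__":
    print("old cert missing:", missing_names(OLD_SAN, REQUIRED))
    print("new cert missing:", missing_names(NEW_SAN, REQUIRED))
```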