
Standalone puppetmaster seems broken, possibly due to FQDN changes
Closed, Invalid, Public

Description

Reported by @razzi and @Ottomata:
There's an issue with a standalone created last week running buster named razzi-puppetmaster.analytics.eqiad.wmflabs, which is a fine client of itself, but on a new client:

root@razzi-puppet-client:~# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=razzi-puppetmaster.analytics.eqiad.wmflabs]
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=razzi-puppetmaster.analytics.eqiad.wmflabs]
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=razzi-puppetmaster.analytics.eqiad.wmflabs]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=razzi-puppetmaster.analytics.eqiad.wmflabs]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=razzi-puppetmaster.analytics.eqiad.wmflabs]
Info: Loading facts
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=razzi-puppetmaster.analytics.eqiad.wmflabs]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=razzi-puppetmaster.analytics.eqiad.wmflabs]

It appears that this is just a matter of adding another name to the puppetmaster's cert so DNS matches up or something like that.

Event Timeline

nskaggs moved this task from Inbox to Doing on the cloud-services-team (Kanban) board.

I hadn't been using razzi-puppetmaster or razzi-puppet-client for a bit and removed them in the Cloud VPS 2020 Purge. If necessary I can recreate that setup; it consisted of creating a standalone puppetmaster following https://wikitech.wikimedia.org/wiki/Help:Standalone_puppetmaster#How_can_I_use_a_local_Puppetmaster? (we didn't enable autosigning on the puppetmaster) and running the following 3 commands on razzi-puppet-client as per the client setup instructions:

sudo -i puppet agent --test --verbose
sudo rm -rf /var/lib/puppet/ssl
sudo -i puppet agent --test --verbose

The final puppet agent produced the error output we reported.

I'm unable to reproduce this. Please re-open if you find this problem again in the future.