Page MenuHomePhabricator

Standalone puppetmaster seems broken, possibly due to FQDN changes
Closed, InvalidPublic

Description

Reported by @razzi and @Ottomata:
There's an issue with a standalone created last week running buster named razzi-puppetmaster.analytics.eqiad.wmflabs, which is a fine client of itself, but on a new client:

root@razzi-puppet-client:~# puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=razzi-puppetmaster.analytics.eqiad.wmflabs]
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=razzi-puppetmaster.analytics.eqiad.wmflabs]
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=razzi-puppetmaster.analytics.eqiad.wmflabs]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=razzi-puppetmaster.analytics.eqiad.wmflabs]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=razzi-puppetmaster.analytics.eqiad.wmflabs]
Info: Loading facts
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=razzi-puppetmaster.analytics.eqiad.wmflabs]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=razzi-puppetmaster.analytics.eqiad.wmflabs]

It appears that this is just a matter of adding another name to the puppetmaster's cert so DNS matches up or something like that.

Event Timeline

nskaggs triaged this task as Medium priority.Oct 20 2020, 4:38 PM
nskaggs moved this task from Inbox to Doing on the cloud-services-team (Kanban) board.

I hadn't been using razzi-puppetmaster or razzi-puppet-client for a bit and removed them in the Cloud VPS 2020 Purge. If necessary I can recreate that setup; it consisted of creating a standalone puppetmaster following https://wikitech.wikimedia.org/wiki/Help:Standalone_puppetmaster#How_can_I_use_a_local_Puppetmaster? (we didn't enable autosigning on the puppetmaster) and running the following 3 commands got razzi-puppet-client as per the client setup instructions:

sudo -i puppet agent --test --verbose
sudo rm -rf /var/lib/puppet/ssl
sudo -i puppet agent --test --verbose

The final puppet agent produced the error output we reported.

I'm unable to reproduce this. Please re-open if you find this problem again in the future.