Page MenuHomePhabricator
Create Task
Maniphest T268964

phabricator-stage-1001.devtools.eqiad1.wikimedia.cloud fails puppet
Closed, ResolvedPublic
Actions

Description

Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate rejected): [ok for /CN=puppetmaster-1001.devtools.eqiad1.wikimedia.cloud]

Details

SubjectRepoBranchLines +/-
devtools: update puppetmaster DNS domainoperations/puppetproduction+2 -1
Customize query in gerrit

Related Objects

Event Timeline

hashar created this task.Nov 30 2020, 7:55 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptNov 30 2020, 7:55 AM
hashar added a comment.Nov 30 2020, 8:06 AM

I have manually edit /etc/puppet/puppet.conf to point to the generic puppet master: puppetmaster.cloudinfra.wmflabs.org

Removed /var/lib/puppet/ssl

That is still changed though:

Notice: /Stage[main]/Base::Puppet/Base::Puppet::Config[main]/File[/etc/puppet/puppet.conf.d/10-main.conf]/content: 
--- /etc/puppet/puppet.conf.d/10-main.conf	2020-11-30 08:02:57.379634719 +0000
+++ /tmp/puppet-file20201130-32108-1od6utp	2020-11-30 08:04:23.722684248 +0000
@@ -11,7 +11,7 @@
 factpath = $vardir/lib/facter
 
 [agent]
-server = puppetmaster.cloudinfra.wmflabs.org
+server = puppetmaster-1001.devtools.eqiad.wmflabs

Because puppet.git has:

hieradata/cloud/eqiad1/devtools/common.yaml:158:profile::puppetdb::master: puppetmaster-1001.devtools.eqiad.wmflabs
hieradata/cloud/eqiad1/devtools/common.yaml:159:profile::puppetmaster::common::puppetdb_host: puppetmaster-1001.devtools.eqiad.wmflabs
hieradata/cloud/eqiad1/devtools/common.yaml:166:  puppetmaster-1001.devtools.eqiad.wmflabs:
hieradata/cloud/eqiad1/devtools/common.yaml:167:    - { worker: puppetmaster-1001.devtools.eqiad.wmflabs, loadfactor: 10 }
hieradata/cloud/eqiad1/devtools/hosts/phabricator-stage-1001.yaml:1:puppetmaster: puppetmaster-1001.devtools.eqiad.wmflabs
hashar added subscribers: Dzahn, 20after4, Paladox.Nov 30 2020, 8:12 AM

There is something broken with the Puppet master configuration for phabricator-stage-1001 and I can't quite figure it out :-\

Dzahn added a comment.EditedNov 30 2020, 2:43 PM
In T268964#6654787, @hashar wrote:

I have manually edit /etc/puppet/puppet.conf to point to the generic puppet master: puppetmaster.cloudinfra.wmflabs.org

Please don't. This is using our own local puppet master. And we don't manually edit config.

Dzahn added a comment.Nov 30 2020, 2:46 PM

It was previously broken by others trying to change puppet masters, apparently.

Dzahn claimed this task.Nov 30 2020, 2:54 PM
Dzahn removed a project: Release-Engineering-Team (Development services).
hashar added a comment.Nov 30 2020, 3:07 PM

It was broken due to some certificate issue. I tried switching to puppetmaster.cloudinfra.wmflabs.org cause that sometimes fix the cert. Puppet eventually set back the previous puppet master. Maybe there is an issue related to the instance FQDN used in the certificate? Anyway I haven't touched anything else after my short investigation.

gerritbot added a comment.Dec 14 2020, 8:18 AM

Change 649275 had a related patch set uploaded (by Hashar; owner: Hashar):
[operations/puppet@production] devtools: update puppetmaster DNS domain

https://gerrit.wikimedia.org/r/649275

gerritbot added a project: Patch-For-Review.Dec 14 2020, 8:18 AM
hashar claimed this task.Dec 14 2020, 8:29 AM

I fixed it by changing the Puppetmaster FQDN:

Instance Hiera config
- puppetmaster: puppetmaster-1001.devtools.eqiad.wmflabs
+ puppetmaster: puppetmaster-1001.devtools.eqiad1.wikimedia.cloud
gerritbot added a comment.Dec 14 2020, 4:55 PM

Change 649275 merged by Dzahn:
[operations/puppet@production] devtools: update puppetmaster DNS domain

https://gerrit.wikimedia.org/r/649275

Maintenance_bot removed a project: Patch-For-Review.Dec 14 2020, 5:10 PM
hashar closed this task as Resolved.Dec 14 2020, 5:50 PM
Dzahn added a comment.Dec 14 2020, 6:10 PM

Thank you! I was just checking on that instance as well and fixing it was on my list but did not get to it on Friday.

I see some other puppet warnings (for example related to aphlict) but the puppet run does finish :)

(The actual reason is not what was expected though)

Dzahn awarded a token.Dec 14 2020, 6:18 PM
Dzahn mentioned this in T299997: Puppet failure on phabricator-stage-1001.devtools.Apr 20 2022, 4:55 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL