Page MenuHomePhabricator

Puppet failing on due to cfssl signing failure
Closed, ResolvedPublic


Manual exec of failing puppet action to show error message:

$ sudo -i /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/localcerts/pki_api_CA.pem -mutual-tls-client-cert /var/lib/puppet/ssl/certs/ -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/ -label deployment_prep_eqiad1_wikimedia_cloud -profile server /etc/envoy/ssl/deployment-prep_eqiad1_wikimedia_cloud__parsoid_svc_deployment-prep_eqiad1_wikimedia_cloud_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/deployment-prep_eqiad1_wikimedia_cloud__parsoid_svc_deployment-prep_eqiad1_wikimedia_cloud_server
2021/07/09 14:43:28 [INFO] Using client auth with mutual-tls-cert: /var/lib/puppet/ssl/certs/ and mutual-tls-key: /var/lib/puppet/ssl/private_keys/
2021/07/09 14:43:28 [INFO] Using trusted CA from tls-remote-ca: /etc/ssl/localcerts/pki_api_CA.pem
{"code":7400,"message":"failed POST to Post \"\": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0"}
Failed to parse input: unexpected end of JSON input

Event Timeline

Mentioned in SAL (#wikimedia-releng) [2021-07-09T14:47:11Z] <bd808> Slienced puppet failure alert for deployment-parsoid12 for 7 days (T286375)

taavi claimed this task.
taavi added a subscriber: taavi.

Fixed by resolving merge conflicts on deployment-puppetmaster04. Closing this one, the larger issues are tracked in T161675