Page MenuHomePhabricator

Puppet failing on deployment-parsoid12.deployment-prep.eqiad1.wikimedia.cloud due to cfssl signing failure
Closed, ResolvedPublic

Description

Manual exec of failing puppet action to show error message:

$ sudo -i /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/localcerts/pki_api_CA.pem -mutual-tls-client-cert /var/lib/puppet/ssl/certs/deployment-parsoid12.deployment-prep.eqiad1.wikimedia.cloud.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/deployment-parsoid12.deployment-prep.eqiad1.wikimedia.cloud.pem -label deployment_prep_eqiad1_wikimedia_cloud -profile server /etc/envoy/ssl/deployment-prep_eqiad1_wikimedia_cloud__parsoid_svc_deployment-prep_eqiad1_wikimedia_cloud_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/deployment-prep_eqiad1_wikimedia_cloud__parsoid_svc_deployment-prep_eqiad1_wikimedia_cloud_server
2021/07/09 14:43:28 [INFO] Using client auth with mutual-tls-cert: /var/lib/puppet/ssl/certs/deployment-parsoid12.deployment-prep.eqiad1.wikimedia.cloud.pem and mutual-tls-key: /var/lib/puppet/ssl/private_keys/deployment-parsoid12.deployment-prep.eqiad1.wikimedia.cloud.pem
2021/07/09 14:43:28 [INFO] Using trusted CA from tls-remote-ca: /etc/ssl/localcerts/pki_api_CA.pem
{"code":7400,"message":"failed POST to https://pki-intermediate.pki.eqiad1.wikimedia.cloud:443/api/v1/cfssl/authsign: Post \"https://pki-intermediate.pki.eqiad1.wikimedia.cloud:443/api/v1/cfssl/authsign\": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0"}
Failed to parse input: unexpected end of JSON input

Event Timeline

Mentioned in SAL (#wikimedia-releng) [2021-07-09T14:47:11Z] <bd808> Slienced puppet failure alert for deployment-parsoid12 for 7 days (T286375)

Majavah claimed this task.
Majavah added a subscriber: Majavah.

Fixed by resolving merge conflicts on deployment-puppetmaster04. Closing this one, the larger issues are tracked in T161675