
Puppet failing on deployment-parsoid12.deployment-prep.eqiad1.wikimedia.cloud due to cfssl signing failure
Closed, Resolved (Public)

Description

Manual exec of failing puppet action to show error message:

$ sudo -i /usr/bin/cfssl sign -config /etc/cfssl/client-cfssl.conf -tls-remote-ca /etc/ssl/localcerts/pki_api_CA.pem -mutual-tls-client-cert /var/lib/puppet/ssl/certs/deployment-parsoid12.deployment-prep.eqiad1.wikimedia.cloud.pem -mutual-tls-client-key /var/lib/puppet/ssl/private_keys/deployment-parsoid12.deployment-prep.eqiad1.wikimedia.cloud.pem -label deployment_prep_eqiad1_wikimedia_cloud -profile server /etc/envoy/ssl/deployment-prep_eqiad1_wikimedia_cloud__parsoid_svc_deployment-prep_eqiad1_wikimedia_cloud_server.csr | /usr/bin/cfssljson -bare /etc/envoy/ssl/deployment-prep_eqiad1_wikimedia_cloud__parsoid_svc_deployment-prep_eqiad1_wikimedia_cloud_server
2021/07/09 14:43:28 [INFO] Using client auth with mutual-tls-cert: /var/lib/puppet/ssl/certs/deployment-parsoid12.deployment-prep.eqiad1.wikimedia.cloud.pem and mutual-tls-key: /var/lib/puppet/ssl/private_keys/deployment-parsoid12.deployment-prep.eqiad1.wikimedia.cloud.pem
2021/07/09 14:43:28 [INFO] Using trusted CA from tls-remote-ca: /etc/ssl/localcerts/pki_api_CA.pem
{"code":7400,"message":"failed POST to https://pki-intermediate.pki.eqiad1.wikimedia.cloud:443/api/v1/cfssl/authsign: Post \"https://pki-intermediate.pki.eqiad1.wikimedia.cloud:443/api/v1/cfssl/authsign\": x509: certificate relies on legacy Common Name field, use SANs or temporarily enable Common Name matching with GODEBUG=x509ignoreCN=0"}
Failed to parse input: unexpected end of JSON input
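
The x509 error in the output above is produced by Go's crypto/x509 hostname check, which rejects a server certificate that has no subjectAltName extension even when its Common Name matches the host. The Go program below is an added example, not part of the original task or of cfssl: it builds throwaway self-signed certificates in memory and runs the same check on each. The hostname `pki.example.test` and the helper names `hasSAN` and `check` are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// hasSAN reports whether the certificate carries a subjectAltName extension (OID 2.5.29.17).
func hasSAN(c *x509.Certificate) bool {
	for _, e := range c.Extensions {
		if e.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 17}) {
			return true
		}
	}
	return false
}

// check builds a constructed self-signed test certificate with the given CN and
// DNS SANs, then returns whether it has a SAN and the result of VerifyHostname.
func check(cn string, sans []string, host string) (bool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: sans}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return false, err
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		return false, err
	}
	return hasSAN(c), c.VerifyHostname(host)
}

func main() {
	const host = "pki.example.test" // placeholder hostname, not taken from the task
	for _, sans := range [][]string{nil, {host}} { // CN-only first, then CN plus SAN
		san, err := check(host, sans, host)
		fmt.Printf("hasSAN=%v verify=%v\n", san, err)
	}
}
```

Running `hasSAN` over the certificate a signing endpoint actually serves shows whether a Go client such as `cfssl` will accept it.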

Event Timeline

Mentioned in SAL (#wikimedia-releng) [2021-07-09T14:47:11Z] <bd808> Silenced puppet failure alert for deployment-parsoid12 for 7 days (T286375)

taavi claimed this task.
taavi added a subscriber: taavi.

Fixed by resolving merge conflicts on deployment-puppetmaster04. Closing this one; the larger issues are tracked in T161675.