Since this change was merged and applied
https://gerrit.wikimedia.org/r/c/operations/puppet/+/969937
It seems that the PKI subsystem has been unable to work:
- ocsp refresh jobs fail to update the database as it seems the server doesn't have the old puppet CA in the main certstore anymore
- Other servers don't seem to be able to refresh their certs from the PKI
As a consequence, puppet runs are broken across the fleet since last night at 17:40 UTC.