Page MenuHomePhabricator
Create Task
Maniphest T350111

PKI system is unable to serve new certificates to debmonitor / other systems, causing puppet failures across the fleet.
Closed, DuplicatePublic
Actions

Description

Since this change was merged and applied

https://gerrit.wikimedia.org/r/c/operations/puppet/+/969937

It seems that the PKI subsystem has been unable to work:

  • ocsp refresh jobs fail to update the database as it seems the server doesn't have the old puppet CA in the main certstore anymore
  • Other servers don't seem to be able to refresh their certs from the PKI

As a consequence, puppet runs are broken across the fleet since last night at 17:40 UTC.

Details

SubjectRepoBranchLines +/-
P:pki: use wmf-ca-certificatesoperations/puppetproduction+2 -2
Customize query in gerrit

Related Objects

Event Timeline

Joe created this task.Oct 31 2023, 8:19 AM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 31 2023, 8:19 AM
Joe triaged this task as Unbreak Now! priority.Oct 31 2023, 8:20 AM
Joe updated the task description. (Show Details)
gerritbot added a comment.Oct 31 2023, 8:29 AM

Change 970267 had a related patch set uploaded (by Majavah; author: Majavah):

[operations/puppet@production] P:pki: use wmf-ca-certificates

https://gerrit.wikimedia.org/r/970267

gerritbot added a project: Patch-For-Review.Oct 31 2023, 8:29 AM
gerritbot added a comment.Oct 31 2023, 8:32 AM

Change 970267 merged by Jbond:

[operations/puppet@production] P:pki: use wmf-ca-certificates

https://gerrit.wikimedia.org/r/970267

jcrespo subscribed.Oct 31 2023, 8:50 AM
RhinosF1 subscribed.Oct 31 2023, 8:59 AM
Maintenance_bot removed a project: Patch-For-Review.Oct 31 2023, 9:10 AM
jbond closed this task as a duplicate of T350118: Investigate PKI errors.Oct 31 2023, 10:03 AM

The immediate incident has been resolved ill complete the investigation in T350118

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL