After migrating the PKI infrastructure to puppet7 we started to see issues with certificate renewal. It seems the main error seen was
```
"https://pki.discovery.wmnet:443/api/v1/cfssl/authsign\": x509: issuer name does not match subject from issuing certificate
```
which is caused by the [[ https://github.com/ikapelyukhin/go-x509-issuer-name-does-not-match-subject | strict processing in Go ]] and the lax SSL implementation in puppet [insert puppet bug here].
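As an added illustration (not code from the task, from cfssl or from Go itself), the Go program below reproduces the comparison behind that error: Go's chain builder requires the child's DER-encoded Issuer to equal the parent's DER-encoded Subject byte for byte. It builds a constructed root CA (the names "Constructed Root CA" and "leaf.example.test" are made up) and signs two leaves with it; both signatures verify, but the leaf whose issuer DN was re-encoded with an extra attribute fails the strict name check.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issuerMatchesSubject is the strict check Go's crypto/x509 chain builder applies:
// the child's DER Issuer must equal the parent's DER Subject byte for byte.
func issuerMatchesSubject(child, parent *x509.Certificate) bool {
	return bytes.Equal(child.RawIssuer, parent.RawSubject)
}

// mustIssue signs tmpl with caKey; the Issuer DN is copied from issuer's Subject.
func mustIssue(tmpl, issuer *x509.Certificate, pub, caKey any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, caKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}

// demoChain builds a constructed root CA and two leaves signed by its key; both
// signatures verify, but only the strictly issued leaf passes the name check.
func demoChain() (strictMatches, laxMatches bool, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, NotBefore: now, NotAfter: now.Add(time.Hour),
		Subject: pkix.Name{CommonName: "Constructed Root CA"}} // constructed name
	ca := mustIssue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: now.Add(time.Hour),
		Subject: pkix.Name{CommonName: "leaf.example.test"}} // constructed name
	strict := mustIssue(leafTmpl, ca, &leafKey.PublicKey, caKey) // Issuer DN copied from the parsed CA cert
	lax := *caTmpl // same CA, same key, but its DN re-encoded with an extra O= attribute
	lax.Subject = pkix.Name{CommonName: "Constructed Root CA", Organization: []string{"Ops"}}
	laxLeaf := mustIssue(leafTmpl, &lax, &leafKey.PublicKey, caKey)
	if err = laxLeaf.CheckSignatureFrom(ca); err != nil { // the lax leaf's signature is still valid
		return false, false, err
	}
	return issuerMatchesSubject(strict, ca), issuerMatchesSubject(laxLeaf, ca), nil
}
```

The same two-line comparison, run over a PEM chain before rollout, tells you whether an issuer will be rejected by Go clients regardless of what a lax verifier accepts.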
It was also noticed that the OCSP refresh process was failing with
```
ERROR:root:debmonitor issue with SQL query: (2003, "Can't connect to MySQL server on 'm1-master.eqiad.wmnet' ([SSL:CERTIFICATE_VERIFY_FAILED] certificate veri>
```
which was fixed by [[ https://gerrit.wikimedia.org/r/c/operations/puppet/+/970267/ | updating the CA trust bundle ]].
To fix the issue I have now de-pooled pki2002, which is still using puppet7 so we can debug, and rolled back pki1001 to puppet5.