Change Details

After migrating the pki infrastructure to puppet7 we started to see issues with certificate renewal. It seems the main error seen was ``` "https://pki.discovery.wmnet:443/api/v1/cfssl/authsign\": x509: issuer name does not match subject from issuing certificate ``` which is caused by the [[ https://github.com/ikapelyukhin/go-x509-issuer-name-does-not-match-subject, | strict processing in go ]] and the lax ssl implementation in puppet [insert puppet bug here] It was also noticed that the ocsp refresh process was failing with ``` ERROR:root:debmonitor issue with SQL query: (2003, "Can't connect to MySQL server on 'm1-master.eqiad.wmnet' ([SSL:CERTIFICATE_VERIFY_FAILED] certificate veri> ``` which was fixed by [ https://gerrit.wikimedia.org/r/c/operations/puppet/+/970267/ | updating the ca trust bundle ] To fix the issue i have now de-pooled pki2002 which is still using puppet7 so we can debug and rolled back pki1001 to puppet5

After migrating the pki infrastructure to puppet7 we started to see issues with certificate renewal. It seems the main error seen was ``` "https://pki.discovery.wmnet:443/api/v1/cfssl/authsign\": x509: issuer name does not match subject from issuing certificate ``` which is caused by the [[ https://github.com/ikapelyukhin/go-x509-issuer-name-does-not-match-subject, | strict processing in go ]] and the lax ssl implementation in puppet [insert puppet bug here] It was also noticed that the ocsp refresh process was failing with ``` ERROR:root:debmonitor issue with SQL query: (2003, "Can't connect to MySQL server on 'm1-master.eqiad.wmnet' ([SSL:CERTIFICATE_VERIFY_FAILED] certificate veri> ``` which was fixed by [[ https://gerrit.wikimedia.org/r/c/operations/puppet/+/970267/ | updating the ca trust bundle ]] To fix the issue i have now de-pooled pki2002 which is still using puppet7 so we can debug and rolled back pki1001 to puppet5

After migrating the pki infrastructure to puppet7 we started to see issues with certificate renewal. It seems the main error seen was ``` "https://pki.discovery.wmnet:443/api/v1/cfssl/authsign\": x509: issuer name does not match subject from issuing certificate ``` which is caused by the [[ https://github.com/ikapelyukhin/go-x509-issuer-name-does-not-match-subject, | strict processing in go ]] and the lax ssl implementation in puppet [insert puppet bug here] It was also noticed that the ocsp refresh process was failing with ``` ERROR:root:debmonitor issue with SQL query: (2003, "Can't connect to MySQL server on 'm1-master.eqiad.wmnet' ([SSL:CERTIFICATE_VERIFY_FAILED] certificate veri> ``` which was fixed by [[ https://gerrit.wikimedia.org/r/c/operations/puppet/+/970267/ | updating the ca trust bundle ]] To fix the issue i have now de-pooled pki2002 which is still using puppet7 so we can debug and rolled back pki1001 to puppet5