[10:03:28] <jbond>	 godog: fyi im mergin the rsyslog ossl patches now
[10:14:18] <godog>	 jbond: cheers! SGTM
[11:05:00] <godog>	 jbond: I see some failed errors at https://grafana.wikimedia.org/d/000000596/rsyslog?orgId=1&refresh=5m which I'm looking into
[11:06:10] <jbond>	 godog: ack
[11:21:23] <godog>	 jbond: it is toil::rsyslog_tls_remedy failing validation which fair enough, I'm tempted to remove the remedy now, alternatively what are the key/cert/ca to use locally in that case?
[11:21:36] <godog>	 i.e. use openssl s_client as root to connect to a local service
[11:23:10] <jbond>	 godog: has changing to openssl forced mtsl?
[11:23:18] <godog>	 it looks like it
[11:23:41] <godog>	 I think I'll remove the remedy, it was put in place for gnutls specifically
[11:23:48] <jbond>	 godog: ack sgtm
[11:23:56] <jbond>	 but tr its the puppet certs you would need to use
[11:24:20] <godog>	 ack, which ca file ?
[11:24:43] <godog>	 I guess certs/ca.pem
[11:25:03] <jbond>	 for the ca file you are genrally best to use /etc/ssl/certs/wmf-ca-certificates.crt which wil ltrust both old and new
[11:25:25] <godog>	 ack
[11:25:36] <jbond>	 you can se the following puppet function to return that path
[11:25:38] <jbond>	 profile::base::certificates::get_trusted_ca_path()
[11:25:51] <jbond>	 just in case we change it or something down the road
[11:26:54] <godog>	 good idea, are there equivalent helpers to get the puppet key/cert paths ?
[11:27:43] <jbond>	 godog: for the puppet certs use the facts
[11:27:54] <jbond>	 $facts['puppet_config']['hostcert']
[11:27:57] <godog>	 makes sense, thank you
[11:28:04] <jbond>	 $facts['puppet_config']['hostprivkey']
[11:28:08] <jbond>	 np
[14:08:47] <godog>	 an head scratcher so far https://phabricator.wikimedia.org/T351710
[14:08:59] <godog>	 especially the bit where rsyslog on centrallog1002 is all quiet
[14:09:07] <godog>	 in terms of errors that is
[14:59:52] <Southparkfan>	 Congrats on switching rsyslog from gnutls to openssl in prod :)