[23:46:07] anyone got "self-signed certificate in certificate chain" before when using reimage cookbook? failed puppet run
[23:46:37] Cloud Services appears in chain for a prod VM. /OU=Cloud Services/CN=Wikimedia_Internal_Root_CA]
[23:48:33] mutante: It might be that it's related to the puppet 7 roll-out. There have been lots of patches like this required recently, which update the puppet CA certificate to include a new bundle that supports puppet 5 and puppet 7: https://gerrit.wikimedia.org/r/c/operations/puppet/+/968666
[23:49:26] btullis: thank you, yes, I did try to upgrade to puppet7. I thought it was already broken before that, but maybe not. looking!
[23:51:23] The key thing with the puppet 7 upgrade is that the file `/etc/ssl/certs/Puppet_Internal_CA.pem` contains *only* the version 5 or version 7 CA's certificate. If you can use `/etc/ssl/certs/wmf-ca-certificates.crt` in its place, you should be away.
[23:52:04] hmm, *nod*, except I don't knowingly use one or the other, just some very simple role/profile that does basically nothing except installing 2 packages so far
[23:52:15] and I have 2 VMs where one has the issue and the other does not :)
[23:52:44] trying to reimage is already attempting to fix that the puppet cert was not signed
[23:54:32] I think I will try what happens if I remove the "force puppet 7" Hiera key and use reimage again
[23:54:58] cert wasn't signed before adding the puppet7 part.. hmmr
[23:55:38] OK, understood. I could, of course, be barking up the wrong tree. But this is the tracking ticket for changing the handling of `expose_puppet_certs` which is my best guess. https://phabricator.wikimedia.org/T340741 - Best wishes.
[23:55:40] thanks again for valuable hints
[23:55:51] yw
[23:55:53] ACK, great