[14:54:14] jbond42: hi, trying to follow https://wikitech.wikimedia.org/wiki/PKI/Clients but have a few questions, first, where are the certificate files stored? and second, how do I know what should the `label` field be set to?
[14:59:06] Majavah: by default the certs are stored in /etc/cfssl/ssl/ one folder per cert, however you can override this using the outdir parameter to cfssl::cert https://github.com/wikimedia/puppet/blob/production/modules/cfssl/manifests/cert.pp#L15
[14:59:39] the label is the CA which you want to use to sign, for deployment prep use `deployment-prep_eqiad1_wikimedia_cloud`
[15:03:53] dcaro: o/ ok to merge?
[15:04:04] elukey: yes, sorry
[15:04:06] thanks
[15:04:08] :)
[15:04:46] done!
[15:04:56] 👍
[15:10:50] jbond42: I tried https://gerrit.wikimedia.org/r/c/operations/puppet/+/674077/ but jenkins is complaining, what's the correct way to get the cert paths? should I just overwrite it and put them inside /etc/etcd or what?
[15:17:03] Majavah: instead of include cfssl you should include profile::pki::client
[15:17:40] as to the file paths what you have looks correct to me, but you can also specify the outdir whichever is preferable
[15:18:39] wouldn't I need to include ::cfssl to get the ::cfssl::conf_dir variable needed for paths? I don't see that on profile::pki::client
[15:33:16] Majavah: ahh i see. so first you need to include profile::pki::client on the node as that sets the node as a client of the pki server which is needed to request certs.
[15:34:31] the profile does include cfssl so you would have access however it's not obvious and i would normally also include cfssl explicitly if i wanted to use cfssl::conf_dir. however the style guide doesn't like this pattern
[15:40:04] _joe_: you wanted to implement etcd ssl using the new pki service, want to test https://gerrit.wikimedia.org/r/c/operations/puppet/+/674077/ at some point?
[15:40:35] Majavah: considering the style guide i think the cleaner option may be to specify your own outdir = /etc/etcd/ssl
[15:41:00] jbond42: sure, I can do that too
[15:52:10] <_joe_> Majavah: I don't have much time to look into it right now, but I'll try to take a look this week
[15:52:20] thank you!
[17:09:20] slides: https://commons.wikimedia.org/wiki/File:Debugging_MediaWiki.pdf
[17:09:56] thanks legoktm! really enjoyed that
[17:10:04] learned a lot also
[17:24:12] ah thanks for the deck
[20:45:51] legoktm: fatal.log is no more
[20:46:07] channel fatal was folded into exception :)
[21:12:20] Krinkle: and here I thought it was missing on mwlog because we just didn't have any fatals today :p thanks, I'll update the PDF in a bit
[21:38:33] jbond42: btw, query_facts is deterministic, but the order appears arbitrary so I think I will add an explicit sort by hostname
[21:41:55] legoktm: cool :) - yeah, we now have only 'error' (php stderr notice/warn/error, not thrown or caught) and 'exception' (anything throwable or otherwise fatalable)
[23:06:09] > Cannot serve directory /srv/mediawiki/docroot/wikipedia.org/static/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm) found, and server-generated directory index forbidden by Options directive
[23:06:16] seeing a bit of noise like this in the logs
[23:06:43] is there something I can do to shut this up without changing the effective behaviour? E.g. telling it that it's not expected to find anything in the first place?