The etcd-v3.[eqiad|codfw].wmnet certs used by Nginx on the conf* hosts are currently using a certificate signed by the old Puppet 5 CA using the sslcert::certificate() define and cergen. They need to be moved to the PKI before the conf servers can be migrated to Puppet 7.
profile::etcd::v3 needs to switch to PKI certs as well, there's a Hiera flag use_pki_certs to that effect (already in use by the other etcd clusters we run).