[Bug 1814911] Re: charm deployment fails, when using self-signed certificate, which has IP address only (SAN)

James Page james.page at ubuntu.com
Wed Mar 6 12:16:23 UTC 2019


<jamespage> James Page rbasak: the recommends does not exist in xenial BUT python-ipaddress is already installed on a xenial base image I think
12:11 <rbalint> Balint Reczey cjwatson, ok, sorry for the wrong vote
12:11 <jamespage> James Page so a happy co-incidence means that stuff works OK on xenial, but not on trusty, where python-ipaddress is not installed
12:12 rbasak: I'm actually OK with marking the xenial task as invalid - I fixed the UCA part with a UCA specific patch which we auto-apply to add the recommends
12:12 <rbasak> Robie Basak jamespage: OK - but it's currently in Xenial unapproved and not in Trusty unapproved.
12:13 <jamespage> James Page rbasak: that's true - but this is a UCA specific issue on trusty, not a general trusty issue
12:13 ricab → ricab|lunch
12:13 <rbasak> Robie Basak I see, OK.
12:13 <jamespage> James Page rbasak: xenial feeds trusty/mitaka in the UCA
12:13 <rbasak> Robie Basak ah
12:14 I think I understand the situation then, thanks.
12:14 Are we in agreement to drop the Xenial SRU then? I'm still open to it if you want to push for it; I would prefer not to do it though.
12:16 <jamespage> James Page rbasak: updated bug

** Changed in: cloud-archive/mitaka
       Status: Triaged => Fix Released

** Changed in: python-urllib3 (Ubuntu Xenial)
       Status: Triaged => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1814911

Title:
  charm deployment fails, when using self-signed certificate, which has
  IP address only (SAN)

Status in Charm Helpers:
  Invalid
Status in Ubuntu Cloud Archive:
  Invalid
Status in Ubuntu Cloud Archive mitaka series:
  Fix Released
Status in python-urllib3 package in Ubuntu:
  Invalid
Status in python-urllib3 source package in Xenial:
  Invalid

Bug description:
  [Impact]
  Bug 1771988 introduced a fix to support IP-based SANs in certificates; however, the required new dependency (python-ipaddress) was not added to the Recommends of the package, which was an oversight of the original SRU.  This really only impacts on trusty deployments, as on xenial python-ipaddress is installed indirectly via another dependency.

  [Test Case]
  apt install python-urllib3
  python-ipaddress is not installed; certs with IP-based SANs won't verify correctly.

  [Regression Potential]
  Minimal - extra package installed on upgrades or install of urllib3

  [Original Bug Report]
  E.g. radosgw charm fails, when self-signed SSL certificate has IP address only (not hostname based).

  2019-02-06 13:05:46 DEBUG identity-service-relation-changed Traceback (most recent call last):
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed   File "/var/lib/juju/agents/unit-radosgw-int-0/charm/hooks/identity-service-relation-changed", line 400, in <module>
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed     hooks.execute(sys.argv)
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed   File "/var/lib/juju/agents/unit-radosgw-int-0/charm/hooks/charmhelpers/core/hookenv.py", line 800, in execute
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed     self._hooks[hook_name]()
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed   File "/var/lib/juju/agents/unit-radosgw-int-0/charm/hooks/charmhelpers/contrib/openstack/utils.py", line 1891, in wrapped_f
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed     restart_functions)
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed   File "/var/lib/juju/agents/unit-radosgw-int-0/charm/hooks/charmhelpers/core/host.py", line 730, in restart_on_change_helper
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed     r = lambda_f()
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed   File "/var/lib/juju/agents/unit-radosgw-int-0/charm/hooks/charmhelpers/contrib/openstack/utils.py", line 1890, in <lambda>
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed     (lambda: f(*args, **kwargs)), restart_map, stopstart,
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed   File "/var/lib/juju/agents/unit-radosgw-int-0/charm/hooks/identity-service-relation-changed", line 245, in identity_changed
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed     configure_https()
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed   File "/var/lib/juju/agents/unit-radosgw-int-0/charm/hooks/identity-service-relation-changed", line 389, in configure_https
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed     setup_keystone_certs(CONFIGS)
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed   File "/var/lib/juju/agents/unit-radosgw-int-0/charm/hooks/utils.py", line 356, in _inner2_defer_if_unavailable
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed     return f(*args, **kwargs)
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed   File "/var/lib/juju/agents/unit-radosgw-int-0/charm/hooks/utils.py", line 496, in setup_keystone_certs
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed     get_ks_ca_cert(ksclient, auth_endpoint, certs_path)
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed   File "/var/lib/juju/agents/unit-radosgw-int-0/charm/hooks/utils.py", line 356, in _inner2_defer_if_unavailable
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed     return f(*args, **kwargs)
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed   File "/var/lib/juju/agents/unit-radosgw-int-0/charm/hooks/utils.py", line 414, in get_ks_ca_cert
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed     ca_cert = get_ks_cert(ksclient, auth_endpoint, 'ca')
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed   File "/var/lib/juju/agents/unit-radosgw-int-0/charm/hooks/utils.py", line 356, in _inner2_defer_if_unavailable
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed     return f(*args, **kwargs)
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed   File "/var/lib/juju/agents/unit-radosgw-int-0/charm/hooks/utils.py", line 384, in get_ks_cert
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed     cert = ksclient.certificates.get_ca_certificate()
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed   File "/usr/lib/python2.7/dist-packages/keystoneclient/v2_0/certificates.py", line 29, in get_ca_certificate
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed     resp, body = self._client.get('/certificates/ca', authenticated=False)
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed   File "/usr/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 173, in get
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed     return self.request(url, 'GET', **kwargs)
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed   File "/usr/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 331, in request
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed     resp = super(LegacyJsonAdapter, self).request(*args, **kwargs)
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed   File "/usr/lib/python2.7/dist-packages/keystoneauth1/adapter.py", line 98, in request
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed     return self.session.request(url, method, **kwargs)
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed   File "/usr/lib/python2.7/dist-packages/positional/__init__.py", line 94, in inner
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed     return func(*args, **kwargs)
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed   File "/usr/lib/python2.7/dist-packages/keystoneclient/session.py", line 405, in request
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed     resp = send(**kwargs)
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed   File "/usr/lib/python2.7/dist-packages/keystoneclient/session.py", line 443, in _send_request
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed     raise exceptions.SSLError(msg)
  2019-02-06 13:05:46 DEBUG identity-service-relation-changed keystoneauth1.exceptions.connection.SSLError: SSL exception connecting to https://100.86.0.2:35357/v2.0/certificates/ca: hostname '100.86.0.2' doesn't match '100.86.0.2'
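
Why the error text can say that '100.86.0.2' doesn't match '100.86.0.2': the following is an added example, not code from urllib3, keystoneauth or the charm. It models a SAN matcher that, as an assumption made here, skips IP-address comparison when the ipaddress module cannot be imported; `match_hostname`, `verify` and `CERT` are names made up for this sketch.

```python
import ipaddress as _ipaddress

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert():
# a self-signed certificate whose only SAN is an IP address.
CERT = {"subjectAltName": (("IP Address", "100.86.0.2"),)}


class CertificateError(ValueError):
    pass


def match_hostname(cert, hostname, ipaddress=_ipaddress):
    """Simplified SAN matcher (exact names only, no wildcards).

    Pass ipaddress=None to model a host without python-ipaddress (assumption).
    """
    host_ip = None
    if ipaddress is not None:
        try:
            host_ip = ipaddress.ip_address(hostname)
        except ValueError:
            pass  # not an IP literal: match against DNS entries instead
    seen = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            if host_ip is None and value.lower() == hostname.lower():
                return
            seen.append(value)
        elif kind == "IP Address":
            # Without the module host_ip stays None, so this never matches.
            if host_ip is not None and ipaddress.ip_address(value) == host_ip:
                return
            seen.append(value)
    if not seen:
        raise CertificateError("no appropriate subjectAltName fields were found")
    raise CertificateError(
        "hostname %r doesn't match %s" % (hostname, ", ".join(map(repr, seen))))


def verify(cert, hostname, ipaddress=_ipaddress):
    """Return None on a match, otherwise the verification error text."""
    try:
        match_hostname(cert, hostname, ipaddress)
    except CertificateError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("with ipaddress:   ", verify(CERT, "100.86.0.2"))
    print("without ipaddress:", verify(CERT, "100.86.0.2", ipaddress=None))
```
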
