** Description changed:
- [Environment]
+ [Impact]
- Bionic
- python3-httplib2 | 0.9.2+dfsg-1ubuntu0.2
- MAAS - 2.8.2
-
- [Description]
-
- maas cli fails to work with apis over https with self-signed certificates due
to the lack
- of disable_ssl_certificate_validation option with python 3.5.
-
- [Distribution/Release, Package versions, Platform]
- cat /etc/lsb-release; dpkg -l | grep maas
- DISTRIB_ID=Ubuntu
- DISTRIB_RELEASE=18.04
- DISTRIB_CODENAME=bionic
- DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS"
- ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a
physical cloud and IPAM
- ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and
command-line interface
- ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common
files
- ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server
- ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy
- ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack
Controller for MAAS
- ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region
controller API service for MAAS
- ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region
Controller for MAAS
- ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS
server Django web framework (Python 3)
- ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS
python API client (Python 3)
- ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1
all MAAS server provisioning libraries (Python 3)
+ * On Bionic, MAAS CLI fails to work with apis over https with self-signed
+ certificates due to broken disable_ssl_certificate_validation option
+ with python 3.5 and later.
[Steps to Reproduce]
- - prepare a maas server(installed by packages for me and the customer). it
doesn't have to be HA to reproduce
- - prepare a set of certificate, key and ca-bundle
- - place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart
nginx`
- - add the ca certificates to the host
- sudo mkdir /usr/share/ca-certificates/extra
- sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/
- dpkg-reconfigure ca-certificates
- - login with a new profile over https url
- - when not added the ca-bundle to the trusted ca cert store, it fails to
login and '--insecure' flag also doesn't work[3]
+ 1. prepare a maas server (it doesn't have to be HA to reproduce)
+ 2. prepare a set of certificate, key and ca-bundle
+ 3. place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl
+ restart nginx`
+ 4. add the ca certificates to the host
+ sudo mkdir /usr/share/ca-certificates/extra
+ sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/
+ dpkg-reconfigure ca-certificates
+ 5. login with a new profile over https url
+ 6. if the certificate is not trusted by the root store, it fails to login
+ 7. adding the '--insecure' flag should disable the certificate check
- [Known Workarounds]
- None
+ [Where problems could occur]
- [Test]
- # Note even though this change only affects Python3
- # I tested it with Python2 with no issues and was able to connect.
- Also please make note of the 2 packages. One is for Python2 the other Python3
+ * Potential issues could happen if we disable certificate validation for
+ all TLS interactions, any connection https related.
- Python2 ===> python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
- Python3 ===> python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
+ * Should not break existing python3 versions.
+
+ * Should not affect previously working python2 versions.
+
+ [Other Info]
+
+ This change should fix the issue with python3, and you should be able
+ to connect with python2 as before.
+
+ python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
+ python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
helpful urls:
https://maas.io/docs/deb/2.8/cli/installation
https://maas.io/docs/deb/2.8/cli/configuration-journey
https://maas.io/docs/deb/2.8/ui/configuration-journey
# create bionic VM/lxc container
lxc launch ubuntu:bionic lp1906720
# get source code from repo
pull-lp-source python-httplib2 bionic
# install maas-cli
apt-get install maas-cli
# install maas server
apt-get install maas
# init maas
sudo maas init
# answer questions
# generate self signed cert and key
openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt
-keyout localhost.key
# add certs
sudo cp -v test.crt /usr/share/ca-certificates/extra/
# add new cert to list
sudo dpkg-reconfigure ca-certificates
# select yes with spacebar
# save
# create api key files
touch api_key
touch api-key-file
# remove any packages with this
# or this python3-httplib2
apt-cache search python-httplib2
apt-get remove python-httplib2
apt-get remove python3-httplib2
# create 2 admin users
sudo maas createadmin testadmin
sudo maas createadmin secureadmin
# generate maas api keys
sudo maas apikey --username=testadmin > api_key
sudo maas apikey --username=secureadmin > api-key-file
# make sure you can login to maas-cli without TLS
# by running this script
# this is for the non-tls user
# this goes into a script called maas-login.sh
touch maas-login.sh
sudo chmod +rwx maas-login.sh
----
#!/bin/sh
PROFILE=testadmin
API_KEY_FILE=/home/ubuntu/api_key
API_SERVER=127.0.0.1:5240
MAAS_URL=http://$API_SERVER/MAAS
maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
----
+
sudo chmod +rwx https-maas.sh
# another script called https-maas.sh
# for the tls user
----
#!/bin/sh
PROFILE=secureadmin
API_KEY_FILE=/home/ubuntu/api-key-file
API_SERVER=127.0.0.1
MAAS_URL=https://$API_SERVER/MAAS
maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE
----
-
- # TODO: add setup for ngnix config
-
# try to login
./maas-login.sh
cd /etc/nginx/sites-enabled
sudo touch maas-https-default
#example nginx config for maas https
server {
listen 443 ssl http2;
server_name _;
ssl_certificate /home/ubuntu/localhost.crt;
ssl_certificate_key /home/ubuntu/localhost.key;
location / {
proxy_pass http://localhost:5240;
include /etc/nginx/proxy_params;
}
location /MAAS/ws {
proxy_pass http://127.0.0.1:5240/MAAS/ws;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
# create link
sudo ln -s /etc/nginx/sites-available/maas-https-default
/etc/nginx/sites-enabled
# look at errors
cat /var/log/maas/regiond.log
cat regiond.log | grep "Python-http"
*i didn't see any 404's though
2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET
/MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent:
Python-httplib2/0.9.2 (gzip))
2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/
HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip))
2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/
HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip))
-
- [Where Issues Could Occur]
-
- Potential issues could happen if we disable certificate validation for all
ssl interactions, any connection https related.
- This will not break exsiting python3 versions.
- This does not affect any python2x versions.
** Changed in: python-httplib2 (Ubuntu Bionic)
Status: Incomplete => In Progress
** Description changed:
[Impact]
- * On Bionic, MAAS CLI fails to work with apis over https with self-signed
- certificates due to broken disable_ssl_certificate_validation option
- with python 3.5 and later.
+ * On Bionic, MAAS CLI fails to work with apis over https with self-signed
+ certificates due to broken disable_ssl_certificate_validation option
+ with python 3.5 and later.
[Steps to Reproduce]
- 1. prepare a maas server (it doesn't have to be HA to reproduce)
- 2. prepare a set of certificate, key and ca-bundle
- 3. place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl
- restart nginx`
- 4. add the ca certificates to the host
- sudo mkdir /usr/share/ca-certificates/extra
- sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/
- dpkg-reconfigure ca-certificates
- 5. login with a new profile over https url
- 6. if the certificate is not trusted by the root store, it fails to login
- 7. adding the '--insecure' flag should disable the certificate check
+ 1. prepare a maas server (it doesn't have to be HA to reproduce)
+ 2. prepare a set of certificate, key and ca-bundle
+ 3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl
+ restart nginx`
+ 4. add the ca certificates to the host
+ sudo mkdir /usr/share/ca-certificates/extra
+ sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/
+ dpkg-reconfigure ca-certificates
+ 5. login with a new profile over https url
+ 6. if the certificate is not trusted by the root store, it fails to login
+ 7. adding the '--insecure' flag should disable the certificate check
[Where problems could occur]
- * Potential issues could happen if we disable certificate validation for
- all TLS interactions, any connection https related.
+ * Potential issues could happen if we disable certificate validation for
+ all TLS interactions, any connection https related.
- * Should not break existing python3 versions.
+ * Should not break existing python3 versions.
- * Should not affect previously working python2 versions.
+ * Should not affect previously working python2 versions.
[Other Info]
This change should fix the issue with python3, and you should be able
to connect with python2 as before.
python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
helpful urls:
https://maas.io/docs/deb/2.8/cli/installation
https://maas.io/docs/deb/2.8/cli/configuration-journey
https://maas.io/docs/deb/2.8/ui/configuration-journey
# create bionic VM/lxc container
lxc launch ubuntu:bionic lp1906720
# get source code from repo
pull-lp-source python-httplib2 bionic
# install maas-cli
apt-get install maas-cli
# install maas server
apt-get install maas
# init maas
sudo maas init
# answer questions
# generate self signed cert and key
openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt
-keyout localhost.key
# add certs
sudo cp -v test.crt /usr/share/ca-certificates/extra/
# add new cert to list
sudo dpkg-reconfigure ca-certificates
# select yes with spacebar
# save
# create api key files
touch api_key
touch api-key-file
# remove any packages with this
# or this python3-httplib2
apt-cache search python-httplib2
apt-get remove python-httplib2
apt-get remove python3-httplib2
# create 2 admin users
sudo maas createadmin testadmin
sudo maas createadmin secureadmin
# generate maas api keys
sudo maas apikey --username=testadmin > api_key
sudo maas apikey --username=secureadmin > api-key-file
# make sure you can login to maas-cli without TLS
# by running this script
# this is for the non-tls user
# this goes into a script called maas-login.sh
touch maas-login.sh
sudo chmod +rwx maas-login.sh
----
#!/bin/sh
PROFILE=testadmin
API_KEY_FILE=/home/ubuntu/api_key
API_SERVER=127.0.0.1:5240
MAAS_URL=http://$API_SERVER/MAAS
maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
----
sudo chmod +rwx https-maas.sh
# another script called https-maas.sh
# for the tls user
----
#!/bin/sh
PROFILE=secureadmin
API_KEY_FILE=/home/ubuntu/api-key-file
API_SERVER=127.0.0.1
MAAS_URL=https://$API_SERVER/MAAS
maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE
----
# try to login
./maas-login.sh
cd /etc/nginx/sites-enabled
sudo touch maas-https-default
#example nginx config for maas https
server {
listen 443 ssl http2;
server_name _;
ssl_certificate /home/ubuntu/localhost.crt;
ssl_certificate_key /home/ubuntu/localhost.key;
location / {
proxy_pass http://localhost:5240;
include /etc/nginx/proxy_params;
}
location /MAAS/ws {
proxy_pass http://127.0.0.1:5240/MAAS/ws;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
# create link
sudo ln -s /etc/nginx/sites-available/maas-https-default
/etc/nginx/sites-enabled
# look at errors
cat /var/log/maas/regiond.log
cat regiond.log | grep "Python-http"
*i didn't see any 404's though
2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET
/MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent:
Python-httplib2/0.9.2 (gzip))
2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/
HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip))
2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/
HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip))
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1906720
Title:
Fix the disable_ssl_certificate_validation option
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
