Public bug reported:

Gunicorn 20.1.0 uses the ssl.wrap_socket function, which was removed in
python 3.11. Because noble ships python3.12 this means that enabling SSL
causes an AttributeError on every connection, which gunicorn catches and
returns a 500 code.

The issue can be reproduced with a simple flask app.

This issue causes the octavia amphora-agent to fail to start when
building amphorae from the noble packages.

Reproduction
============

# Repro

1. Spawn a noble LXD container
2. Install
    - python3-flask
    - gunicorn
3. Create a minimal flask app

```python
# bug.py

import flask
app = flask.Flask(__name__)

@app.route("/")
def hello():
    return "hello\n"
```

4. Run app with gunicorn

```bash
gunicorn -b 0.0.0.0:8080 bug:app
```

5. Test with curl

```bash
curl http://localhost:8080
```

Expected Output
---------------

```
hello
```

6. Generate a self-signed certificate

```bash
openssl req -x509 -newkey rsa:2048 -nodes \
  -keyout key.pem \
  -out cert.pem \
  -days 365 \
  -subj "/CN=localhost"
```

7. Run app with gunicorn and SSL

```bash
gunicorn -b 0.0.0.0:8080 bug:app --certfile cert.pem --keyfile key.pem
```

8. Test with curl

```bash
curl -k https://localhost:8080
```

Expected Output
---------------

```
hello
```

Actual Output
-------------

```
curl: (35) OpenSSL/3.0.13: error:0A00010B:SSL routines::wrong version number
```

In fact we're just serving a 500 error over regular HTTP. If we run

```bash
curl http://localhost:8080
```

Actual Output
-------------

```html
<html>
  <head>
    <title>Internal Server Error</title>
  </head>
  <body>
    <h1><p>Internal Server Error</p></h1>

  </body>
</html>
```

Fix
===

This issue was fixed in gunicorn 21, which updated for python 3.11
compatibility. I'm preparing an SRU cherrypicking the associated commit.
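
Worked example (added here for this report; it is not gunicorn's code and not the cherry-picked commit): a server-side ssl.SSLContext built once at start-up and used to wrap each accepted socket, which is the general shape of the python3.12-compatible approach, together with a passive probe that automates the diagnosis above by classifying the first bytes the listener sends. TLSOptions and its field names, describe_context, classify_server_bytes and probe_listener are names chosen for this example. That the affected worker writes its 500 before reading a request, so a client that sends nothing still receives it, follows from the report and is an assumption here, not something verified against the package.

```python
# Added example for this bug report: not gunicorn's own code. It shows the
# ssl.SSLContext approach that replaces the removed module-level
# ssl.wrap_socket(), plus a passive probe for the symptom in the report
# (plaintext HTTP 500 served on the TLS port). TLSOptions and its field
# names are modelled on the gunicorn flags used in the repro and are an
# assumption of this example.
import socket
import ssl
from dataclasses import dataclass
from typing import Optional


def legacy_wrap_socket_available() -> bool:
    """True where the module-level ssl.wrap_socket() still exists.

    Gunicorn 20.1.0 calls it for every accepted connection when SSL is
    enabled; where this is False that call raises AttributeError, which
    the worker turns into the 500 seen in the report.
    """
    return hasattr(ssl, "wrap_socket")


@dataclass
class TLSOptions:
    """The subset of TLS settings this example honours (assumed names)."""
    certfile: Optional[str] = None
    keyfile: Optional[str] = None
    ca_certs: Optional[str] = None
    cert_reqs: int = ssl.CERT_NONE  # CERT_OPTIONAL / CERT_REQUIRED to demand client certs
    ciphers: Optional[str] = None
    minimum_version: ssl.TLSVersion = ssl.TLSVersion.TLSv1_2


def build_server_context(opts: TLSOptions) -> ssl.SSLContext:
    """Build the server context once at start-up.

    Loading the chain here means a bad cert or key path fails at start-up
    instead of surfacing as a 500 on every connection, as in the report.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # TLS only, server side
    ctx.minimum_version = opts.minimum_version
    ctx.verify_mode = opts.cert_reqs
    if opts.ca_certs:
        ctx.load_verify_locations(cafile=opts.ca_certs)
    if opts.ciphers:
        ctx.set_ciphers(opts.ciphers)
    # A real server always needs a chain; it is optional here only so the
    # example runs without certificate files on disk.
    if opts.certfile:
        ctx.load_cert_chain(certfile=opts.certfile, keyfile=opts.keyfile)
    return ctx


def wrap_server_socket(client: socket.socket, ctx: ssl.SSLContext) -> ssl.SSLSocket:
    """Per-connection replacement for ssl.wrap_socket(client, server_side=True, ...)."""
    return ctx.wrap_socket(client, server_side=True)


def describe_context(ctx: ssl.SSLContext) -> tuple:
    """Plain-string view of the security-relevant settings, for checks and logs."""
    return (ctx.verify_mode.name, ctx.minimum_version.name, ctx.check_hostname)


def classify_server_bytes(first_bytes: bytes) -> str:
    """Classify the first bytes a server sent on a port the client expected to speak TLS.

    A TLS record begins with content type 0x16 (handshake) and major version 0x03.
    An ASCII 'HTTP/' prefix means the server answered in plaintext, which is what
    makes curl report 'wrong version number'.
    """
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls-handshake"
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def probe_listener(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect, send nothing, and classify whatever arrives.

    A healthy TLS server stays silent until it sees a ClientHello, so a
    timeout ('unknown') is the good outcome. The affected gunicorn is
    assumed to wrap the socket before reading the request, so it writes
    the plaintext 500 as soon as the connection is accepted.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            data = s.recv(64)
        except socket.timeout:
            data = b""
    return classify_server_bytes(data)


if __name__ == "__main__":
    print("ssl.wrap_socket present:", legacy_wrap_socket_available())
    print("context:", describe_context(build_server_context(TLSOptions())))
    # Against step 7 of the repro this prints 'plaintext-http' on an affected
    # gunicorn and 'unknown' once the fix is in place.
    try:
        print("port 8080:", probe_listener("127.0.0.1", 8080))
    except OSError as exc:
        print("port 8080: no listener", exc)
```

The context is constructed once because the per-connection call is exactly what broke: a failure in cert loading or cipher selection then stops the master at start-up with a traceback, rather than being swallowed per request and reported to clients as a 500 over plaintext.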

** Affects: gunicorn (Ubuntu)
     Importance: Undecided
     Assignee: Zachary Raines (raineszm)
         Status: In Progress

** Affects: octavia (Ubuntu)
     Importance: Undecided
     Assignee: Zachary Raines (raineszm)
         Status: In Progress

** Affects: gunicorn (Ubuntu Noble)
     Importance: Undecided
     Assignee: Zachary Raines (raineszm)
         Status: In Progress

** Affects: octavia (Ubuntu Noble)
     Importance: Undecided
     Assignee: Zachary Raines (raineszm)
         Status: In Progress

** Also affects: octavia (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: gunicorn (Ubuntu Noble)
   Importance: Undecided
       Status: New

** Also affects: octavia (Ubuntu Noble)
   Importance: Undecided
       Status: New

** Description changed:

  Gunicorn 20.1.0 uses the ssl.wrap_socket function, which was removed in
  python 3.11. Because noble ships python3.12 this means that enabling SSL
  causes an AttributeError on every connection, which gunicorn catches and
  returns a 500 code.
  
  The issue can be reproduced with a simple flask app.
+ 
+ This issue causes the octavia amphora-agent to fail to start when
+ building amphorae from the noble packages.
  
  Reproduction
  ============
  
  # Repro
  
  1. Spawn a noble LXD container
  2. Install
-     - python3-flask
-     - gunicorn
+     - python3-flask
+     - gunicorn
  3. Create a minimal flask app
  
  ```python
  # bug.py
  
  import flask
  app = flask.Flask(__name__)
  
  @app.route("/")
  def hello():
-     return "hello\n"
+     return "hello\n"
  ```
  
  4. Run app with gunicorn
  
  ```bash
  gunicorn -b 0.0.0.0:8080 bug:app --certfile ~/server.pem
  ```
  
  5. Test with curl
  
  ```bash
  curl http://localhost:8080
  ```
  
  Expected Output
  ---------------
  
  hello
  ---------------
  
  6. Generate a self-signed certificate
  
  ```bash
  openssl req -x509 -newkey rsa:2048 -nodes \
-   -keyout key.pem \
-   -out cert.pem \
-   -days 365 \
-   -subj "/CN=localhost"
+   -keyout key.pem \
+   -out cert.pem \
+   -days 365 \
+   -subj "/CN=localhost"
  ```
  
  7. Run app with gunicorn and SSL
  
  ```bash
  gunicorn -b 0.0.0.0:8080 bug:app --certfile ~/server.pem --keyfile ~/key.pem
  ```
  
  8. Test with curl
  
  ```bash
  curl -k https://localhost:8080
  ```
  
  Expected Output
  ---------------
  
  hello
  ---------------
  
  Actual Output
  -------------
  
  curl: (35) OpenSSL/3.0.13: error:0A00010B:SSL routines::wrong version number
  -------------
  
  In fact we're just serving a 500 error over regular http
  If we
  
  ```bash
  curl http://localhost:8080
  ```
  
  Actual Output
  -------------
  
  ```html
  <html>
-   <head>
-     <title>Internal Server Error</title>
-   </head>
-   <body>
-     <h1><p>Internal Server Error</p></h1>
+   <head>
+     <title>Internal Server Error</title>
+   </head>
+   <body>
+     <h1><p>Internal Server Error</p></h1>
  
-   </body>
+   </body>
  </html>
  ```
  -------------
  
  Fix
  ===
  
  This issue was fixed in gunicorn 21, which updated for python 3.11
  compatibility. I'm preparing an SRU cherrypicking the associated commit.

** Changed in: gunicorn (Ubuntu Noble)
     Assignee: (unassigned) => Zachary Raines (raineszm)

** Changed in: octavia (Ubuntu Noble)
     Assignee: (unassigned) => Zachary Raines (raineszm)

** Changed in: octavia (Ubuntu)
     Assignee: (unassigned) => Zachary Raines (raineszm)

** Changed in: gunicorn (Ubuntu)
       Status: New => In Progress

** Changed in: gunicorn (Ubuntu Noble)
       Status: New => In Progress

** Changed in: octavia (Ubuntu)
       Status: New => In Progress

** Changed in: octavia (Ubuntu Noble)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2147117

Title:
  Workers return 500 when SSL is enabled

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gunicorn/+bug/2147117/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
