** Description changed:
- Gunicorn 20.1.0 uses the ssl.wrap_socket function, which was removed in
- python 3.11. Because noble ships python3.12 this means that enabling SSL
- causes an AttributeError on every connection, which gunicorn catches and
- returns a 500 code.
+ [ Impact ]
- The issue can be reproduced with a simple flask app.
+ * Gunicorn 20.1.0 uses the ssl.wrap_socket function, which was removed
+ in python 3.11. Because noble ships python3.12 this means that enabling
+ SSL causes an AttributeError on every connection, which gunicorn catches
+ and returns a 500 code.
- This issue causes the octavia amphora-agent to fail to start when
- building amphorae from the noble packages.
+ * This issue causes the octavia amphora-agent to fail to start when building
amphorae from the noble packages.
+ - As a consequence it's currently not possible to build an octavia
amphorae from noble packages.
- Reproduction
- ============
-
- # Repro
+ [ Test Plan ]
1. Spawn a noble LXD container
+
2. Install
- - python3-flask
- - gunicorn
+ - python3-flask
+ - gunicorn
+
3. Create a minimal flask app
- ```python
- # bug.py
+ bug.py
+ ---------
import flask
app = flask.Flask(__name__)
@app.route("/")
def hello():
- return "hello\n"
- ```
+ return "hello\n"
+ -----------
4. Run app with gunicorn
- ```bash
- gunicorn -b 0.0.0.0:8080 bug:app --certfile ~/server.pem
- ```
+ gunicorn -b 0.0.0.0:8080 bug:app
5. Test with curl
- ```bash
curl http://localhost:8080
- ```
Expected Output
---------------
-
hello
---------------
6. Generate a self-signed certificate
- ```bash
openssl req -x509 -newkey rsa:2048 -nodes \
- -keyout key.pem \
- -out cert.pem \
- -days 365 \
- -subj "/CN=localhost"
- ```
+ -keyout key.pem \
+ -out cert.pem \
+ -days 365 \
+ -subj "/CN=localhost"
7. Run app with gunicorn and SSL
- ```bash
- gunicorn -b 0.0.0.0:8080 bug:app --certfile ~/server.pem --keyfile ~/key.pem
- ```
+ gunicorn -b 0.0.0.0:8080 bug:app --certfile ~/server.pem --keyfile
+ ~/key.pem
- 8. Test with curl
-
- ```bash
- curl -k https://localhost:8080
- ```
+ 8. Test with curl: `curl -k https://localhost:8080`
Expected Output
---------------
-
hello
---------------
Actual Output
-------------
-
curl: (35) OpenSSL/3.0.13: error:0A00010B:SSL routines::wrong version number
-------------
In fact we're just serving a 500 error over regular http
- If we
-
- ```bash
- curl http://localhost:8080
- ```
+ If we `curl http://localhost:8080`
Actual Output
-------------
+ <html>
+ <head>
+ <title>Internal Server Error</title>
+ </head>
+ <body>
+ <h1><p>Internal Server Error</p></h1>
- ```html
- <html>
- <head>
- <title>Internal Server Error</title>
- </head>
- <body>
- <h1><p>Internal Server Error</p></h1>
-
- </body>
+ </body>
</html>
- ```
-------------
- Fix
- ===
+ [ Where problems could occur ]
- This issue was fixed in gunicorn 21, which updated for python 3.11
- compatibility. I'm preparing an SRU cherrypicking the associated commit.
+ * This introduces a new setting which could require users to adjust
+ their settings for SSL.
+
+ * This change only touches the code paths where SSL is enabled, which
+ already doesn't work.
+
+
+ [ Other Info ]
+
+ * This issue was fixed in gunicorn 21, which updated for python 3.11
+ compatibility.
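Review bot: In the new Test Plan, step 6 writes the key and certificate to `key.pem` and `cert.pem` in the current directory, but step 7 starts gunicorn with `--certfile ~/server.pem --keyfile ~/key.pem`, so anyone following the steps literally has no `~/server.pem` and the run fails for a reason unrelated to the bug. Suggest having step 7 use the files step 6 produces (`--certfile cert.pem --keyfile key.pem`), or having step 6 write to the paths step 7 expects. Separately, "Where problems could occur" says the fix introduces a new setting without naming it; stating the setting and its default there would let SRU reviewers judge whether existing SSL configurations need adjusting.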
** Summary changed:
- Workers return 500 when SSL is enabled
+ [SRU] Workers return 500 when SSL is enabled
https://bugs.launchpad.net/bugs/2147117
Title:
[SRU] Workers return 500 when SSL is enabled