sts-sponsors team mailing list archive
Message #02445
Re: [Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
Did you also remove the 0002 from the d/p/ at the top of the changelog?
+ * d/p/0002-lp1906720-Make-disable_ssl_certificate_validation-work-
wit.patch
On Tue, Jan 19, 2021 at 3:31 PM Dan Streetman <1906720@xxxxxxxxxxxxxxxxxx>
wrote:
> uploaded to bionic, thanks @hypothetical-lemon
>
> --
> You received this bug notification because you are a bug assignee.
> https://bugs.launchpad.net/bugs/1906720
>
> Title:
> Fix the disable_ssl_certificate_validation option
>
> Status in python-httplib2 package in Ubuntu:
> Fix Released
> Status in python-httplib2 source package in Bionic:
> In Progress
> Status in python-httplib2 source package in Focal:
> Fix Released
> Status in python-httplib2 source package in Groovy:
> Fix Released
> Status in python-httplib2 source package in Hirsute:
> Fix Released
>
> Bug description:
> [Environment]
>
> Bionic
> python3-httplib2 | 0.9.2+dfsg-1ubuntu0.2
>
> [Description]
>
> maas cli fails to work with apis over https with self-signed
> certificates due to the lack
> of disable_ssl_certificate_validation option with python 3.5.
>
> [Distribution/Release, Package versions, Platform]
> cat /etc/lsb-release; dpkg -l | grep maas
> DISTRIB_ID=Ubuntu
> DISTRIB_RELEASE=18.04
> DISTRIB_CODENAME=bionic
> DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS"
> ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a physical cloud and IPAM
> ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and command-line interface
> ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common files
> ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server
> ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy
> ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack Controller for MAAS
> ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region controller API service for MAAS
> ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region Controller for MAAS
> ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server Django web framework (Python 3)
> ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS python API client (Python 3)
> ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server provisioning libraries (Python 3)
>
> [Steps to Reproduce]
>
> - prepare a maas server(installed by packages for me and the customer).
> it doesn't have to be HA to reproduce
> - prepare a set of certificate, key and ca-bundle
> - place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart nginx`
> - add the ca certificates to the host
> sudo mkdir /usr/share/ca-certificates/extra
> sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/
> dpkg-reconfigure ca-certificates
> - login with a new profile over https url
> - when not added the ca-bundle to the trusted ca cert store, it fails to
> login and '--insecure' flag also doesn't work[3]
>
> [Known Workarounds]
> None
>
> [Test]
> # Note even though this change only affects Python3
> # I tested it with Python2 with no issues and was able to connect.
> Also please make note of the 2 packages. One is for Python2 the other
> Python3
>
> Python2 ===> python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
> Python3 ===> python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
>
> helpful urls:
> https://maas.io/docs/deb/2.8/cli/installation
> https://maas.io/docs/deb/2.8/cli/configuration-journey
> https://maas.io/docs/deb/2.8/ui/configuration-journey
>
> # create bionic VM/lxc container
> lxc launch ubuntu:bionic lp1820083
>
> # get source code from repo
> pull-lp-source python-httplib2 bionic
>
> # install maas-cli
> apt-get install maas-cli
>
> # install maas server
> apt-get install maas
>
> # init maas
> sudo maas init
>
> # answer questions
>
> # generate self signed cert and key
> openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key
>
> # add certs
> sudo cp -v test.crt /usr/share/ca-certificates/extra/
>
> # add new cert to list
> sudo dpkg-reconfigure ca-certificates
>
> # select yes with spacebar
> # save
>
> # create api key files
> touch api_key
> touch api-key-file
>
> # remove any packages with this
> # or this python3-httplib2
> apt-cache search python-httplib2
> apt-get remove python-httplib2
> apt-get remove python3-httplib2
>
> # create 2 admin users
> sudo maas createadmin testadmin
> sudo maas createadmin secureadmin
>
> # generate maas api keys
> sudo maas apikey --username=testadmin > api_key
> sudo maas apikey --username=secureadmin > api-key-file
>
> # make sure you can login to maas-cli without TLS
> # by running this script
> # this is for the non-tls user
> # this goes into a script called maas-login.sh
> touch maas-login.sh
> sudo chmod +rwx maas-login.sh
> ----
> #!/bin/sh
> PROFILE=testadmin
> API_KEY_FILE=/home/ubuntu/api_key
> API_SERVER=127.0.0.1:5240
>
> MAAS_URL=http://$API_SERVER/MAAS
>
> maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
> ----
> sudo chmod +rwx https-maas.sh
> # another script called https-maas.sh
> # for the tls user
> ----
> #!/bin/sh
> PROFILE=secureadmin
> API_KEY_FILE=/home/ubuntu/api-key-file
> API_SERVER=127.0.0.1
>
> MAAS_URL=https://$API_SERVER/MAAS
>
> maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE
> ----
>
> # try to login
> ./maas-login.sh
>
> cd /etc/nginx/sites-enabled
> sudo touch maas-https-default
> #example nginx config for maas https
> server {
> listen 443 ssl http2;
>
> server_name _;
> ssl_certificate /home/ubuntu/localhost.crt;
> ssl_certificate_key /home/ubuntu/localhost.key;
>
> location / {
> proxy_pass http://localhost:5240;
> include /etc/nginx/proxy_params;
> }
>
> location /MAAS/ws {
> proxy_pass http://127.0.0.1:5240/MAAS/ws;
> proxy_http_version 1.1;
> proxy_set_header Upgrade $http_upgrade;
> proxy_set_header Connection "Upgrade";
> }
> }
>
> # create link
> sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled
>
> # look at errors
> cat /var/log/maas/regiond.log
> cat regiond.log | grep "Python-http"
> *i didn't see any 404's though
>
> 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip))
> 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip))
> 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip))
>
> # install fixed package
> sudo apt install ./python3-httplib2_0.9.2+dfsg-1ubuntu0.2.1_all.deb
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions
>
--
Heather Lemon
Associate Software Engineer (STS Engineering)
P: +1-719-415-8858
MM: hlemon | hypothetical-lemon
www.canonical.com | www.ubuntu.com
--
You received this bug notification because you are a member of STS
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1906720
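
The bug above is about an "insecure" switch versus adding the self-signed certificate to the trust store. The following is an added example, not part of the original message and not the httplib2 patch (which this page does not show): it uses only Python 3's standard `ssl` module to show what each choice does to a client context, and includes a small audit helper. All function names and the `cafile` path are assumptions made for illustration.

```python
import ssl

def insecure_context():
    """Equivalent of an --insecure switch: no chain and no hostname checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def wrong_order_error():
    """Error text when CERT_NONE is set while hostname checking is still on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # check_hostname defaults to True
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError as exc:
        return str(exc)
    return None

def trusting_context(cafile=None):
    """Keep validation on. cafile is a hypothetical path (for example the
    self-signed localhost.crt); when given it is the only trust anchor,
    otherwise the system store is used."""
    return ssl.create_default_context(cafile=cafile)

def audit(ctx):
    """List the ways a client context fails to authenticate the server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    return findings

if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()),
                      ("trusting", trusting_context())):
        print(name, audit(ctx) or "authenticates the peer")
    print("wrong order:", wrong_order_error())
```

Running `audit()` over the contexts a client builds is a cheap regression check that a test-only insecure setting has not leaked into a production code path.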