sts-sponsors team mailing list archive
Message #02494
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
maas cli https via maas-cli
** Attachment added: "Screenshot from 2021-01-24 16-36-07.png"
https://bugs.launchpad.net/ubuntu/bionic/+source/python-httplib2/+bug/1906720/+attachment/5456435/+files/Screenshot%20from%202021-01-24%2016-36-07.png
--
You received this bug notification because you are a member of STS
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1906720
Title:
Fix the disable_ssl_certificate_validation option
Status in python-httplib2 package in Ubuntu:
Fix Released
Status in python-httplib2 source package in Bionic:
In Progress
Status in python-httplib2 source package in Focal:
Fix Released
Status in python-httplib2 source package in Groovy:
Fix Released
Status in python-httplib2 source package in Hirsute:
Fix Released
Bug description:
[Impact]
* On Bionic, MAAS CLI fails to work with apis over https with self-signed
certificates due to broken disable_ssl_certificate_validation option
with python 3.5 and later.
[Steps to Reproduce]
1. prepare a maas server (it doesn't have to be HA to reproduce)
2. prepare a set of certificate, key and ca-bundle
3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl restart nginx`
4. add the ca certificates to the host
   sudo mkdir /usr/share/ca-certificates/extra
   sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/
   dpkg-reconfigure ca-certificates
5. login with a new profile over https url
6. if the certificate is not trusted by the root store, it fails to login
7. adding the '--insecure' flag should disable the certificate check
[Where problems could occur]
* Potential issues could happen if we disable certificate validation for
all TLS interactions, any connection https related.
* Should not break existing python3 versions.
* Should not affect previously working python2 versions.
[Other Info]
This change should fix the issue with python3, and you should be able
to connect with python2 as before.
python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
helpful urls:
https://maas.io/docs/deb/2.8/cli/installation
https://maas.io/docs/deb/2.8/cli/configuration-journey
https://maas.io/docs/deb/2.8/ui/configuration-journey
# create bionic VM/lxc container
lxc launch ubuntu:bionic lp1906720
# get source code from repo
pull-lp-source python-httplib2 bionic
# install maas-cli
apt-get install maas-cli
# install maas server
apt-get install maas
# init maas
sudo maas init
# answer questions
# generate self signed cert and key
openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key
# add certs
sudo cp -v localhost.crt /usr/share/ca-certificates/extra/
# add new cert to list
sudo dpkg-reconfigure ca-certificates
# select yes with spacebar
# save
# create api key files
touch api_key
touch api-key-file
# remove any packages with this
# or this python3-httplib2
apt-cache search python-httplib2
apt-get remove python-httplib2
apt-get remove python3-httplib2
# create 2 admin users
sudo maas createadmin testadmin
sudo maas createadmin secureadmin
# generate maas api keys
sudo maas apikey --username=testadmin > api_key
sudo maas apikey --username=secureadmin > api-key-file
# make sure you can login to maas-cli without TLS
# by running this script
# this is for the non-tls user
# this goes into a script called maas-login.sh
touch maas-login.sh
sudo chmod +rwx maas-login.sh
----
#!/bin/sh
PROFILE=testadmin
API_KEY_FILE=/home/ubuntu/api_key
API_SERVER=127.0.0.1:5240
MAAS_URL=http://$API_SERVER/MAAS
maas login "$PROFILE" "$MAAS_URL" - < "$API_KEY_FILE"
----
# another script called https-maas.sh
# for the tls user
touch https-maas.sh
sudo chmod +rwx https-maas.sh
----
#!/bin/sh
PROFILE=secureadmin
API_KEY_FILE=/home/ubuntu/api-key-file
API_SERVER=127.0.0.1
MAAS_URL=https://$API_SERVER/MAAS
maas login --insecure "$PROFILE" "$MAAS_URL" - < "$API_KEY_FILE"
----
# try to login
./maas-login.sh
cd /etc/nginx/sites-enabled
sudo touch maas-https-default
# example nginx config for maas https
server {
    listen 443 ssl http2;
    server_name _;
    ssl_certificate /home/ubuntu/localhost.crt;
    ssl_certificate_key /home/ubuntu/localhost.key;
    location / {
        proxy_pass http://localhost:5240;
        include /etc/nginx/proxy_params;
    }
    location /MAAS/ws {
        proxy_pass http://127.0.0.1:5240/MAAS/ws;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}
# create link
sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled
# look at errors
cat /var/log/maas/regiond.log
cat regiond.log | grep "Python-http"
* I didn't see any 404s though
2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip))
2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip))
2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip))
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions
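
Added example (not part of the bug report and not httplib2's code): using only Python's standard `ssl` module, it shows what a client-side switch such as `--insecure` has to do to a TLS context on Python 3, next to the narrower option of trusting just the self-signed certificate from the steps above. The function names and the `cafile` parameter value are illustrative assumptions.

```python
import ssl


def make_tls_context(insecure=False, cafile=None):
    """Build the client-side TLS context for an HTTPS API endpoint.

    insecure=True is what a switch like --insecure asks for.
    cafile (assumed path to a PEM file) trusts only that bundle instead.
    """
    # With cafile set, only that bundle is loaded; otherwise system CAs.
    ctx = ssl.create_default_context(cafile=cafile)
    if insecure:
        # Order matters on Python 3: hostname checking has to be switched
        # off first, or assigning CERT_NONE raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def cert_none_with_hostname_check_raises():
    """Show the ordering pitfall: CERT_NONE while check_hostname is on."""
    ctx = ssl.create_default_context()
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False


def audit_context(ctx):
    """List the validation steps a context skips (empty list = strict)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("server name is not matched against the certificate")
    return findings


if __name__ == "__main__":
    print("default :", audit_context(make_tls_context()))
    print("insecure:", audit_context(make_tls_context(insecure=True)))
    print("wrong order raises:", cert_none_with_hostname_check_raises())
```

Passing `cafile="localhost.crt"` keeps chain verification on for the self-signed certificate, but the hostname check still fails when the client connects by an address the certificate does not name.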