
yahoo-eng-team team mailing list archive

[Bug 1774654] Re: ssl_setup fails due to extra character in days value

 

Marking this as Won't Fix since the affected releases are EOL'd. I
appreciate you documenting the behavior though!

As noted, would the workaround be to upgrade openssl to a version that
works with that argument?

** Changed in: keystone
       Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1774654

Title:
  ssl_setup fails due to extra character in days value

Status in OpenStack Identity (keystone):
  Won't Fix

Bug description:
  When running keystone-manage ssl_setup, the openssl command generated
  has an extra "d" character after the days value that causes the openssl
  command to fail with an error.

  ex: keystone-manage ssl_setup --keystone-user keystone --keystone-group keystone --rebuild
  2018-06-01 10:17:52.833 69002 WARNING keystone.cmd.cli [-] keystone-manage ssl_setup is not recommended for production use.
  2018-06-01 10:17:52.841 69002 INFO keystone.common.openssl [-] Running command - openssl genrsa -out /etc/keystone/ssl/private/cakey.pem 2048
  2018-06-01 10:17:53.020 69002 INFO keystone.common.openssl [-] Running command - openssl req -new -x509 -extensions v3_ca -key /etc/keystone/ssl/private/cakey.pem -out /etc/keystone/ssl/certs/ca.pem -days 3650 -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Virginia/L=Ashburn/O=KeeperTech/CN=www.keepertech.com
  2018-06-01 10:17:53.029 69002 INFO keystone.common.openssl [-] Running command - openssl genrsa -out /etc/keystone/ssl/private/keystonekey.pem 2048
  2018-06-01 10:17:53.132 69002 INFO keystone.common.openssl [-] Running command - openssl req -key /etc/keystone/ssl/private/keystonekey.pem -new -out /etc/keystone/ssl/certs/req.pem -config /etc/keystone/ssl/certs/openssl.conf -subj /C=US/ST=Virginia/L=Ashburn/O=KeeperTech/CN=www.keepertech.com
  2018-06-01 10:17:53.141 69002 INFO keystone.common.openssl [-] Running command - openssl ca -batch -out /etc/keystone/ssl/certs/keystone.pem -config /etc/keystone/ssl/certs/openssl.conf -days 3650d -cert /etc/keystone/ssl/certs/ca.pem -keyfile /etc/keystone/ssl/private/cakey.pem -infiles /etc/keystone/ssl/certs/req.pem
  2018-06-01 10:17:53.146 69002 ERROR keystone.common.openssl [-] Command ['openssl', 'ca', '-batch', '-out', '/etc/keystone/ssl/certs/keystone.pem', '-config', '/etc/keystone/ssl/certs/openssl.conf', '-days', '3650d', '-cert', '/etc/keystone/ssl/certs/ca.pem', '-keyfile', '/etc/keystone/ssl/private/cakey.pem', '-infiles', '/etc/keystone/ssl/certs/req.pem'] exited with 1 - ca: Can't parse "3650d" as a number
  ca: Non-positive number "3650d" for -days
  ca: Use -help for summary.

  2018-06-01 10:17:53.148 69002 CRITICAL keystone [-] CalledProcessError: Command '['openssl', 'ca', '-batch', '-out', '/etc/keystone/ssl/certs/keystone.pem', '-config', '/etc/keystone/ssl/certs/openssl.conf', '-days', '3650d', '-cert', '/etc/keystone/ssl/certs/ca.pem', '-keyfile', '/etc/keystone/ssl/private/cakey.pem', '-infiles', '/etc/keystone/ssl/certs/req.pem']' returned non-zero exit status 1
  2018-06-01 10:17:53.148 69002 ERROR keystone Traceback (most recent call last):
  2018-06-01 10:17:53.148 69002 ERROR keystone   File "/usr/bin/keystone-manage", line 10, in <module>
  2018-06-01 10:17:53.148 69002 ERROR keystone     sys.exit(main())
  2018-06-01 10:17:53.148 69002 ERROR keystone   File "/usr/lib/python2.7/dist-packages/keystone/cmd/manage.py", line 47, in main
  2018-06-01 10:17:53.148 69002 ERROR keystone     cli.main(argv=sys.argv, config_files=config_files)
  2018-06-01 10:17:53.148 69002 ERROR keystone   File "/usr/lib/python2.7/dist-packages/keystone/cmd/cli.py", line 1095, in main
  2018-06-01 10:17:53.148 69002 ERROR keystone     CONF.command.cmd_class.main()
  2018-06-01 10:17:53.148 69002 ERROR keystone   File "/usr/lib/python2.7/dist-packages/keystone/cmd/cli.py", line 514, in main
  2018-06-01 10:17:53.148 69002 ERROR keystone     conf_ssl.run()
  2018-06-01 10:17:53.148 69002 ERROR keystone   File "/usr/lib/python2.7/dist-packages/keystone/common/openssl.py", line 239, in run
  2018-06-01 10:17:53.148 69002 ERROR keystone     self.build_signing_cert()
  2018-06-01 10:17:53.148 69002 ERROR keystone   File "/usr/lib/python2.7/dist-packages/keystone/common/openssl.py", line 221, in build_signing_cert
  2018-06-01 10:17:53.148 69002 ERROR keystone     '-infiles', '%(request_file)s'])
  2018-06-01 10:17:53.148 69002 ERROR keystone   File "/usr/lib/python2.7/dist-packages/keystone/common/openssl.py", line 95, in exec_command
  2018-06-01 10:17:53.148 69002 ERROR keystone     raise e
  2018-06-01 10:17:53.148 69002 ERROR keystone CalledProcessError: Command '['openssl', 'ca', '-batch', '-out', '/etc/keystone/ssl/certs/keystone.pem', '-config', '/etc/keystone/ssl/certs/openssl.conf', '-days', '3650d', '-cert', '/etc/keystone/ssl/certs/ca.pem', '-keyfile', '/etc/keystone/ssl/private/cakey.pem', '-infiles', '/etc/keystone/ssl/certs/req.pem']' returned non-zero exit status 1
  2018-06-01 10:17:53.148 69002 ERROR keystone 

  
  The offending code is in keystone/command/openssl.py in the build_signing_cert function; it adds an extra "d" to the valid_days format:

        '-days', '%(valid_days)dd',

  
  I realize that openssl is deprecated, but perhaps this fix could be made available for distros that still use the 9.3 versions in their stable releases (Ubuntu 16.04, for example).

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1774654/+subscriptions
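
The stray "d" described in the report can be reproduced with plain %-formatting, and a check on the expanded argument list catches it before openssl is ever started. This is an added example, not code from keystone or from this thread: expand, check_days and the trimmed template lists are hypothetical, and it assumes each argument is interpolated with "%" against a dict.

```python
# Added illustration; not keystone's code. All names here are hypothetical.

# Trimmed argv templates modeled on the two fragments quoted in the report.
BUGGY_TEMPLATE = ['openssl', 'ca', '-batch', '-days', '%(valid_days)dd',
                  '-infiles', '%(request_file)s']
FIXED_TEMPLATE = ['openssl', 'ca', '-batch', '-days', '%(valid_days)d',
                  '-infiles', '%(request_file)s']

# Constructed sample values, matching those visible in the logged command.
PARAMS = {'valid_days': 3650,
          'request_file': '/etc/keystone/ssl/certs/req.pem'}


def expand(template, params):
    """Interpolate every argv element with %-formatting (assumed mechanism).

    '%(valid_days)dd' is the conversion '%(valid_days)d' followed by a
    literal 'd', which is where the trailing character comes from.
    """
    return [arg % params for arg in template]


def check_days(argv):
    """Return the -days value as an int, or raise ValueError.

    Meant to run before the subprocess call, so a malformed lifetime is
    reported by the caller instead of surfacing as a CalledProcessError.
    """
    try:
        value = argv[argv.index('-days') + 1]
    except (ValueError, IndexError):
        raise ValueError('-days option or its value is missing')
    if not (value.isascii() and value.isdigit()) or int(value) <= 0:
        raise ValueError('-days value %r is not a positive integer' % value)
    return int(value)


if __name__ == '__main__':
    for name, template in (('buggy', BUGGY_TEMPLATE),
                           ('fixed', FIXED_TEMPLATE)):
        argv = expand(template, PARAMS)
        try:
            print(name, 'ok, days =', check_days(argv))
        except ValueError as exc:
            print(name, 'rejected:', exc)
```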

