juju debug-log is broken

Bug #1388688 reported by Ian Booth
This bug affects 1 person
Affects: juju-core
Status: Fix Released
Importance: Critical
Assigned to: Wayne Witzel III

Bug Description

A recent commit 7fc118f015d8480dfad7831788e4b8c0432205e8 made this change in rsyslog/worker.go:

 return &tls.Config{
  RootCAs: cert,
+ ServerName: "juju-rsyslog",
 }, nil
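
Review bot: the added ServerName: "juju-rsyslog" line makes the client verify every rsyslog server certificate against that fixed name, and nothing in this hunk ensures the server's certificate lists it. With RootCAs set and ServerName pinned, a certificate issued only for the machine's own hostname fails verification even though it chains to the right CA. Suggest landing this only together with the server-side change that puts juju-rsyslog into the certificate's names, and adding a test that connects to a server whose certificate lacks that name.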

Trouble is, it breaks rsyslog on worker nodes, and hence debug-log is broken, because rsyslog cannot connect back to the state server,
e.g. on an EC2 deployment:

2014-11-03 02:56:34 ERROR juju.worker runner.go:219 exited "rsyslog": x509: certificate is valid for ip-10-46-174-79.ec2.internal, not juju-rsyslog

Removing the ServerName fixed everything up again. But the change says that:

// composeTLS generates a new client certificate for connecting to the rsyslog server.
// We explicitly set the ServerName field, this ensures that even if we are connecting
// via an IP address and are using an old certificate (pre 1.20.9), we can still
// successfully connect.

So it seems by removing the ServerName, rsyslog to old state servers will break? Either way, it's broken and needs to be fixed.
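
The hostname check behind the error above, as an added Go example (not juju's code and not part of the original report): it verifies a server certificate the way a client with RootCAs and ServerName set does. The helper names `newCert` and `verifyAs`, the CA, and all keys are constructed for illustration; only the EC2 hostname comes from the log line.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert signs tmpl with parentKey; a nil parent yields a self-signed cert.
func newCert(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyAs applies the check crypto/tls makes for tls.Config{RootCAs, ServerName}
// to a constructed sample server certificate whose DNS SANs are sans.
func verifyAs(serverName string, sans ...string) error {
	ca, caKey := newCert(&x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "sample CA"}, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	srv, _ := newCert(&x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: sans,
		Subject: pkix.Name{CommonName: "sample server"}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := srv.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName})
	return err
}

func main() {
	fmt.Println(verifyAs("juju-rsyslog", "ip-10-46-174-79.ec2.internal"))                 // rejected: name not in cert
	fmt.Println(verifyAs("juju-rsyslog", "ip-10-46-174-79.ec2.internal", "juju-rsyslog")) // accepted
}
```

The certificate chains to the trusted CA in both calls; only the list of names in the certificate decides the outcome.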

Wayne Witzel III (wwitzel3) wrote:

Looking into this now. I think it is just a matter of explicitly generating the server cert with an explicit wildcard cert.

Changed in juju-core:
assignee: nobody → Wayne Witzel III (wwitzel3)
Ian Booth (wallyworld)
Changed in juju-core:
status: Triaged → Fix Committed
Curtis Hovey (sinzui)
Changed in juju-core:
status: Fix Committed → Fix Released