SNI ssl support in docker

Bug #1695770 reported by Senthilnathan Murugappan
This bug affects 1 person
Affects            Status                   Importance  Assigned to                    Milestone
Juniper Openstack  Status tracked in Trunk
  R4.0             Fix Committed            Undecided   Ignatious Johnson Christopher
  Trunk            Fix Committed            Undecided   Ignatious Johnson Christopher

Bug Description

SNI check with the current version of urllib3 fails to match the IP address.

Error message:
SSLError: SSL exception connecting to https://10.84.21.1:35357: hostname '10.84.21.1' doesn't match either of 'b1s1', 'b1s1.contrail.juniper.net'

Cert Info:
root@b1s1:/opt/contrail/server_manager/ansible/playbooks/image1/playbooks# openssl x509 -text -noout -in /etc/contrailctl/ssl/server.pem | grep "CN\|DNS"
       Issuer: CN=b1s1.contrail.juniper.net
       Subject: CN=b1s1
               DNS:b1s1, DNS:b1s1.contrail.juniper.net, IP Address:10.84.21.1

Curl will work but requests/urllib3 based http requests would fail with the above SSLError.

Workaround:
pip install urllib3
pip install backports.ssl-match-hostname
Update /usr/local/lib/python2.7/dist-packages/easy-install.pth inside the docker by adding /usr/local/lib/python2.7/dist-packages before /usr/lib/python2.7/dist-packages
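
Added example (not part of the original report, and not code from urllib3 or backports.ssl-match-hostname): a simplified Python 3 sketch of two hostname matchers run over a constructed certificate dict that mirrors the SAN entries above. It shows how a matcher that reads only DNS SAN entries rejects the IP literal, which is consistent with the error listing only the two DNS names, while a matcher that also reads IP Address entries accepts it. The function names are hypothetical; wildcard and CN-fallback handling are omitted.

```python
import ipaddress

# Constructed peer-cert dict in the shape ssl.SSLSocket.getpeercert() returns,
# mirroring the SAN entries shown in the report's openssl output.
CERT = {
    "subject": ((("commonName", "b1s1"),),),
    "subjectAltName": (
        ("DNS", "b1s1"),
        ("DNS", "b1s1.contrail.juniper.net"),
        ("IP Address", "10.84.21.1"),
    ),
}


def _as_ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def match_dns_only(cert, host):
    """Legacy-style check (hypothetical name): only DNS SAN entries count."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if host.lower() in (n.lower() for n in names):
        return True, names
    return False, names


def match_ip_aware(cert, host):
    """IP literals are compared to IP Address SANs, names to DNS SANs."""
    host_ip = _as_ip(host)
    if host_ip is None:
        return match_dns_only(cert, host)
    ips = [v for k, v in cert.get("subjectAltName", ()) if k == "IP Address"]
    # Compare parsed addresses, not strings, so equivalent spellings match.
    return any(_as_ip(v) == host_ip for v in ips), ips


if __name__ == "__main__":
    for fn in (match_dns_only, match_ip_aware):
        ok, tried = fn(CERT, "10.84.21.1")
        print("%s: match=%s, compared against %s" % (fn.__name__, ok, tried))
```
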

tags: added: packaging releasenote
Jeba Paulaiyan (jebap) wrote :

Release-notes:

SSL communication to API-server provisioned using R4.0.0.0 Server-Manager will not work.

information type: Proprietary → Public
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/33337
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : [Review update] R4.0

Review in progress for https://review.opencontrail.org/33338
Submitter: Ignatious Johnson Christopher (<email address hidden>)

OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/33337
Committed: http://github.com/Juniper/contrail-ansible-internal/commit/27b09ecc6007351c4c145f06acfd4e1ecf3a1a81
Submitter: Zuul (<email address hidden>)
Branch: master

commit 27b09ecc6007351c4c145f06acfd4e1ecf3a1a81
Author: Ignatious Johnson Christopher <email address hidden>
Date: Thu Jun 29 23:44:50 2017 -0700

Adding missing dependencies for SNI ssl support in controller container.

Change-Id: Ic00241daf00e378897876ad4bffe1459ccd9ef80
Closes-Bug: 1695770

OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/33338
Committed: http://github.com/Juniper/contrail-ansible-internal/commit/287fb9b462c88d1831a1f86219278694b3d95a3d
Submitter: Zuul (<email address hidden>)
Branch: R4.0

commit 287fb9b462c88d1831a1f86219278694b3d95a3d
Author: Ignatious Johnson Christopher <email address hidden>
Date: Thu Jun 29 23:44:50 2017 -0700

Adding missing dependencies for SNI ssl support in controller container.

Change-Id: Ic00241daf00e378897876ad4bffe1459ccd9ef80
Closes-Bug: 1695770
