MAAS

TLS doesn't work for inter-controller communication

Bug #1777712 reported by Patrick Desnoyers on 2018-06-19

This bug affects 4 people

Affects		Status	Importance	Assigned to	Milestone
	MAAS	Expired	Undecided	Unassigned

Bug Description

Version : MAAS 2.4

In rackd.conf, you can't use https:// because the name will be converted to https://[::::ffff:ipv4-IP]/MAAS/rpc and fail cert check.

See /usr/lib/python3/dist-packages/provisioningserver/rpc/clusterservice.py
line 1050 and following.

Resulting in :

Jun 18 17:46:15 inf-p-mas001 Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: Jun 18 17:46:15 inf-p-mas001 sh[558]: sh[558]: 2018-06-18 17:46:15 provisioningserver.rpc.clusterservice: [critical] Failed to contact region. (While requesting RPC info at b'https://[::ffff:10.10.128.1]/MAAS/rpc/').
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/provisioningserver/rpc/clusterservice.py", line 1023, in _tryUpdate
d = maybeDeferred(self._doUpdate).addErrback(
File "/usr/lib/python3/dist-packages/twisted/internet/defer.py", line 150, in maybeDeferred
result = f(*args, **kw)
File "/usr/lib/python3/dist-packages/twisted/internet/defer.py", line 1532, in unwindGenerator
return _inlineCallbacks(None, gen, Deferred())
File "/usr/lib/python3/dist-packages/twisted/internet/defer.py", line 1386, in _inlineCallbacks
result = g.send(result)
--- <exception caught here> ---
File "/usr/lib/python3/dist-packages/provisioningserver/rpc/clusterservice.py", line 1060, in _doUpdate
info = yield self._fetch_rpc_info(info_url)
File "/usr/lib/python3/dist-packages/provisioningserver/rpc/clusterservice.py", line 1124, in _fetch_rpc_info
Headers({b'User-Agent': [fullyQualifiedName(cls)]}))
File "/usr/lib/python3/dist-packages/twisted/web/client.py", line 1649, in request
endpoint = self._getEndpoint(parsedURI)
File "/usr/lib/python3/dist-packages/twisted/web/client.py", line 1633, in _getEndpoint
return self._endpointFactory.endpointForURI(uri)
File "/usr/lib/python3/dist-packages/twisted/web/client.py", line 1510, in endpointForURI
uri.port)
File "/usr/lib/python3/dist-packages/twisted/web/client.py", line 944, in creatorForNetloc
trustRoot=self._trustRoot)
File "/usr/lib/python3/dist-packages/twisted/internet/_sslverify.py", line 1289, in optionsForClientTLS
return ClientTLSOptions(hostname, certificateOptions.getContext())
File "/usr/lib/python3/dist-packages/twisted/internet/_sslverify.py", line 1152, in __init__
self._hostnameBytes = _idnaBytes(hostname)
File "/usr/lib/python3/dist-packages/twisted/internet/_idna.py", line 30, in _idnaBytes
return idna.encode(text)
File "/usr/lib/python3/dist-packages/idna/core.py", line 355, in encode
result.append(alabel(label))
File "/usr/lib/python3/dist-packages/idna/core.py", line 265, in alabel
raise IDNAError('The label {0} is not a valid A-label'.format(label))
idna.core.IDNAError: The label b'::ffff:10' is not a valid A-label

Tags:

Andres Rodriguez (andreserl) on 2018-06-19

summary:	- SSL doesn't work for inter-controller communication + [enhacement] SSL doesn't work for inter-controller communication
Changed in maas:
status:	New → Triaged
milestone:	none → 2.5.0
tags:	added: enhancement
tags:	added: wishlist

Andres Rodriguez (andreserl) on 2018-10-16

Changed in maas:
milestone:	2.5.0 → next

Revision history for this message

Andrew Forgue (andrewjf) wrote on 2019-04-27: Re: [enhacement] SSL doesn't work for inter-controller communication

Is there a workaround for this?

Björn Tillenius (bjornt) on 2021-08-24

Changed in maas:
milestone:	next → none

Revision history for this message

Adam Collard (adam-collard) wrote on 2022-05-26:

Assuming you have configured the controllers to trust the certificates in use, please can you try this again and let us know if it's still an issue for you on a recent MAAS, providing clear steps to reproduce the problem?

summary:	- [enhacement] SSL doesn't work for inter-controller communication + TLS doesn't work for inter-controller communication
Changed in maas:
status:	Triaged → Incomplete

Revision history for this message

Launchpad Janitor (janitor) wrote on 2022-07-26:

[Expired for MAAS because there has been no activity for 60 days.]

Changed in maas:
status:	Incomplete → Expired

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.