canonical-livepatch config ca-certs is undocumented

Bug #1890601 reported by Michael Fosgerau
This bug affects 2 people

Affects: Canonical Livepatch Client
Status: Confirmed
Importance: Wishlist
Assigned to: Unassigned

Bug Description

(Note: The requested output from the various commands according to your bug reporting guidelines is attached as a txt file).

I'm having trouble enabling / running canonical-livepatch through a corporate proxy with its own root trusted CA cert.

I've managed to set up everything else so traffic goes through it, including snap, apt, browser(s) and so forth.

All requests to enable livepatch always result in:

$ sudo -E canonical-livepatch enable MY_SECRET_TOKEN
2020/08/06 14:42:59 error executing enable: cannot enable machine: cannot send request: Post https://livepatch.canonical.com/api/machine-tokens: x509: certificate signed by unknown authority

I've tried in a number of ways to get the CA cert registered with livepatch, so far without any luck. For example:

$ sudo -E canonical-livepatch config ca-certs="$(cat ~/workspace/setup-ubuntu/CertEmulationCA.crt)"
invalid config "ca-certs=-----BEGIN CERTIFICATE-----\nscrambled-content-goes-on-and-on-and-on\n-----END CERTIFICATE-----" ignored (bad name)

Also, I've tried with a direct path to the cert like:

$ sudo canonical-livepatch config ca-certs="~/workspace/setup-ubuntu/CertEmulationCA.crt"
$ sudo -E canonical-livepatch enable MY_SECRET_TOKEN
2020/08/06 14:42:59 error executing enable: cannot enable machine: cannot send request: Post https://livepatch.canonical.com/api/machine-tokens: x509: certificate signed by unknown authority

I've successfully set the proxy using:

sudo canonical-livepatch config http-proxy="PROXYHOSTNAME:PORT" https-proxy="PROXYHOSTNAME:PORT"

Please document how the command + arguments are intended to work and to be used, as this (current doc) does not help a lot:

-------------------------

$ canonical-livepatch config --help
NAME:
   canonical-livepatch config - configure livepatching on the machine

USAGE:
   canonical-livepatch config [arguments...]

-------------------------

$ canonical-livepatch config ca-certs --help
NAME:
   canonical-livepatch config - configure livepatching on the machine

USAGE:
   canonical-livepatch config [arguments...]

-------------------------

Thanks in advance! =)

Best regards
Michael F.

Michael Fosgerau (mfosgerau) wrote :
information type: Proprietary → Public
description: updated
Casey Marshall (cmars) wrote :

Hi,
Sorry you're having trouble. We do not believe there is a problem with the ca-certs configuration option. This option is generally not something we advertise for non-commercial use and I cannot provide support here as Launchpad is for reporting actual bugs in the client itself.

If you have purchased Ubuntu Advantage (https://ubuntu.com/advantage), you may open a support case at https://support.canonical.com.

Best regards,
Casey

Changed in canonical-livepatch-client:
status: New → Invalid
Michael Fosgerau (mfosgerau) wrote :

Hi Casey

I'm reporting that the documentation is lacking information. Not that it does not work.

Your user base, pro or non-pro, will be more or less unable to figure out how to configure ca-certs, which is clearly an intended use. Otherwise, hide it, and make livepatch use the system settings instead of its own internal configuration.

Thanks for re-considering it.

Best regards
Michael

Casey Marshall (cmars)
Changed in canonical-livepatch-client:
status: Invalid → Confirmed
importance: Undecided → Wishlist