Fix the disable_ssl_certificate_validation option
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
python-httplib2 (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bionic | Fix Released | Medium | Heather Lemon | |
Focal | Fix Released | Undecided | Unassigned | |
Groovy | Fix Released | Undecided | Unassigned | |
Hirsute | Fix Released | Undecided | Unassigned | |
Bug Description
[Impact]
* On Bionic, MAAS CLI fails to work with apis over https with self-signed
certificates due to broken disable_
with python 3.5 and later.
[Steps to Reproduce]
1. prepare a maas server (it doesn't have to be HA to reproduce)
2. prepare a set of certificate, key and ca-bundle
3. place a new conf in /etc/nginx/
restart nginx
4. add the ca certificates to the host
sudo mkdir /usr/share/
sudo cp -v ca-bundle.crt /usr/share/
dpkg-
5. login with a new profile over https url
6. if the certificate is not trusted by the root store, it fails to login
7. adding the '--insecure' flag should disable the certificate check
[Where Problems Could Occur]
* Potential issues could happen if we disable certificate validation for
all TLS interactions, any connection https related.
* Should not break existing python3 versions.
* Should not affect previously working python2 versions.
[Other Info]
This change should fix the issue with python3, and you should be able
to connect with python2 as before.
python2 => python-
python3 => python3-
*both are built from the same source package
helpful urls:
https:/
https:/
https:/
[Test Case]
# create bionic VM/lxc container
lxc launch ubuntu:bionic lp1906720
# get source code from repo
pull-lp-source python-httplib2 bionic
# install maas-cli
apt-get install maas-cli
# install maas server
apt-get install maas
# init maas
sudo maas init
# answer questions
# generate self signed cert and key
openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key
# add certs
sudo cp -v localhost.crt /usr/share/
# add new cert to list
sudo dpkg-reconfigure ca-certificates
[1]
# select yes with spacebar
# save and it will reload with 1 new certificate
# create api key files
touch api_key
touch api-key-file
# remove any packages with this
# or this python3-httplib2
apt-cache search python-httplib2
apt-get remove python-httplib2
apt-get remove python3-httplib2
# create 2 admin users
sudo maas createadmin testadmin
sudo maas createadmin secureadmin
# generate maas api keys
sudo maas apikey --username=
sudo maas apikey --username=
# setup nginx proxy
sudo apt update
sudo apt install nginx
touch /etc/nginx/
# contents of maas-https-default
server {
listen 443 ssl http2;
server_name _;
ssl_certificate /home/ubuntu/
ssl_certificat
location / {
proxy_pass http://
include /etc/nginx/
}
location /MAAS/ws {
proxy_pass http://
proxy_set_header Connection "Upgrade";
}
}
sudo service nginx restart
# make sure you can login to maas-cli without TLS
# by running this script
# this is for the non-tls user
# this goes into a script called maas-login.sh
touch maas-login.sh
sudo chmod +rwx maas-login.sh
----
#!/bin/sh
PROFILE=testadmin
API_KEY_
API_SERVER=
MAAS_URL=http://
maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
----
sudo chmod +rwx https-maas.sh
# another script called https-maas.sh
# for the tls user
----
#!/bin/sh
PROFILE=secureadmin
API_KEY_
API_SERVER=
MAAS_URL=https:/
maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
----
# try to login
./maas-login.sh
cd /etc/nginx/
sudo touch maas-https-default
#example nginx config for maas https
server {
listen 443 ssl http2;
server_name _;
ssl_certificate /home/ubuntu/
ssl_certificat
location / {
proxy_pass http://
include /etc/nginx/
}
location /MAAS/ws {
proxy_pass http://
proxy_set_header Connection "Upgrade";
}
}
# create link
sudo ln -s /etc/nginx/
# look at errors
cat /var/log/
cat regiond.log | grep "Python-http"
*I didn't see any 404s though
2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/
2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/
2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/
[Other]
HTTPSConnection
( reboot nginx if you see this message )
[1] https:/
[VERIFICATION DONE]
#purge python-httplib2
dpkg -l python-httplib2 | cat
sudo apt-get remove python-httplib2
# maas version used
2.4.2
# enable proposed pocket via update manager
apt-get install python-httplib2
package version installed: 0.9.2+dfsg-
# Follow test case steps
I have followed the outline in the test steps.
Saw that the issue was resolved with the fix.
I was able to login to maas-cli via https
No errors were thrown in the logs when accessing https via maas-cli located here:
/var/log/
Changed in python-httplib2 (Ubuntu Bionic): | |
assignee: | nobody → Heather Lemon (hypothetical-lemon) |
Changed in python-httplib2 (Ubuntu Groovy): | |
assignee: | nobody → Heather Lemon (hypothetical-lemon) |
Changed in python-httplib2 (Ubuntu Hirsute): | |
assignee: | nobody → Heather Lemon (hypothetical-lemon) |
Changed in python-httplib2 (Ubuntu Focal): | |
assignee: | nobody → Heather Lemon (hypothetical-lemon) |
Changed in python-httplib2 (Ubuntu Bionic): | |
status: | Confirmed → In Progress |
Changed in python-httplib2 (Ubuntu Bionic): | |
importance: | Undecided → Medium |
tags: | added: sts sts-sponsor-ddstreet |
no longer affects: | maas (Ubuntu) |
no longer affects: | maas (Ubuntu Bionic) |
no longer affects: | maas (Ubuntu Focal) |
no longer affects: | maas (Ubuntu Groovy) |
no longer affects: | maas (Ubuntu Hirsute) |
Changed in python-httplib2 (Ubuntu Bionic): | |
status: | Incomplete → In Progress |
tags: |
added: sts-sponsor-slashd removed: sts-sponsor-ddstreet |
Changed in python-httplib2 (Ubuntu Focal): | |
assignee: | Heather Lemon (hypothetical-lemon) → nobody |
Changed in python-httplib2 (Ubuntu Groovy): | |
assignee: | Heather Lemon (hypothetical-lemon) → nobody |
Changed in python-httplib2 (Ubuntu Hirsute): | |
assignee: | Heather Lemon (hypothetical-lemon) → nobody |
tags: | added: verification-done-bionic |
tags: | removed: sts-sponsor-slashd |
tags: |
added: verification-done-bionic removed: verification-needed-bionic |
Backport fix https://github.com/httplib2/httplib2/pull/15 into bionic
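An added example, not code from httplib2, MAAS or this bug report: using only Python's standard ssl module, it shows an opt-out such as disable_ssl_certificate_validation scoped to a single connection's context, so other TLS connections keep validating, and the order in which the two checks must be switched off. The names build_context, insecure, ca_file, wrong_order_is_rejected and validation_state are hypothetical.

```python
import ssl

def build_context(insecure=False, ca_file=None):
    """Return a client TLS context for ONE connection; nothing global is changed.

    insecure and ca_file are hypothetical parameter names for this example.
    """
    # PROTOCOL_TLS_CLIENT starts strict: CERT_REQUIRED plus hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if insecure:
        # Order matters: hostname checking must be off before CERT_NONE is accepted.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif ca_file:
        # For a self-signed server: trust only the given CA bundle.
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    return ctx

def wrong_order_is_rejected():
    """Setting CERT_NONE while check_hostname is still on raises ValueError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False

def validation_state(ctx):
    """Classify a context so a caller or test can assert what it really checks."""
    if ctx.verify_mode == ssl.CERT_NONE:
        return "none"
    return "chain+hostname" if ctx.check_hostname else "chain-only"

if __name__ == "__main__":
    print("insecure  ->", validation_state(build_context(insecure=True)))
    # A context built afterwards is still strict: the opt-out did not leak.
    print("default   ->", validation_state(build_context()))
    print("wrong order rejected:", wrong_order_is_rejected())
```

Asserting on validation_state in a regression test catches both directions of failure: an opt-out that is silently ignored, and one that leaks into connections that never asked for it.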