Uploading package to server with self-signed certificate on https fails despite adding cert to trust-store
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
dput (Ubuntu) | New | Undecided | Unassigned | | |
Bug Description
On Ubuntu 22.04 with dput version 1.1.0ubuntu2.1, and python3 3.10.x, customers using a self-signed SSL for https are getting the following:
File "/usr/bin/dput", line 37, in <module>
sys.
File "/usr/share/
upload_
File "/usr/share/
return http.upload(
File "/usr/share/
conn.
File "/usr/lib/
self.
File "/usr/lib/
self.send(msg)
File "/usr/lib/
self.connect()
File "/usr/lib/
self.sock = self._context.
File "/usr/lib/
return self.sslsocket_
File "/usr/lib/
self.
File "/usr/lib/
self.
ssl.SSLCertVeri
This seems to be an issue in how the SSL for the https connection is validated. Even after adding the self-signed certificate to the trust store with update-
The immediate solution has been to modify the main dput file to import the ssl library, and tell it to not validate the certificate for the connection:
import ssl
ssl._create_
This is discussed further at the following link:
This seems like a change in python behavior given this discussion:
https:/
I am not sure what the best path forward is; I would think that ideally there may be an environment variable to tell python to read the certificate from the standard trust-store /etc/ssl/
I do not see this happening on 20.04 with python 3.8.x and dput 1.0.3ubuntu1.1, so this seems to be a relatively recent change in behavior.
Update: after a lot of discussion with Mitch Burton on the Landscape team, he was able to demonstrate this working with a self-signed certificate. We think that this may actually not be strictly an issue with the self-signed SSL, but rather that the name in the cert is not an FQDN, and instead is just the bare hostname.
Upon further testing myself, I swapped the hostname on my test instance from landscape-2310-jammy to landscape-2310-jammy.lxd just as a test. I then updated my /etc/hosts file, the certificates configured in Apache, and imported the newly generated cert into ca-certificates. After this dput worked just fine.
dput lds:ubuntu/jammy/upload hello.changes
D: Splitting host argument out of lds:ubuntu/jammy/upload.
D: Setting host argument.
Checking signature on .changes
gpg: /root/hello.changes: Valid signature from 5E1E964200F3EA3D
Uploading to lds (via https to landscape-2310-jammy.lxd):
Uploading hello_2.10-2ubuntu4+esm1_amd64.deb: done.
Uploading hello.changes: done.
Successfully uploaded packages.
This seems to confirm that the issue is not necessarily with dput directly, but in how python's urllib is checking the domain/cert on the connection. This may be something that can be worked around in dput to allow for a bare hostname that is not an FQDN, but either way, I figured it would be relevant to add this information.
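Added example, not part of the original report or of dput's code: a small probe that leaves certificate verification on and reports whether a failed handshake is a trust problem (certificate not in the trust store used) or a name problem (certificate not valid for the hostname dialled), the two causes the report moves between. The host name and CA file path in the usage lines are placeholders, and the function names are hypothetical.

```python
import socket
import ssl

# OpenSSL X509_V_ERR_* values that Python exposes as
# ssl.SSLCertVerificationError.verify_code.
TRUST_CODES = {
    18: "self-signed certificate",
    19: "self-signed certificate in chain",
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}
NAME_CODES = {62: "hostname mismatch", 64: "IP address mismatch"}


def classify(verify_code):
    """Map a verify_code to the kind of fix it calls for."""
    if verify_code in TRUST_CODES:
        return "untrusted"      # certificate/CA is not in the trust store used
    if verify_code in NAME_CODES:
        return "name-mismatch"  # trusted, but not issued for the name dialled
    return "other"


def probe(host, port=443, cafile=None, timeout=5.0):
    """Handshake with verification left on; return (verdict, detail).

    cafile=None uses the system trust store; a path trusts only that file.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return classify(exc.verify_code), exc.verify_message
    except OSError as exc:  # refused, timed out, or not speaking TLS
        return "unreachable", str(exc)
    # Names the certificate is valid for, as the client saw them.
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return "ok", names


if __name__ == "__main__":
    # Placeholder host and CA path; substitute your own server and certificate.
    print(probe("repo.example.internal", 443, "/path/to/server-cert.pem"))
```

Running it once with `cafile=None` and once with the server's own certificate as `cafile` shows whether the system trust store or the name in the certificate is what the client rejects.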