Bazaar

Certificate error on launchpad xmlrpc server with HTTPS_PROXY set

Bug #944696 reported by Soren Hansen
26
This bug affects 4 people
Affects Status Importance Assigned to Milestone
Bazaar
Fix Released
Critical
Martin Packman
Bazaar 2.6b1
2.5
Fix Released
Critical
Martin Packman
Bazaar 2.5.1
bzr (Ubuntu)
Fix Released
Medium
Jelmer Vernooij
Precise
Fix Released
Medium
Jelmer Vernooij

Bug Description

When using an https proxy (by setting $https_proxy), I get an error:

soren@jenkins:~$ bzr branch lp:reincarnate
bzr: ERROR: Certificate error: hostname 'proxy-sjc-1.cisco.com' doesn't match either of '*.launchpad.net', 'launchpad.net'
soren@jenkins:~$ echo $https_proxy
http://proxy-sjc-1.cisco.com:80/

So, apparently it's comparing the hostname given in the cert against the hostname of the proxy. That will never work :)

FWIW, w3m and wget are perfectly happy talking to launchpad through this proxy. No complaints over anything like this.

Related branches

lp:~gz/bzr/https_proxy_host_matching_944696
Jelmer Vernooij (community): Approve
Diff: 41 lines (+10/-3)
2 files modified
bzrlib/transport/http/_urllib2_wrappers.py (+6/-3)
doc/en/release-notes/bzr-2.5.txt (+4/-0)
lp:~jelmer/ubuntu/precise/bzr/2.5.1-sru
lp:ubuntu/quantal/bzr
lp:~bzr/ubuntu/natty/bzr/bzr-ppa
lp:~bzr/ubuntu/maverick/bzr/bzr-ppa
lp:~bzr/ubuntu/lucid/bzr/bzr-ppa
Revision history for this message
Soren Hansen (soren) wrote :
Download full text (3.8 KiB)

I replaced the nice raise CertificateError with just a 'raise "blah"' to get a backtrace. This is what I got:

bzr: ERROR: exceptions.TypeError: exceptions must be old-style classes or derived from BaseException, not str

Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/bzrlib/commands.py", line 920, in exception_to_return_code
    return the_callable(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/bzrlib/commands.py", line 1131, in run_bzr
    ret = run(*run_argv)
  File "/usr/lib/python2.7/dist-packages/bzrlib/commands.py", line 673, in run_argv_aliases
    return self.run(**all_cmd_args)
  File "/usr/lib/python2.7/dist-packages/bzrlib/commands.py", line 695, in run
    return self._operation.run_simple(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/bzrlib/cleanup.py", line 136, in run_simple
    self.cleanups, self.func, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/bzrlib/cleanup.py", line 166, in _do_with_cleanups
    result = func(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/bzrlib/builtins.py", line 1420, in run
    from_location)
  File "/usr/lib/python2.7/dist-packages/bzrlib/controldir.py", line 778, in open_tree_or_branch
    controldir = klass.open(location)
  File "/usr/lib/python2.7/dist-packages/bzrlib/controldir.py", line 685, in open
    t = _mod_transport.get_transport(base, possible_transports)
  File "/usr/lib/python2.7/dist-packages/bzrlib/transport/__init__.py", line 1679, in get_transport
    return get_transport_from_url(location_to_url(base), possible_transports)
  File "/usr/lib/python2.7/dist-packages/bzrlib/transport/__init__.py", line 1601, in location_to_url
    location = directories.dereference(location)
  File "/usr/lib/python2.7/dist-packages/bzrlib/directory_service.py", line 65, in dereference
    return service().look_up(name, url)
  File "/usr/lib/python2.7/dist-packages/bzrlib/plugins/launchpad/lp_directory.py", line 68, in look_up
    return self._resolve(url)
  File "/usr/lib/python2.7/dist-packages/bzrlib/plugins/launchpad/lp_directory.py", line 173, in _resolve
    result = self._resolve_via_xmlrpc(path, url, _request_factory)
  File "/usr/lib/python2.7/dist-packages/bzrlib/plugins/launchpad/lp_directory.py", line 100, in _resolve_via_xmlrpc
    result = resolve.submit(service)
  File "/usr/lib/python2.7/dist-packages/bzrlib/plugins/launchpad/lp_registration.py", line 271, in submit
    self._authenticated)
  File "/usr/lib/python2.7/dist-packages/bzrlib/plugins/launchpad/lp_registration.py", line 194, in send_request
    result = method(*method_params)
  File "/usr/lib/python2.7/xmlrpclib.py", line 1224, in __call__
    return self.__send(self.__name, args)
  File "/usr/lib/python2.7/xmlrpclib.py", line 1578, in __request
    verbose=self.__verbose
  File "/usr/lib/python2.7/dist-packages/bzrlib/plugins/launchpad/lp_registration.py", line 72, in request
    response = self._opener.open(request)
  File "/usr/lib/python2.7/urllib2.py", line 400, in open
    response = self._open(req, data)
  File "/usr/lib/python2.7/urllib2.py", line 418, in _open
    '_open', req)
  File "/usr/lib/python2.7/urllib2.py", line 378, in _call_chain
...

Read more...

Martin Packman (gz)
Changed in bzr:
importance: Undecided → High
status: New → Confirmed
tags: added: https
summary: - When using a proxy to talk https, cert checking validates against proxy
- host name
+ Cerfiticate error on launchpad xmlrpc server with HTTPS_PROXY set
Revision history for this message
Jelmer Vernooij (jelmer) wrote : Re: Cerfiticate error on launchpad xmlrpc server with HTTPS_PROXY set

As a workaround you should be able to install pycurl.

This is a regression from our work to always verify certificates. I think this should be Critical?

Vincent Ladeuil (vila)
summary: - Cerfiticate error on launchpad xmlrpc server with HTTPS_PROXY set
+ Certificate error on launchpad xmlrpc server with HTTPS_PROXY set
Changed in bzr:
importance: High → Critical
Revision history for this message
siva sandeep (coll-life-rox) wrote :

I got a similar error.

I used the command "bzr branch lp:eucalyptus" and the response was

"bzr: ERROR: Certificate error: hostname '172.16.16.16' doesn't match either of '*.launchpad.net', 'launchpad.net'"

When i tried, " $ echo $https_proxy ", i got this,

"http://it-mml03:sivasandeep@172.16.16.16:3128/"

What am i supposed to do now to get that branch of Eucalyptus?

Revision history for this message
Martin Packman (gz) wrote :

So, the only thing as far as launchpad is concerned that uses https is the resolution of lp: urls via the xmlrpc server. Giving launchpad your ssh public key and setting your launchpad username in bzr avoids the issue as bzr+ssh is used instead of http. Passing '-Ossl.cert_reqs=none' just for the initial branch operation also works, as bzr remembers the resolved http url for future operations.

Steps to reproduce:

* Install tinyproxy, which comes up on localhost:8888 in default configuration

* Run a command through the proxy with no launchpad_username set, against a lp: branch:

    $ BZR_HOME=/tmp HTTPS_PROXY=http://localhost:8888 bzr info lp:bzr
    bzr: ERROR: Certificate error: hostname 'localhost' doesn't match either of '*.launchpad.net', 'launchpad.net'

* The safe effect can be had with other hosts and protocols, so it seems to be general issue with proxying:

    $ HTTPS_PROXY=http://localhost:8888 bzr info https://github.com/paramiko/paramiko.git
    bzr: ERROR: Certificate error: hostname 'localhost' doesn't match either of 'github.com', 'www.github.com'

Martin Packman (gz)
Changed in bzr:
assignee: nobody → Martin Packman (gz)
milestone: none → 2.5.1
status: Confirmed → In Progress
Martin Packman (gz)
Changed in bzr:
milestone: 2.5.1 → 2.6b1
Martin Packman (gz)
Changed in bzr:
status: In Progress → Fix Released
Revision history for this message
Eduard Gotwig (gotwig) wrote :

still not fixed for me:

example:

bzr branch lp:~frederik-elwert/lens-cooking/chefkoch-scope
bzr: ERROR: Certificate error: hostname 'proxy.bg.bib.de' doesn't match either of '*.launchpad.net', 'launchpad.net'

Jelmer Vernooij (jelmer)
Changed in bzr (Ubuntu):
status: New → Fix Released
importance: Undecided → Medium
assignee: nobody → Jelmer Vernooij (jelmer)
Changed in bzr (Ubuntu Precise):
assignee: nobody → Jelmer Vernooij (jelmer)
importance: Undecided → Medium
status: New → In Progress
Revision history for this message
Clint Byrum (clint-fewbar) wrote :

Hi Jelmer. The upload of bzr to precise-proposed has one issue. It is versioned as

2.5.1-0ubuntu1

But the version in quantal is

2.5.0-2ubuntu2

Please upload a higher upstream version to quantal first, then we can accept this upload to precise-proposed. Until then we need to keep it out.

Also please make sure this is actually fixed in Quantal... since it seems like something that is part of the 2.5.1 release, not 2.5.0

Changed in bzr (Ubuntu):
status: Fix Released → In Progress
status: In Progress → Fix Released
Revision history for this message
Chris Halse Rogers (raof) wrote : Please test proposed package

Hello Soren, or anyone else affected,

Accepted bzr into precise-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in bzr (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Revision history for this message
Yuriy Voziy (yuretsz) wrote :

Is there any workaround for this? I have to work through corporate proxy and don't know what to do now.

Revision history for this message
Jasper Aikema (jasper-aikema) wrote :

I did install the proposed update (bzr 2.5.1-0ubuntu1) , and it worked for me.

Revision history for this message
Andrew Starr-Bochicchio (andrewsomething) wrote :

I can confirm this is resolved with the version in precise-proposed:

$ BZR_HOME=/tmp HTTPS_PROXY=http://localhost:8888 bzr info lp:bzr
You have not informed bzr of your Launchpad ID, and you must do this to
write to Launchpad or access private data. See "bzr help launchpad-login".
Repository branch (format: 2a)
Location:
  shared repository: http://bazaar.launchpad.net/~bzr-pqm/bzr/bzr.dev/
  repository branch: http://bazaar.launchpad.net/~bzr-pqm/bzr/bzr.dev/

Related branches:
  parent branch: sftp://robertc@escudero/srv/www.bazaar-ng.org/rsync/bzr/bzr.pqm/

tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bzr - 2.5.1-0ubuntu1

---------------
bzr (2.5.1-0ubuntu1) precise-proposed; urgency=low

  * New upstream release.
   + Fixes handling of colocated branches in `bzr rmbranch`. LP: #920653
   + rmbranch now refuses to remove active branch. LP: #922953
   + Connecting with HTTPS via HTTP correctly uses host name of destination
     rather than that of proxy. LP: #944696
   + No longer requires tty when GPG signing commits. LP: #847388
   + Fixes unicode erorrs when translated progress task messages
     contain non-ascii text. LP: #966934
   + Fixes display of help for configuration options that overlap
     with other topics. LP: #941672
  * Drop 06_spurious_test_failure: applied upstream.
 -- Jelmer Vernooij <email address hidden> Mon, 28 May 2012 13:36:02 +0200

Changed in bzr (Ubuntu Precise):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.