certificate signed by unknown authority, Let's Encrypt

Bug #1790520 reported by Keenen Wheeler
This bug affects 2 people
Affects: Canonical Livepatch Client
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

When attempting to enable livepatch on a fresh install of ubuntu server 18.04, I get the following error.

error executing enable: Couldn't send req: Post https://livepatch.canonical.com/api/machine-tokens: x509: certificate signed by unknown authority. Server communication failed.

I've tested this on multiple servers at different locations. This issue may be affecting all users. This will also prevent livepatch from functioning on existing installs.

I suspect that the 'Let's Encrypt Authority X3' CA is not installed on the snap core.

Debug Info:
SSL Cert:
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=livepatch.canonical.com
* start date: Sep 1 05:36:06 2018 GMT
* expire date: Nov 30 05:36:06 2018 GMT
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
} [5 bytes data]
> GET /api/machine-tokens HTTP/1.1
> Host: livepatch.canonical.com
> User-Agent: curl/7.58.0
> Accept: */*
>

Name Version Rev Tracking Publisher Notes
canonical-livepatch 8.0.3 42 stable canonical✓ -

description: updated
information type: Proprietary → Public
Paul Collins (pjdc) wrote :

I've switched both services back to using the original CA.

Tom Reynolds (tomreyn) wrote :

And my livepatch client ('canonical-livepatch enable <MYAPIKEY>') just registered fine.

Before this change, it was just sitting there for ~10 minutes, retrying to connect (as per syslog, no info on this was printed on my tty), then ultimately failed (no notice on that in syslog, just on the tty I was running the command on) with the error message by Keenen.

It would be great to have more robust testing in place to prevent such issues. I know this is often easier said than done, especially with web applications - but if it's a web application which only one application - which is maintained by Canonical - is supposed to access anyways, then... I would think this should be manageable. ;-)

Thanks for your efforts (and the free tier on this service).

Paul Collins (pjdc) wrote :

Only livepatch.canonical.com relies on pinning, so I've switched auth.livepatch.canonical.com back to Let's Encrypt.

Rodney Hester (rhester72) wrote :

Also confirmed as now working here, thank you!

Casey Marshall (cmars)
Changed in canonical-livepatch-client:
status: New → Fix Released