The second leader doesn't take over the previous leader's CA cert/key and instead initiates its own CA
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| EasyRSA Charm | Fix Released | High | Joseph Borg | |
Bug Description
When the first leader unit is dead (because of a hardware failure, etc.) and a second unit is added and becomes the new leader, the second leader initiates its own CA and issues server certificates to newly deployed units of other applications. Those certificates cannot be verified against the original CA, so application deployment fails.
The first leader had already saved the CA cert and secret key into Juju's leader storage, so the second leader should take over those files and should not start its own CA.
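The hand-over rule described above, as an added example that is not the charm's own code: a unit that becomes leader first consults leader storage and only bootstraps a CA when nothing is stored there. `LeaderStorage` stands in for the Juju `leader-get`/`leader-set` hook tools (charmhelpers exposes them as `hookenv.leader_get`/`hookenv.leader_set`) and is backed by a dict so the module runs offline; the storage keys, the `ca.crt`/`private/ca.key` layout and the placeholder PEM text are assumptions made for this example.

```python
"""
Leader hand-over logic for an easyrsa-style CA charm. This is an added
example, not the charm's own code: a newly elected leader must reuse the CA
material already published to Juju leader storage and only bootstrap a fresh
CA when nothing is stored there.

`LeaderStorage` stands in for the Juju leader-get/leader-set hook tools
(charmhelpers exposes them as hookenv.leader_get/leader_set); it is backed by
a dict so the module runs offline. The storage keys and file layout below are
assumptions made for this example.
"""
import itertools
import os
import stat
import tempfile
from pathlib import Path
from typing import Callable, Dict, Tuple

CA_CERT_KEY = "ca_certificate"  # assumed leader-storage key for the CA cert
CA_KEY_KEY = "ca_key"           # assumed leader-storage key for the CA private key


class LeaderStorage:
    """In-memory stand-in for Juju leader settings shared by all units of an app."""

    def __init__(self) -> None:
        self._settings: Dict[str, str] = {}

    def leader_get(self) -> Dict[str, str]:
        return dict(self._settings)

    def leader_set(self, **kwargs: str) -> None:
        self._settings.update(kwargs)


def _write_private(path: Path, data: str) -> None:
    """Write CA material with owner-only permissions, creating parent dirs."""
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)


def ensure_ca(storage: LeaderStorage, pki_dir: Path,
              generate_ca: Callable[[], Tuple[str, str]]) -> str:
    """Run on the unit that has just become leader.

    Returns "restored" if the CA from leader storage was adopted, or
    "generated" if this is the first leader and a new CA was created and
    published for the leaders that follow.
    """
    settings = storage.leader_get()
    cert, key = settings.get(CA_CERT_KEY), settings.get(CA_KEY_KEY)
    if not (cert and key):
        # Nothing stored: bootstrap a CA and publish it so the next leader
        # (after this unit is lost) adopts it instead of starting its own.
        cert, key = generate_ca()
        storage.leader_set(**{CA_CERT_KEY: cert, CA_KEY_KEY: key})
        outcome = "generated"
    else:
        outcome = "restored"
    _write_private(pki_dir / "ca.crt", cert)
    _write_private(pki_dir / "private" / "ca.key", key)
    return outcome


def simulate_failover() -> Tuple[str, str, bool, int]:
    """Replay the bug scenario: easyrsa/0 creates the CA and is lost, then
    easyrsa/1 is elected leader with an empty PKI directory."""
    counter = itertools.count(1)

    def fake_generate_ca() -> Tuple[str, str]:
        # Constructed placeholder PEM text; a real charm would run easyrsa build-ca.
        n = next(counter)
        return (f"-----BEGIN CERTIFICATE-----\nFAKE-CA-{n}\n-----END CERTIFICATE-----\n",
                f"-----BEGIN PRIVATE KEY-----\nFAKE-KEY-{n}\n-----END PRIVATE KEY-----\n")

    storage = LeaderStorage()
    with tempfile.TemporaryDirectory() as d0, tempfile.TemporaryDirectory() as d1:
        first = ensure_ca(storage, Path(d0), fake_generate_ca)   # easyrsa/0 bootstraps
        second = ensure_ca(storage, Path(d1), fake_generate_ca)  # easyrsa/1 takes over
        same_ca = Path(d0, "ca.crt").read_text() == Path(d1, "ca.crt").read_text()
        key_mode = stat.S_IMODE(os.stat(Path(d1, "private", "ca.key")).st_mode)
    return first, second, same_ca, key_mode


if __name__ == "__main__":
    print(simulate_failover())  # ('generated', 'restored', True, 384)
```

The second `ensure_ca` call never invokes `generate_ca`, which is exactly the property the bug violates: with the CA reused, a certificate issued by easyrsa/1 to a later etcd unit still chains to the CA the earlier etcd units trust.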
How to reproduce:
$ juju deploy ./etcd.yaml
$ juju add-unit -n2 etcd ## and verify new etcd units join the cluster with healthy state
Take down the original easyrsa unit.
$ lxc stop -f juju-796b78-0 ## machine of easyrsa/0
$ juju add-unit easyrsa ## deploy the next leader
$ juju add-unit etcd
Expected:
The last etcd unit joins the cluster.
Actual:
The last unit has a server cert that cannot be verified and is stuck on "Waiting to retry etcd registration".
$ juju run --application etcd 'openssl verify /var/snap/
- Stdout: |
    /var/
    /var/
  UnitId: etcd/0
- Stdout: |
    /var/
    /var/
  UnitId: etcd/1
- Stdout: |
    /var/
    /var/
  UnitId: etcd/2
- ReturnCode: 2
  Stderr: |
    CN = 10.0.9.157
    error 20 at 0 depth lookup: unable to get local issuer certificate
  Stdout: |
    /var/
    error /var/snap/
  UnitId: etcd/3
$ juju status
Model  Controller           Cloud/Region         Version  SLA          Timestamp
etcd   localhost-localhost  localhost/localhost  2.6.4    unsupported  14:53:02Z

App      Version  Status   Scale  Charm    Store       Rev  OS      Notes
easyrsa  3.0.1    active     1/2  easyrsa  jujucharms  254  ubuntu
etcd     3.2.10   waiting      4  etcd     jujucharms  434  ubuntu

Unit        Workload  Agent  Machine  Public address  Ports     Message
easyrsa/0   unknown   lost   0        10.0.9.125                agent lost, see 'juju show-status-log easyrsa/0'
easyrsa/1*  active    idle   5        10.0.9.180                Certificate Authority connected.
etcd/0*     active    idle   1        10.0.9.78       2379/tcp  Healthy with 3 known peers
etcd/1      active    idle   2        10.0.9.147      2379/tcp  Healthy with 3 known peers
etcd/2      active    idle   3        10.0.9.92       2379/tcp  Healthy with 3 known peers
etcd/3      waiting   idle   4        10.0.9.157                Waiting to retry etcd registration
Changed in charm-easyrsa:
  assignee: nobody → Joseph Borg (joeborg)
  importance: Undecided → High
  status: New → In Progress
Changed in charm-easyrsa:
  status: In Progress → Fix Committed
Changed in charm-easyrsa:
  assignee: Joseph Borg (joeborg) → Cory Johns (johnsca)
  assignee: Cory Johns (johnsca) → Joseph Borg (joeborg)
Changed in charm-easyrsa:
  milestone: none → 1.15+ck1
Changed in charm-easyrsa:
  status: Fix Committed → Fix Released
output of `juju run --unit easyrsa/1 -- leader-get`