Incorrectly sets subjectAltName addresses as DNS type instead of using IP types

Bug #1779177 reported by Simon Poirier
Affects: charm-haproxy | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

When generating a self-signed cert, the subjectAltName public/private addresses are DNS entries instead of IP types.

The resulting certificate will fail to validate on recent curl versions, leading to a confusing error about subjectAltName not matching, even when providing the certificate.

For instance:

$ juju deploy ghost
$ juju deploy haproxy
$ juju relate haproxy ghost
$ juju config haproxy ssl_cert=SELFSIGNED
$ juju config haproxy services='
- service_name: haproxy_service
  service_host: "0.0.0.0"
  service_port: 443
  crts: [DEFAULT]
  service_options: [balance leastconn, cookie SRVNAME insert]
  server_options: maxconn 100 cookie S{i} check'
$ echo | openssl s_client -connect 10.4.50.188:443 | openssl x509 -text > cacert
$ curl https://10.4.50.188/ --cacert cacert
curl: (51) SSL: no alternative certificate subject name matches target host name '10.4.50.188'
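
The encoding difference behind that error, as an added example that is not part of the charm or of this report: two throwaway self-signed certificates for the sample address 10.4.50.188, one carrying the address as a DNS SAN entry (what the bug produced) and one as an IP entry, each checked with OpenSSL's own name-matching code, which like curl only consults iPAddress entries for an IP target. It assumes an openssl binary on PATH; the CN, file names and scratch directory are constructed.

```shell
#!/bin/sh
# Added example: compare a self-signed cert whose SAN carries an IP address as a
# DNS entry (the bug) with one that uses a proper IP entry. Needs openssl on PATH.

ADDR=10.4.50.188               # sample address taken from the report
WORK=$(mktemp -d)              # scratch dir for the constructed keys and certs
trap 'rm -rf "$WORK"' EXIT

# mk_cert <outfile> <subjectAltName value>
# Builds a throwaway RSA key and a one-day self-signed cert whose only SAN is $2.
# Uses a config file rather than -addext so it also works on OpenSSL 1.0.2.
mk_cert() {
    cat > "$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = haproxy
[v3]
subjectAltName = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# san_text <certfile>: the decoded subjectAltName line, e.g. "DNS:10.4.50.188"
san_text() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | tail -n 1 | sed 's/^ *//'
}

# san_matches_ip <certfile> <ip>
# Exit 0 when X509_check_ip accepts the address, i.e. an iPAddress SAN entry
# equals it; a DNS entry holding the same digits is never consulted.
san_matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'
}

mk_cert "$WORK/wrong.pem" "DNS:$ADDR"   # what the buggy charm produced
mk_cert "$WORK/right.pem" "IP:$ADDR"    # the fix: IP type for an address

for c in wrong right; do
    if san_matches_ip "$WORK/$c.pem" "$ADDR"; then verdict=accepted; else verdict=rejected; fi
    printf '%-5s %-22s -> %s for %s\n' "$c" "$(san_text "$WORK/$c.pem")" "$verdict" "$ADDR"
done
```

The "wrong" certificate is the one curl rejects with error 51 above even though it was handed over with --cacert: the trust check passes, the name check does not.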

Billy Olsen (billy-olsen) wrote:

Move to Fix Released as the latest charm includes the corresponding change

Changed in charm-haproxy:
status: New → Fix Released