self signed cert erroneously regenerated when config-changed code runs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
charm-haproxy | Fix Released | Medium | Billy Olsen |
Bug Description
When deploying with a self-signed certificate, the is_selfsigned_
This is due to the use of the subjAltName component from the pyasn parsing .getComponent() which returns an OctetString for the output. When converted to a python string, the OctetString does not contain an IP address which is equivalent to what is placed in the unit data (as the data is a byte array containing the octets of the IP address).
This was likely introduced by the change for bug 1779177, which switched over the self signed certificate from using the dns name to the IP address.
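The mismatch described above, as an added illustration that is not the charm's code: the iPAddress entry of a subjectAltName is carried as raw octets (4 bytes for IPv4, 16 for IPv6), so stringifying it can never equal the dotted-quad in unit data. The constructed octets and the helper names below are assumptions; the stdlib ipaddress module is used to normalise both sides before comparing, and a malformed value is treated as a mismatch rather than a hook crash.

```python
"""Compare a subjectAltName iPAddress entry against the unit's IP string.

Constructed example, not charm-haproxy's own code. pyasn1 is not needed:
the bytes below stand in for what .getComponent().asOctets() would yield.
"""
import ipaddress

# Constructed stand-in for the SAN octets of a cert issued to 10.5.0.12.
SAN_OCTETS_V4 = bytes([10, 5, 0, 12])
# Constructed IPv6 counterpart (16 packed bytes for fd00::1).
SAN_OCTETS_V6 = ipaddress.ip_address("fd00::1").packed


def naive_match(san_octets: bytes, unit_ip: str) -> bool:
    """The pattern the bug describes: stringify the octets and compare.
    str(b'\\n\\x05\\x00\\x0c') is never equal to '10.5.0.12', so the
    certificate is judged stale on every config-changed run."""
    return str(san_octets) == unit_ip


def san_matches_ip(san_octets: bytes, unit_ip: str) -> bool:
    """Decode the raw octets into an address object before comparing."""
    try:
        san_ip = ipaddress.ip_address(san_octets)   # accepts 4- or 16-byte input
        want = ipaddress.ip_address(unit_ip)
    except ValueError:
        # Wrong octet length or an unparsable unit address: report a
        # mismatch so the caller regenerates instead of raising in the hook.
        return False
    return san_ip == want


def cert_needs_regeneration(san_octets: bytes, unit_ip: str) -> bool:
    """True only when the SAN really does not cover the unit's address."""
    return not san_matches_ip(san_octets, unit_ip)


if __name__ == "__main__":
    print(naive_match(SAN_OCTETS_V4, "10.5.0.12"))             # False (spurious)
    print(san_matches_ip(SAN_OCTETS_V4, "10.5.0.12"))          # True
    print(cert_needs_regeneration(SAN_OCTETS_V4, "10.5.0.12"))  # False
    print(san_matches_ip(SAN_OCTETS_V6, "fd00::1"))            # True
```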
[Recreate Steps]
Deploy the following juju bundle
```yaml
series: bionic
applications:
  haproxy:
    charm: cs:haproxy
    num_units: 1
    options:
      default_
      services: ""
      source: backports
      ssl_cert: SELFSIGNED
      global_
  grafana:
    charm: cs:grafana
    num_units: 1
relations:
  - [ "haproxy", "grafana" ]
```
Change a config value or cause config-changed hook to fire:
$ juju config haproxy global_quiet=True
Observe in the logs the certs are getting regenerated
Related branches
- Edward Hope-Morley: Approve
- Felipe Reyes (community): Approve
- Chris Johnston (community): Approve
- Stuart Bishop (community): Approve
Diff: 100 lines (+43/-6), 1 file modified: hooks/hooks.py (+43/-6)
Changed in charm-haproxy:
- tags: added: sts
- status: New → Confirmed
- summary: "self signed cert erroneously regenerated when reverse-proxy relation changes" → "self signed cert erroneously regenerated when config-changed code runs"
- description: updated
Note: a workaround for production would be to specify the certs in the charm config.