self signed cert erroneously regenerated when config-changed code runs

Bug #1818761 reported by Billy Olsen
Affects: charm-haproxy | Status: Fix Released | Importance: Medium | Assigned to: Billy Olsen

Bug Description

When deploying with a self-signed certificate, the is_selfsigned_cert_stale check erroneously returns True causing the certificate to be regenerated. This results in a new self-signed certificate being generated each time the config-changed hook or any hook which calls the config-changed hook (which is a fair number) is invoked.

This is due to the use of the subjAltName component from the pyasn1 parsing: .getComponent() returns an OctetString for the output. When converted to a Python string, the OctetString does not contain an IP address equivalent to what is placed in the unit data (the data is a byte array containing the octets of the IP address).

This was likely introduced by the change for bug 1779177, which switched the self-signed certificate from using the DNS name to the IP address.

[Recreate Steps]
Deploy the following juju bundle

series: bionic
applications:
  haproxy:
    charm: cs:haproxy
    num_units: 1
    options:
      default_timeouts: "queue 60000, connect 5000, client 120000, server 120000"
      services: ""
      source: backports
      ssl_cert: SELFSIGNED
      global_default_bind_options: "no-tlsv10"
  grafana:
    charm: cs:grafana
    num_units: 1
relations:
  - [ "haproxy", "grafana" ]

Change a config value or cause config-changed hook to fire:

$ juju config haproxy global_quiet=True

Observe in the logs that the certs are regenerated.

Tags: sts
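As an added illustration of the mismatch described above (example code written for this page, not code from charm-haproxy): a minimal DER walk over a subjectAltName GeneralNames value, the pre-fix style of normalisation that turns an iPAddress entry's octets into a raw string (which is why the log shows '\nRp\xa2' for 10.82.112.162), and a corrected normalisation that renders the octets as address text before comparing with the unit's address. The SAN bytes are constructed, the function names are this example's own, and the staleness check used here (every unit address must appear in the cert) is an assumption, not the charm's exact comparison.

```python
import ipaddress

# Constructed sample: DER encoding of a subjectAltName GeneralNames value
# with one iPAddress (10.82.112.162, the address from the log above) and one
# dNSName. Not taken from a real certificate.
SAN_DER = bytes.fromhex(
    "30" "13"                                 # SEQUENCE, 19 bytes
    "87" "04" "0a5270a2"                      # [7] iPAddress, 4 octets
    "82" "0b" + "haproxy.lan".encode().hex()  # [2] dNSName, 11 bytes
)

# Constructed IPv6 sample (fd00::1) to show the fix is not IPv4-specific.
SAN_DER_V6 = bytes.fromhex("30" "12" "87" "10" + "fd00" + "00" * 13 + "01")

GN_DNSNAME = 2     # GeneralName CHOICE tag [2]
GN_IPADDRESS = 7   # GeneralName CHOICE tag [7]


def parse_general_names(der):
    """Return [(choice_tag, value_bytes), ...] for a DER GeneralNames SEQUENCE.

    Only short-form lengths (< 128 bytes) are handled, which is enough for a
    typical SAN extension; anything else is rejected rather than misparsed.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("expected a SEQUENCE")
    seq_len = der[1]
    if seq_len >= 0x80 or 2 + seq_len != len(der):
        raise ValueError("unsupported or inconsistent SEQUENCE length")
    body = der[2:2 + seq_len]
    names, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated GeneralName header")
        tag, length = body[i], body[i + 1]
        if length >= 0x80 or i + 2 + length > len(body):
            raise ValueError("unsupported or truncated GeneralName length")
        names.append((tag & 0x1F, body[i + 2:i + 2 + length]))
        i += 2 + length
    return names


def san_names_buggy(der):
    """Pre-fix behaviour: every GeneralName value is an OctetString and is
    turned into a str as-is, so an iPAddress becomes its raw octets
    ('\\nRp\\xa2' for 10.82.112.162) and never equals the unit's text form."""
    return {value.decode("latin-1") for _, value in parse_general_names(der)}


def san_names_fixed(der):
    """Corrected normalisation: render iPAddress octets (4 or 16 bytes) as
    address text and dNSName bytes as ASCII; other name types are ignored."""
    names = set()
    for tag, value in parse_general_names(der):
        if tag == GN_IPADDRESS:
            names.add(str(ipaddress.ip_address(value)))
        elif tag == GN_DNSNAME:
            names.add(value.decode("ascii"))
    return names


def is_selfsigned_cert_stale(der, unit_addresses, names_fn=san_names_fixed):
    """Stale if any address the unit currently uses is missing from the cert's
    SAN (assumed check, not the charm's exact set comparison)."""
    return not set(unit_addresses) <= names_fn(der)


if __name__ == "__main__":
    unit = ["10.82.112.162"]
    print("buggy :", san_names_buggy(SAN_DER),
          "stale =", is_selfsigned_cert_stale(SAN_DER, unit, san_names_buggy))
    print("fixed :", san_names_fixed(SAN_DER),
          "stale =", is_selfsigned_cert_stale(SAN_DER, unit))
```

With the buggy normalisation the cert set is {'\nRp\xa2', 'haproxy.lan'} and the unit's address is never found, so every hook run regenerates the certificate; with the fixed normalisation the same cert compares equal and is only reported stale when the unit's address actually changes.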

tags: added: sts
Changed in charm-haproxy:
status: New → Confirmed
Billy Olsen (billy-olsen) wrote :

Note: a workaround for production would be to specify the certs in the charm config.

Changed in charm-haproxy:
importance: Undecided → Medium
assignee: nobody → Billy Olsen (billy-olsen)
Billy Olsen (billy-olsen) wrote :

Relevant unit logs are as follows. Note the comparison between the Cert set and the unit set:

2019-02-12 10:49:37 INFO juju-log Service: landscape-https
2019-02-12 10:49:37 DEBUG worker.uniter.jujuc server.go:181 running hook tool "juju-log"
2019-02-12 10:49:37 INFO juju-log Service: landscape-http
2019-02-12 10:49:37 DEBUG worker.uniter.jujuc server.go:181 running hook tool "juju-log"
2019-02-12 10:49:37 INFO juju-log Using self-signed certificate
2019-02-12 10:49:37 DEBUG worker.uniter.jujuc server.go:181 running hook tool "unit-get"
2019-02-12 10:49:37 DEBUG worker.uniter.jujuc server.go:181 running hook tool "unit-get"
2019-02-12 10:49:37 DEBUG worker.uniter.jujuc server.go:181 running hook tool "juju-log"
2019-02-12 10:49:37 INFO juju-log subjAltName: Cert (set(['\nRp\xa2'])) != Unit (set([u'10.82.112.162'])), assuming stale
2019-02-12 10:49:37 DEBUG worker.uniter.jujuc server.go:181 running hook tool "juju-log"
2019-02-12 10:49:37 INFO juju-log Generating self-signed certificate
2019-02-12 10:49:37 DEBUG config-changed Generating a 1024 bit RSA private key
2019-02-12 10:49:37 DEBUG config-changed ...++++++
2019-02-12 10:49:37 DEBUG config-changed ........++++++
2019-02-12 10:49:37 DEBUG config-changed writing new private key to '/var/lib/haproxy/selfsigned.key'
2019-02-12 10:49:37 DEBUG config-changed -----
2019-02-12 10:49:37 DEBUG worker.uniter.jujuc server.go:181 running hook tool "juju-log"

Changed in charm-haproxy:
status: Confirmed → In Progress
summary: - self signed cert erroneously regenerated when reverse-proxy relation
- changes
+ self signed cert erroneously regenerated when config-changed code runs
description: updated
Billy Olsen (billy-olsen) wrote :

Fix was released in haproxy charm revision 48

Changed in charm-haproxy:
status: In Progress → Fix Released