OSError: [Errno 2] No such file or directory: '/var/lib/haproxy/selfsigned.key'

Bug #1991119 reported by Peter Jose De Sousa
This bug affects 2 people

Affects: charm-haproxy | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

Hello,

subtitle: Adding manual machines with DNS breaks self-signed certificate generation

[Description]

When deploying haproxy on a manual machine with DNS, e.g. juju add-machine ssh:<email address hidden>, the juju public address is configured as host.subdomain.domain.

This causes an error with haproxy, where if SELFSIGNED is enabled in the ssl_cert configuration, HAProxy will put the public-address into the IP config:

/var/lib/juju/unit-haproxy-0/charm/data/openssl.cnf:

    ... rest of openssl config ...

    [alt_names]

    IP.1 = $ENV::OPENSSL_PUBLIC   -> host.subdomain.domain
    IP.2 = $ENV::OPENSSL_PRIVATE  -> internal IP (e.g. 10.0.0.1)

The result is that the config-changed hook of haproxy fails:

    139709383779456:error:22098880:X509 V3 routines:X509V3_EXT_nconf:error in extension:name=subjectAltName, value=@alt_names
    Traceback (most recent call last):
      File "./hooks/config-changed", line 1540, in <module>
        main(hook_name)
      File "./hooks/config-changed", line 1495, in main
        config_changed()
      File "./hooks/config-changed", line 1024, in config_changed
        notify_reverseproxy()
      File "./hooks/config-changed", line 1089, in _notify_reverseproxy
        ssl_cert = base64.b64encode(get_selfsigned_cert()[0])
      File "./hooks/config-changed", line 1298, in get_selfsigned_cert
        gen_selfsigned_cert(cert_file, key_file)
      File "./hooks/config-changed", line 1409, in gen_selfsigned_cert
        os.chown(key_file, uid, -1)
    OSError: [Errno 2] No such file or directory: '/var/lib/haproxy/selfsigned.key'

[Reproducer]

1. Create a new model in juju
2. Add a manual machine with DNS, e.g. juju add-machine ssh:<email address hidden>
3. Deploy haproxy with a backend application, and the SELFSIGNED configuration enabled.

[Workaround]

Edit the /var/lib/juju/agents/unit-haproxy-0/charm/data/openssl.cnf file on all affected units, changing the alternate name for the hostname to DNS.1 and updating the IP entry to reflect this change, e.g.:

    [alt_names]

    DNS.1 = $ENV::OPENSSL_PUBLIC  -> host.subdomain.domain
    IP.1  = $ENV::OPENSSL_PRIVATE -> internal IP (e.g. 10.0.0.1)

Thanks,
Peter
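The failure above comes from writing a hostname into an IP.* subjectAltName entry, which OpenSSL rejects while parsing the extension. The following is an added example (not the charm's code, not part of the bug report) of how a hook could pick DNS.* or IP.* per address, and a check that flags an existing alt_names section with the mistake; the sample section and addresses are constructed, and unexpanded $ENV:: references are skipped because they cannot be judged until OpenSSL substitutes them.

```python
import ipaddress
import re

# Constructed sample of the generated section as the report describes it,
# with the juju addresses already substituted (hypothetical values).
BROKEN_ALT_NAMES = """[alt_names]
IP.1 = host.subdomain.domain
IP.2 = 10.0.0.1
"""


def san_entry(value):
    """Choose the SAN type for one value: IP.* for IP literals, DNS.* otherwise."""
    value = value.strip()
    try:
        return "IP", str(ipaddress.ip_address(value))
    except ValueError:
        return "DNS", value


def render_alt_names(addresses):
    """Build an [alt_names] section, numbering DNS.* and IP.* independently."""
    counters = {"DNS": 0, "IP": 0}
    lines = ["[alt_names]"]
    for value in addresses:
        kind, normalized = san_entry(value)
        counters[kind] += 1
        lines.append(f"{kind}.{counters[kind]} = {normalized}")
    return "\n".join(lines) + "\n"


_ENTRY = re.compile(r"^\s*(DNS|IP)\.(\d+)\s*=\s*(.+?)\s*$")


def check_alt_names(cnf_text):
    """Return IP.* lines whose value is not an IP literal (what breaks X509V3_EXT_nconf)."""
    bad = []
    for line in cnf_text.splitlines():
        match = _ENTRY.match(line)
        if not match:
            continue
        kind, _, value = match.groups()
        if value.startswith("$"):
            continue  # unexpanded $ENV:: reference, cannot be judged here
        if kind == "IP" and san_entry(value)[0] != "IP":
            bad.append(line.strip())
    return bad
```

Running check_alt_names over the generated openssl.cnf before calling openssl turns the hook crash into a clear configuration error.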
