ssl_ca configuration should be optional for certs signed by recognised CA's

Bug #1713922 reported by Nobuto Murata
Affects                    Status        Importance  Assigned to  Milestone
OpenStack AODH Charm       Fix Released  Medium      Unassigned
OpenStack Barbican Charm   Fix Released  Medium      Unassigned
OpenStack Dashboard Charm  Invalid       Undecided   Unassigned
OpenStack Designate Charm  Fix Released  Medium      Unassigned
OpenStack Manila Charm     Fix Released  Medium      Unassigned
charms.openstack           Fix Released  Medium      James Page

Bug Description

SSL cert and key were provided using ssl_cert and ssl_key options. In this case, the SSL cert is signed by a trusted CA already, so ssl_ca should not be necessary.

unit-aodh-5: 13:46:11 INFO unit.aodh/5.juju-log Invoking reactive handler: reactive/aodh_handlers.py:48:setup_database
unit-aodh-5: 13:46:11 INFO unit.aodh/5.juju-log Invoking reactive handler: reactive/aodh_handlers.py:38:setup_amqp_req
unit-aodh-5: 13:46:12 INFO unit.aodh/5.juju-log Invoking reactive handler: reactive/aodh_handlers.py:57:setup_endpoint
unit-aodh-5: 13:46:12 DEBUG unit.aodh/5.config-changed Traceback (most recent call last):
unit-aodh-5: 13:46:12 DEBUG unit.aodh/5.config-changed File "/var/lib/juju/agents/unit-aodh-5/charm/hooks/config-changed", line 19, in <module>
unit-aodh-5: 13:46:12 DEBUG unit.aodh/5.config-changed main()
unit-aodh-5: 13:46:12 DEBUG unit.aodh/5.config-changed File "/var/lib/juju/agents/unit-aodh-5/.venv/lib/python3.5/site-packages/charms/reactive/__init__.py", line 78, in main
unit-aodh-5: 13:46:12 DEBUG unit.aodh/5.config-changed bus.dispatch()
unit-aodh-5: 13:46:12 DEBUG unit.aodh/5.config-changed File "/var/lib/juju/agents/unit-aodh-5/.venv/lib/python3.5/site-packages/charms/reactive/bus.py", line 423, in dispatch
unit-aodh-5: 13:46:12 DEBUG unit.aodh/5.config-changed _invoke(other_handlers)
unit-aodh-5: 13:46:12 DEBUG unit.aodh/5.config-changed File "/var/lib/juju/agents/unit-aodh-5/.venv/lib/python3.5/site-packages/charms/reactive/bus.py", line 406, in _invoke
unit-aodh-5: 13:46:12 DEBUG unit.aodh/5.config-changed handler.invoke()
unit-aodh-5: 13:46:12 DEBUG unit.aodh/5.config-changed File "/var/lib/juju/agents/unit-aodh-5/.venv/lib/python3.5/site-packages/charms/reactive/bus.py", line 280, in invoke
unit-aodh-5: 13:46:12 DEBUG unit.aodh/5.config-changed self._action(*args)
unit-aodh-5: 13:46:12 DEBUG unit.aodh/5.config-changed File "/var/lib/juju/agents/unit-aodh-5/charm/reactive/aodh_handlers.py", line 60, in setup_endpoint
unit-aodh-5: 13:46:12 DEBUG unit.aodh/5.config-changed aodh.configure_ssl()
unit-aodh-5: 13:46:12 DEBUG unit.aodh/5.config-changed File "lib/charm/openstack/aodh.py", line 206, in configure_ssl
unit-aodh-5: 13:46:12 DEBUG unit.aodh/5.config-changed AodhCharm.singleton.configure_ssl()
unit-aodh-5: 13:46:12 DEBUG unit.aodh/5.config-changed File "/var/lib/juju/agents/unit-aodh-5/.venv/lib/python3.5/site-packages/charms_openstack/charm/classes.py", line 524, in configure_ssl
unit-aodh-5: 13:46:12 DEBUG unit.aodh/5.config-changed keystone_interface=keystone_interface)
unit-aodh-5: 13:46:12 DEBUG unit.aodh/5.config-changed File "/var/lib/juju/agents/unit-aodh-5/.venv/lib/python3.5/site-packages/charms_openstack/charm/classes.py", line 463, in get_certs_and_keys
unit-aodh-5: 13:46:12 DEBUG unit.aodh/5.config-changed 'ca': self.config_defined_ssl_ca.decode('utf-8'),
unit-aodh-5: 13:46:12 DEBUG unit.aodh/5.config-changed AttributeError: 'NoneType' object has no attribute 'decode'
unit-aodh-5: 13:46:12 ERROR juju.worker.uniter.operation hook "config-changed" failed: exit status 1

Nobuto Murata (nobuto)
description: updated
Ryan Beisner (1chb1n) wrote :

Please provide the charm revision information, juju status, and the charm config from the bundle.

Was this the stable/17.02 stable AODH charm? Or was it some other newer or older revision?

Changed in charm-aodh:
status: New → Incomplete
milestone: none → 17.11
James Page (james-page) wrote :

ca is currently mandatory in the codebase; triaging as it's possible to work around this by using the CA provided by the trusted party.

Changed in charm-aodh:
status: Incomplete → Triaged
importance: Undecided → Medium
Changed in charms.openstack:
status: New → Triaged
importance: Undecided → Low
Changed in charm-aodh:
importance: Medium → Low
Ryan Beisner (1chb1n) wrote :

We will need to repro with current charms and target for next release, possibly a stable backport/update if it meets those requirements. Thank you.

Ryan Beisner (1chb1n)
tags: added: backport-potential uosci
James Page (james-page)
Changed in charms.openstack:
status: Triaged → In Progress
assignee: nobody → James Page (james-page)
James Page (james-page)
Changed in charm-barbican:
status: New → Triaged
Changed in charm-designate:
status: New → Triaged
Changed in charm-aodh:
importance: Low → High
Changed in charm-barbican:
importance: Undecided → High
Changed in charm-designate:
importance: Undecided → High
Changed in charm-aodh:
importance: High → Medium
Changed in charm-barbican:
importance: High → Medium
Changed in charm-designate:
importance: High → Medium
Changed in charms.openstack:
importance: Low → Medium
Changed in charm-barbican:
milestone: none → 17.11
Changed in charm-designate:
milestone: none → 17.11
Changed in charm-manila:
status: New → Triaged
importance: Undecided → Medium
summary: - config-changed hook failed at 'ca':
- self.config_defined_ssl_ca.decode('utf-8') when ssl_cert,key provided,
- but not ssl_ca
+ ssl_ca configuration should be optional for certs signed by recognised
+ CA's
Changed in charm-manila:
milestone: none → 17.11
OpenStack Infra (hudson-openstack) wrote : Fix merged to charms.openstack (master)

Reviewed: https://review.openstack.org/501640
Committed: https://git.openstack.org/cgit/openstack/charms.openstack/commit/?id=1e35390d63144f67c26882ddb473adb106c2699c
Submitter: Jenkins
Branch: master

commit 1e35390d63144f67c26882ddb473adb106c2699c
Author: James Page <email address hidden>
Date: Thu Sep 7 10:08:41 2017 +0100

    Make config provided CA optional

    When SSL cert and key are provided via configuration, and are signed
    by a known trusted CA, there is no need to configure the ssl_ca
    option as system installed certificates will cover the trust chain
    already.

    Make this option optional.

    Change-Id: I630d5fddb158497cb4e69f45f0c45e1f33c730f3
    Closes-Bug: 1713922
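
The failure in the traceback and the optional-CA handling the commit message describes, as an added Python illustration that is not charms.openstack's own code; the config values are constructed stand-ins and the helper names (config_defined, get_certs_and_keys_buggy/fixed, hook_outcome) are assumptions.

```python
# Added illustration of bug 1713922 (not charms.openstack code; helper names are
# assumptions). Config values are constructed, base64-encoded PEM stand-ins.
import base64

_CERT = base64.b64encode(b"-----BEGIN CERTIFICATE-----\nQ0VSVA==\n-----END CERTIFICATE-----\n")
_KEY = base64.b64encode(b"-----BEGIN PRIVATE KEY-----\nS0VZ\n-----END PRIVATE KEY-----\n")
_CA = base64.b64encode(b"-----BEGIN CERTIFICATE-----\nQ0E=\n-----END CERTIFICATE-----\n")

# Cert signed by a CA already in the system trust store: ssl_ca left unset.
CONFIG_CA_OMITTED = {"ssl_cert": _CERT, "ssl_key": _KEY, "ssl_ca": None}
# Private CA: the operator supplies the CA certificate too.
CONFIG_WITH_CA = {"ssl_cert": _CERT, "ssl_key": _KEY, "ssl_ca": _CA}


def config_defined(config, key):
    """Base64-decode a config value, or None when unset/empty (stands in for
    the charm's config_defined_ssl_* properties)."""
    raw = config.get(key)
    return base64.b64decode(raw) if raw else None

def get_certs_and_keys_buggy(config):
    """Pre-fix shape from the traceback: 'ca' decoded unconditionally, so an
    unset ssl_ca becomes None.decode('utf-8') -> AttributeError."""
    return {
        "cert": config_defined(config, "ssl_cert").decode("utf-8"),
        "key": config_defined(config, "ssl_key").decode("utf-8"),
        "ca": config_defined(config, "ssl_ca").decode("utf-8"),
    }

def get_certs_and_keys_fixed(config):
    """Optional-CA shape the commit describes: cert and key must come
    together; 'ca' is None when unset, i.e. rely on the system CA bundle."""
    cert = config_defined(config, "ssl_cert")
    key = config_defined(config, "ssl_key")
    if (cert is None) != (key is None):
        raise ValueError("ssl_cert and ssl_key must be set together")
    if cert is None:
        return None  # no config-provided TLS material at all
    ca = config_defined(config, "ssl_ca")
    return {"cert": cert.decode("utf-8"), "key": key.decode("utf-8"),
            "ca": ca.decode("utf-8") if ca is not None else None}

def hook_outcome(getter, config):
    """Run a getter as the config-changed hook would: 'ok', or the name of
    the exception that would fail the hook (what the traceback ends with)."""
    try:
        getter(config)
    except Exception as exc:
        return type(exc).__name__
    return "ok"
```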

Changed in charms.openstack:
status: In Progress → Fix Released
Nobuto Murata (nobuto)
tags: added: cpe-onsite
James Page (james-page)
Changed in charm-aodh:
milestone: 17.11 → 18.02
Changed in charm-designate:
milestone: 17.11 → 18.02
Changed in charm-barbican:
milestone: 17.11 → 18.02
Changed in charm-manila:
milestone: 17.11 → 18.02
Ryan Beisner (1chb1n)
Changed in charm-aodh:
milestone: 18.02 → 18.05
Changed in charm-designate:
milestone: 18.02 → 18.05
Changed in charm-barbican:
milestone: 18.02 → 18.05
Changed in charm-manila:
milestone: 18.02 → 18.05
David Ames (thedac)
Changed in charm-aodh:
milestone: 18.05 → 18.08
Changed in charm-designate:
milestone: 18.05 → 18.08
Changed in charm-barbican:
milestone: 18.05 → 18.08
Changed in charm-manila:
milestone: 18.05 → 18.08
James Page (james-page)
Changed in charm-aodh:
milestone: 18.08 → 18.11
Changed in charm-designate:
milestone: 18.08 → 18.11
Changed in charm-barbican:
milestone: 18.08 → 18.11
Changed in charm-manila:
milestone: 18.08 → 18.11
David Ames (thedac)
Changed in charm-aodh:
milestone: 18.11 → 19.04
Changed in charm-designate:
milestone: 18.11 → 19.04
Changed in charm-barbican:
milestone: 18.11 → 19.04
Changed in charm-manila:
milestone: 18.11 → 19.04
James Page (james-page)
Changed in charm-aodh:
status: Triaged → Fix Released
Changed in charm-barbican:
status: Triaged → Fix Released
Changed in charm-designate:
status: Triaged → Fix Released
Changed in charm-manila:
status: Triaged → Fix Released
Changed in charm-openstack-dashboard:
status: New → Invalid