Revision 11 of the charm broke self-signed certificate generation

Bug #1430413 reported by Andreas Hasenack on 2015-03-10
Affects: apache2 (Juju Charms Collection)
Importance: High
Assigned to: Adam Collard

Bug Description

Deploy apache2 with this config:

apache2:
    ssl_cert: SELFSIGNED
    ssl_certlocation: apache2.cert
    ssl_keylocation: apache2.key

juju deploy cs:trusty/apache2 --config apache2.yaml

2015-03-10 15:52:26 INFO unit.apache2/0.config-changed logger.go:40 Generating a 1024 bit RSA private key
2015-03-10 15:52:26 INFO unit.apache2/0.config-changed logger.go:40 .............................................................................++++++
2015-03-10 15:52:26 INFO unit.apache2/0.config-changed logger.go:40 ..............................++++++
2015-03-10 15:52:26 INFO unit.apache2/0.config-changed logger.go:40 writing new private key to '/etc/ssl/private/apache2.key'
2015-03-10 15:52:26 INFO unit.apache2/0.config-changed logger.go:40 -----
2015-03-10 15:52:26 INFO unit.apache2/0.config-changed logger.go:40 problems making Certificate Request
2015-03-10 15:52:26 INFO unit.apache2/0.config-changed logger.go:40 140359060399776:error:0D07A098:asn1 encoding routines:ASN1_mbstring_ncopy:string too short:a_mbstr.c:147:minsize=1
2015-03-10 15:52:26 INFO unit.apache2/0.config-changed logger.go:40 Command '['openssl', 'req', '-new', '-x509', '-nodes', '-days', '3650', '-config', '/var/lib/juju/agents/unit-apache2-0/charm/data/openssl.cnf', '-keyout', u'/etc/ssl/private/apache2.key', '-out', u'/etc/ssl/certs/apache2.cert']' returned non-zero exit status 1
2015-03-10 15:52:26 INFO unit.apache2/0.config-changed logger.go:40 Traceback (most recent call last):
2015-03-10 15:52:26 INFO unit.apache2/0.config-changed logger.go:40 File "/var/lib/juju/agents/unit-apache2-0/charm/hooks/config-changed", line 868, in <module>
2015-03-10 15:52:26 INFO unit.apache2/0.config-changed logger.go:40 main(hook_name)
2015-03-10 15:52:26 INFO unit.apache2/0.config-changed logger.go:40 File "/var/lib/juju/agents/unit-apache2-0/charm/hooks/config-changed", line 827, in main
2015-03-10 15:52:26 INFO unit.apache2/0.config-changed logger.go:40 config_changed()
2015-03-10 15:52:26 INFO unit.apache2/0.config-changed logger.go:40 File "/var/lib/juju/agents/unit-apache2-0/charm/hooks/config-changed", line 598, in config_changed
2015-03-10 15:52:26 INFO unit.apache2/0.config-changed logger.go:40 gen_selfsigned_cert(config_data, cert_file, key_file)
2015-03-10 15:52:26 INFO unit.apache2/0.config-changed logger.go:40 File "/var/lib/juju/agents/unit-apache2-0/charm/hooks/config-changed", line 199, in gen_selfsigned_cert
2015-03-10 15:52:26 INFO unit.apache2/0.config-changed logger.go:40 '-keyout', key_file, '-out', cert_file])
2015-03-10 15:52:26 INFO unit.apache2/0.config-changed logger.go:40 File "/var/lib/juju/agents/unit-apache2-0/charm/hooks/config-changed", line 101, in run
2015-03-10 15:52:26 INFO unit.apache2/0.config-changed logger.go:40 output = subprocess.check_output(command, *args, **kwargs)
2015-03-10 15:52:26 INFO unit.apache2/0.config-changed logger.go:40 File "/usr/lib/python2.7/subprocess.py", line 573, in check_output
2015-03-10 15:52:26 INFO unit.apache2/0.config-changed logger.go:40 raise CalledProcessError(retcode, cmd, output=output)
2015-03-10 15:52:26 INFO unit.apache2/0.config-changed logger.go:40 subprocess.CalledProcessError: Command '['openssl', 'req', '-new', '-x509', '-nodes', '-days', '3650', '-config', '/var/lib/juju/agents/unit-apache2-0/charm/data/openssl.cnf', '-keyout', u'/etc/ssl/private/apache2.key', '-out', u'/etc/ssl/certs/apache2.cert']' returned non-zero exit status 1
2015-03-10 15:52:26 ERROR juju.worker.uniter uniter.go:608 hook "config-changed" failed: exit status 1

That template file has:
$ juju ssh 4 sudo cat /var/lib/juju/agents/unit-apache2-0/charm/data/openssl.cnf
Warning: Permanently added '10.0.3.89' (ECDSA) to the list of known hosts.
RANDFILE = /dev/urandom

[ req ]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
prompt = no
policy = policy_anything
x509_extensions = v3_ca

[ req_distinguished_name ]
commonName = $ENV::OPENSSL_CN

[ v3_ca ]
# Extensions to add to a certificate request
subjectAltName = @alt_names

[alt_names]
DNS.1 = $ENV::OPENSSL_PUBLIC
DNS.2 = $ENV::OPENSSL_PRIVATE
Connection to 10.0.3.89 closed.

This used to work in the previous charm revision (r10).
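The template above takes the subject commonName and both SAN entries from $ENV:: variables, and the "string too short ... minsize=1" error in the log is what openssl prints when one of those values is empty at request time. The following is an added example, not code from the charm or the report: it reads the $ENV:: references out of the config and refuses to invoke openssl while any of them is unset or empty, so the hook fails naming the variable instead of with the ASN1 error. The function names and the trimmed copy of openssl.cnf are assumptions of this example.

```python
import os
import re
import subprocess

# Constructed excerpt of the charm's openssl.cnf quoted in the report: the
# subject CN and both SAN entries are taken from environment variables.
OPENSSL_CNF = """\
[ req_distinguished_name ]
commonName = $ENV::OPENSSL_CN

[ v3_ca ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = $ENV::OPENSSL_PUBLIC
DNS.2 = $ENV::OPENSSL_PRIVATE
"""

ENV_REF = re.compile(r"\$ENV::([A-Za-z_][A-Za-z0-9_]*)")

def env_refs(cnf_text):
    """Distinct $ENV:: variable names referenced by the config, in file order."""
    seen = []
    for name in ENV_REF.findall(cnf_text):
        if name not in seen:
            seen.append(name)
    return seen

def missing_env(cnf_text, env):
    """Referenced variables that are unset or empty in env. An empty commonName
    is what openssl reports as 'string too short' (minsize=1)."""
    return [n for n in env_refs(cnf_text) if not env.get(n)]

def openssl_req_cmd(cnf_path, key_file, cert_file, days=3650):
    """The invocation from the traceback, built as an argv list (no shell)."""
    return ['openssl', 'req', '-new', '-x509', '-nodes', '-days', str(days),
            '-config', cnf_path, '-keyout', key_file, '-out', cert_file]

def gen_selfsigned_cert(cnf_path, key_file, cert_file, env=None):
    """Pre-flight the $ENV:: inputs, then run openssl with that environment."""
    env = dict(os.environ if env is None else env)
    with open(cnf_path) as f:
        bad = missing_env(f.read(), env)
    if bad:  # fail early, naming the variables, instead of the opaque ASN1 error
        raise ValueError("empty openssl.cnf inputs: " + ", ".join(bad))
    return subprocess.check_output(
        openssl_req_cmd(cnf_path, key_file, cert_file), env=env)
```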

Tom Haddon (mthaddon) wrote :

I've confirmed the generated files (openssl.cnf) are identical between the two versions. Current working theory is that env variables are being passed in differently.

Tom Haddon (mthaddon) wrote :

Ok, so the problem appears to be with the 'OPENSSL_CN' variable. In the old version of the charm this corresponds to the IP address of the unit; in the newer version it's empty. It's set as follows:

os.environ['OPENSSL_CN'] = config['servername']

Here's the difference in that function between the two versions of charmhelpers:

 def config(scope=None):
- "Juju charm configuration"
+ """Juju charm configuration"""
     config_cmd_line = ['config-get']
     if scope is not None:
         config_cmd_line.append(scope)
     config_cmd_line.append('--format=json')
     try:
- return json.loads(subprocess.check_output(config_cmd_line))
+ config_data = json.loads(
+ subprocess.check_output(config_cmd_line).decode('UTF-8'))
+ if scope is not None:
+ return config_data
+ return Config(config_data)
     except ValueError:
         return None
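Review bot: the two return paths now hand back different types, `config_data` (the raw decoded value) when a scope is given and `Config(config_data)` when it is not, but the docstring on the first changed line still says only "Juju charm configuration"; document that a scope-less call returns a `Config` object rather than the plain dict `json.loads` used to return, because callers that index it, such as the charm's `os.environ['OPENSSL_CN'] = config['servername']`, are where the empty-CN behaviour described above surfaces. The `except ValueError` still only covers JSON decoding (and `UnicodeDecodeError` from the added `.decode('UTF-8')`, which is a `ValueError` subclass); a failing `config-get` raises `CalledProcessError` and propagates as before, which is worth stating in the docstring too.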

Changed in apache2 (Juju Charms Collection):
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Adam Collard (adam-collard)
tags: added: landscape
Changed in apache2 (Juju Charms Collection):
status: Confirmed → In Progress
Changed in apache2 (Juju Charms Collection):
status: In Progress → Fix Released