charm deployment fails when using a self-signed certificate which has an IP address only (SAN)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Charm Helpers | Invalid | Undecided | Unassigned |
Ubuntu Cloud Archive | Invalid | Undecided | Unassigned |
Mitaka | Fix Released | High | James Page |
python-urllib3 (Ubuntu) | Invalid | Undecided | Unassigned |
Xenial | Invalid | High | James Page |
Bug Description
[Impact]
Bug 1771988 introduced a fix to support IP based SANs in certificates; however, the required new dependency (python-ipaddress) was not added to the Recommends of the package, which was an oversight of the original SRU. This really only impacts trusty deployments, as on xenial python-ipaddress is installed indirectly via another dependency.
[Test Case]
apt install python-urllib3
python-ipaddress is not installed; certs with IP based SANs won't verify correctly.
[Regression Potential]
Minimal: an extra package is installed on upgrade or install of urllib3.
[Original Bug Report]
E.g. the radosgw charm fails when the self-signed SSL certificate has an IP address only (not hostname based).
[juju unit log excerpt, 2019-02-06 13:05:46, DEBUG lines from the identity-... hook; the hook traceback was truncated by extraction and only the tail of its last line survives:]
... match '100.86.0.2'
Changed in charm-helpers:
  assignee: nobody → Gábor Mészáros (gabor.meszaros)
Changed in charm-helpers:
  assignee: Gábor Mészáros (gabor.meszaros) → nobody
Changed in cloud-archive:
  status: New → Invalid
description: updated
description: updated
description: updated
works with python-urllib3 1.13.1-2ubuntu0.16.04.1~cloud0
but fails with 1.13.1-2ubuntu0.16.04.2~cloud0
Change introduced: https://bugs.launchpad.net/ubuntu/+source/python-urllib3/+bug/1771988
code segment that silently fails:

def match_hostname(cert, hostname):
    """Verify that *cert* (in decoded format as returned by
    SSLSocket.getpeercert()) matches the *hostname*.  RFC 2818 and RFC 6125
    rules are followed, but IP addresses are not accepted for *hostname*.

    CertificateError is raised on failure. On success, the function
    returns nothing.
    """
    if not cert:
        raise ValueError("empty or no certificate, match_hostname needs a "
                         "SSL socket or SSL context with either "
                         "CERT_OPTIONAL or CERT_REQUIRED")
    try:
        # Divergence from upstream: ipaddress can't handle byte str
        host_ip = ipaddress.ip_address(_to_unicode(hostname))
    except ValueError:
        # Not an IP address (common case)
        host_ip = None
    except UnicodeError:
        # Divergence from upstream: Have to deal with ipaddress not taking
        # byte strings.  addresses should be all ascii, so we consider it not
        # an ipaddress in this case
        host_ip = None
    except AttributeError:  # <<<<<< throws AttributeError, because ipaddress is not available >>>>>>
        # Divergence from upstream: Make ipaddress library optional
        if ipaddress is None:
            host_ip = None
        else:
            raise
from here:

# ipaddress has been backported to 2.6+ in pypi.  If it is installed on the
# system, use it to handle IPAddress ServerAltnames (this was added in
# python-3.5) otherwise only do DNS matching.  This allows
# backports.ssl_match_hostname to continue to be used all the way back to
# python-2.4.
try:
    import ipaddress
except ImportError:
    ipaddress = None
Simply installing python-ipaddress solves the issue
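As an added example (not urllib3's code and not part of this bug report or its comments), the following Python 3 script re-implements the match_hostname() control flow quoted above with the ipaddress module made injectable, so the failure mode behind the [Test Case] in the description (python-ipaddress absent, urllib3's module-level ipaddress = None) can be reproduced on any Python, where ipaddress is otherwise always available. The certificates are constructed dicts in the shape returned by getpeercert(); the address 100.86.0.2 is the one from the hook log, and the radosgw DNS name is made up.

```python
"""Added example: why an IP-only SAN certificate fails to verify when the
ipaddress module is unavailable.  Cut-down mirror of the backported
match_hostname() logic; the ip_module parameter stands in for urllib3's
module-level `ipaddress` name, which is None when python-ipaddress is absent."""
import ipaddress
import re


class CertificateError(ValueError):
    """Raised when the certificate does not match the requested hostname."""


def _dnsname_match(dn, hostname):
    """Match one DNS name from the cert against hostname (RFC 6125 style:
    a wildcard is allowed only in the leftmost label)."""
    if not dn:
        return False
    leftmost, _, remainder = dn.partition(".")
    if "*" not in leftmost:
        return dn.lower() == hostname.lower()
    if leftmost.count("*") > 1:
        raise CertificateError("too many wildcards in certificate DNS name: %r" % dn)
    pattern = re.escape(leftmost).replace(r"\*", "[^.]*")
    if remainder:
        pattern += r"\." + re.escape(remainder)
    return re.match(r"\A" + pattern + r"\Z", hostname, re.IGNORECASE) is not None


def _ipaddress_match(ipname, host_ip, ip_module):
    """Compare a SAN 'IP Address' entry with the parsed target address."""
    return ip_module.ip_address(ipname.rstrip()) == host_ip


def match_hostname(cert, hostname, ip_module=ipaddress):
    """With ip_module=None, `ip_module.ip_address(...)` raises AttributeError,
    the except branch sets host_ip = None, and the 'IP Address' SAN entries
    are never compared: the IP literal is treated as a DNS name that nothing
    matches, so verification fails even though the cert is correct."""
    if not cert:
        raise ValueError("empty or no certificate, match_hostname needs a "
                         "SSL socket or SSL context with either "
                         "CERT_OPTIONAL or CERT_REQUIRED")
    try:
        host_ip = ip_module.ip_address(hostname)
    except ValueError:
        host_ip = None         # not an IP literal: the common case
    except AttributeError:
        if ip_module is None:  # the "make ipaddress optional" divergence
            host_ip = None
        else:
            raise

    dnsnames = []
    for key, value in cert.get("subjectAltName", ()):
        if key == "DNS":
            if host_ip is None and _dnsname_match(value, hostname):
                return
            dnsnames.append(value)
        elif key == "IP Address":
            if host_ip is not None and _ipaddress_match(value, host_ip, ip_module):
                return
            dnsnames.append(value)
    if not dnsnames:
        # No SAN at all: fall back to the subject commonName.
        for sub in cert.get("subject", ()):
            for key, value in sub:
                if key == "commonName":
                    if _dnsname_match(value, hostname):
                        return
                    dnsnames.append(value)
    if len(dnsnames) > 1:
        raise CertificateError("hostname %r doesn't match either of %s"
                               % (hostname, ", ".join(map(repr, dnsnames))))
    if len(dnsnames) == 1:
        raise CertificateError("hostname %r doesn't match %r" % (hostname, dnsnames[0]))
    raise CertificateError("no appropriate commonName or subjectAltName fields were found")


def verify_outcome(cert, hostname, ip_module=ipaddress):
    """Return None if the cert matches hostname, else the CertificateError text."""
    try:
        match_hostname(cert, hostname, ip_module)
    except CertificateError as exc:
        return str(exc)
    return None


# Constructed sample certificates in decoded getpeercert() shape, not real ones.
IP_SAN_CERT = {
    "subject": ((("commonName", "100.86.0.2"),),),
    "subjectAltName": (("IP Address", "100.86.0.2"),),
}
DNS_SAN_CERT = {
    "subject": ((("commonName", "radosgw.example.internal"),),),
    "subjectAltName": (("DNS", "radosgw.example.internal"),),
}

if __name__ == "__main__":
    for label, module in (("ipaddress present", ipaddress), ("ipaddress missing", None)):
        print("%-18s IP SAN : %s" % (label, verify_outcome(IP_SAN_CERT, "100.86.0.2", module) or "ok"))
        print("%-18s DNS SAN: %s" % (label, verify_outcome(DNS_SAN_CERT, "radosgw.example.internal", module) or "ok"))
```

With ipaddress available the IP SAN cert verifies; with it set to None the same cert fails with "hostname '100.86.0.2' doesn't match '100.86.0.2'", which is the shape of the fragment that survives at the end of the truncated hook log above, while DNS SAN certs keep working either way, which is why the regression only shows up on IP-only certificates. To check a deployed unit directly, print urllib3's module-level name (assuming the module path urllib3.packages.ssl_match_hostname._implementation, where the quoted file lives): python -c "from urllib3.packages.ssl_match_hostname._implementation import ipaddress; print(ipaddress)" prints None when the fallback is in effect, and apt install python-ipaddress clears it.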