Hello,
I've verified that the current -proposed package fixes the issue for us, for the given use case.
Using the following deployment bundle on a Bionic + Rocky cloud http://paste.ubuntu.com/p/jnVdVvQg7k/
Without the patch, the problem is reproduced as expressed in the case description:
ubuntu@niedbalski-bastion:~/stsstack-bundles/openstack/00268110$ openstack secret container create --type='certificate' --name "test-tls-1" --secret="certificate=https://10.5.0.11:9312/v1/secrets/7aa7727d-f39b-45f8-9310-f5c595ad4feb" --secret="private_key=https://10.5.0.11:9312/v1/secrets/189736d1-51d8-4cbe-9638-ceadcbb664ac" --secret="intermediates=https://10.5.0.11:9312/v1/secrets/70e2cf9c-8110-4d25-a1e3-f7b6f3950e64"
ubuntu@niedbalski-bastion:~/stsstack-bundles/openstack/00268110$ openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.11:9312/v1/containers/b548ab63-474d-4a94-b121-4eae8193fcc1" -- lb1
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-c79fbcb1-06d8-47e4-9754-8066596ba262)
With the patch applied in the following version:
root@juju-be44b9-barbican-10:/home/ubuntu# dpkg -l |grep barbican
ii python3-barbicanclient 4.6.0-0ubuntu1.1 all OpenStack Key Management API client - Python 3.x
| https://10.5.0.11:9312/v1/containers/bd67d6f4-3a82-4a86-9679-c97a66ceeb19 | None | 2020-05-12T21:37:32+00:00 | ACTIVE | certificate | certificate=https://10.5.0.11:9312/v1/secrets/26ed5706-5f0a-4f9f-b226-e8595031515e | None |
| | | | | | private_key=https://10.5.0.11:9312/v1/secrets/9a3bd926-6ba9-46be-8168-6b5e79e09b36 | |
+---------------------------------------------------------------------------+----------------+---------------------------+--------+-------------+--------------------------------------------------------------------------------------+-----------+
The issue is no longer reproducible and listeners can be created.
ubuntu@niedbalski-bastion:~/stsstack-bundles/openstack/00268110$ openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener-2" --default-tls-container="https://10.5.0.11:9312/v1/containers/bd67d6f4-3a82-4a86-9679-c97a66ceeb19" -- lb2
+-----------------------------+---------------------------------------------------------------------------+
| Field | Value |
+-----------------------------+---------------------------------------------------------------------------+
| admin_state_up | True |
| connection_limit | -1 |
| created_at | 2020-05-12T21:38:28 |
| default_pool_id | None |
| default_tls_container_ref | https://10.5.0.11:9312/v1/containers/bd67d6f4-3a82-4a86-9679-c97a66ceeb19 |
| description | |
| id | 971a679d-4a07-4012-8552-fac8f0f450ab |
| insert_headers | None |
| l7policies | |
| loadbalancers | 9a49ae4e-4bae-451d-bcec-b22dadf1df29 |
| name | test-listener-2 |
| operating_status | OFFLINE |
| project_id | 2ab451be592d468bad963a95a342e099 |
| protocol | TERMINATED_HTTPS |
| protocol_port | 443 |
| provisioning_status | PENDING_CREATE |
| sni_container_refs | [] |
| timeout_client_data | 50000 |
| timeout_member_connect | 5000 |
| timeout_member_data | 50000 |
| timeout_tcp_inspect | 0 |
| updated_at | None |
| client_ca_tls_container_ref | |
| client_authentication | |
| client_crl_container_ref | |
| allowed_cidrs | |
+-----------------------------+---------------------------------------------------------------------------+
ubuntu@niedbalski-bastion:~/stsstack-bundles/openstack/00268110$ openstack loadbalancer listener show 971a679d-4a07-4012-8552-fac8f0f450ab | grep tls
| default_tls_container_ref | https://10.5.0.11:9312/v1/containers/bd67d6f4-3a82-4a86-9679-c97a66ceeb19 |
| client_ca_tls_container_ref | |
ubuntu@niedbalski-bastion:~/stsstack-bundles/openstack/00268110$ openstack loadbalancer listener show 971a679d-4a07-4012-8552-fac8f0f450ab | grep -i provis
| provisioning_status | ACTIVE |
Therefore, I am marking this verification as completed.
Thanks for the help on this.