can't use ipv6 with devstack if tls is enabled

Bug #1794929 reported by Antonio Ojea
Affects: devstack
Status: Fix Released
Importance: Undecided
Assigned to: Antonio Ojea

Bug Description

If you want to use IPv6 with devstack and TLS is enabled, it adds the IPv6 address in the certificate in the DNS and the IP Address fields:

X509v3 Subject Alternative Name:
    DNS:localhost, DNS:::1, IP Address:0:0:0:0:0:0:0:1

This is needed because python2 has a known issue parsing the x509 SAN fields:

https://bugs.python.org/issue23239
https://github.com/openstack-dev/devstack/blob/master/lib/tls#L232

The problem is that urllib3 is not able to handle IP addresses in the DNS field, as explained in the following link:

https://github.com/urllib3/urllib3/issues/1269

and devstack fails and exits with the following error:

+++ functions-common:oscwrap:2288 : openstack project show admin -f value -c id
The label ::1 is not a valid A-label

It seems that python2 is not going to fix this, so we have to wait for urllib3 to fix it and do a new release.

I'll submit a partial fix, not including the IPv6 address in the DNS field if we are using python3.
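
An added example, not part of the original report or of devstack's code: a stdlib-only audit of a SAN line in the text form quoted above. It flags DNS entries that hold an IP literal, rebuilds the name and address lists with each address kept only as an IP entry, and checks a host the way a verifier following RFC 2818 would. All function names are hypothetical and the sample input is the SAN line from the description.

```python
import ipaddress

# Constructed sample: the SAN line quoted in the bug description.
SAN_TEXT = "DNS:localhost, DNS:::1, IP Address:0:0:0:0:0:0:0:1"


def parse_san(text):
    """Split an openssl-style SAN line into (type, value) pairs."""
    pairs = []
    for item in text.split(","):
        kind, _, value = item.strip().partition(":")
        pairs.append((kind, value))
    return pairs


def as_ip(value):
    """Return an ip_address object for an IP literal, else None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def ip_literals_in_dns(text):
    """DNS entries that hold an IP literal (the python2 workaround entries)."""
    return [v for k, v in parse_san(text) if k == "DNS" and as_ip(v) is not None]


def split_san(text):
    """Return (dns_names, ip_addresses) with each IP literal only as an IP."""
    names, ips = [], []
    for _, value in parse_san(text):
        ip = as_ip(value)
        target, item = (names, value.lower()) if ip is None else (ips, str(ip))
        if item not in target:
            target.append(item)
    return names, ips


def host_matches(text, host):
    """Exact match only (no wildcards): IP hosts are compared against
    IP Address entries, names against DNS entries, as in RFC 2818."""
    want = as_ip(host)
    for kind, value in parse_san(text):
        if want is not None and kind == "IP Address" and as_ip(value) == want:
            return True
        if want is None and kind == "DNS" and value.lower() == host.lower():
            return True
    return False
```

Addresses are compared as parsed values, so the expanded form 0:0:0:0:0:0:0:1 printed in the certificate matches a request for ::1.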

OpenStack Infra (hudson-openstack) wrote : Fix proposed to devstack (master)

Fix proposed to branch: master
Review: https://review.openstack.org/605983

Changed in devstack:
assignee: nobody → Antonio Ojea (itsuugo)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to devstack (master)

Reviewed: https://review.openstack.org/605983
Committed: https://git.openstack.org/cgit/openstack-dev/devstack/commit/?id=9a543a81acb808e4275765da7ff0f613109b6603
Submitter: Zuul
Branch: master

commit 9a543a81acb808e4275765da7ff0f613109b6603
Author: aojeagarcia <email address hidden>
Date: Fri Sep 28 08:55:49 2018 +0200

    Don't use ipv6 for DNS SAN fields with python3

    Python2 match routines for x509 fields are broken and have to use
    the DNS field for ip addresses.

    The problem is that if you use ipv6 addresses in the DNS field,
    urllib3 fails when trying to encode it.

    Since python3 match routines for x509 fields are correct, this patch
    disables the hack for python3, encoding the ip address in the
    corresponding field only of the certificate.

    Partial-Bug: #1794929
    Depends-On: https://review.openstack.org/#/c/608468

    Change-Id: I7b9cb15ccfa181648afb12be51ee48bed14f9156
    Signed-off-by: aojeagarcia <email address hidden>

Dr. Jens Harbott (j-harbott) wrote :

Can we mark this as resolved assuming that python2 will be EOL soon?

Antonio Ojea (aojea)
Changed in devstack:
status: In Progress → Fix Released