cfn-signal doesn't respect instance_connection_https_validate_certificates
Bug #1251707 reported by Steven Hardy
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
heat-cfntools | Triaged | High | Unassigned |
Bug Description
Reported by a user on IRC and verified by inspection of the code, currently instance_
So we either need to get cfn-signal to read the cfn-boto-cfg file (or other data we provide via userdata if that's deemed too dirty a solution) such that it adds the --insecure option, or just kill cfn-signal and make users use curl (which is what AWS do AFAICT, I think cfn-signal is something we invented?)
Changed in heat-cfntools:
status: New → Triaged
importance: Undecided → High
milestone: none → v1.2.7
Changed in heat-cfntools:
milestone: v1.2.7 → v1.2.8
Changed in heat-cfntools:
milestone: v1.2.8 → v1.2.9
> (which is what AWS do AFAICT, I think cfn-signal is something we invented?)
I checked. AWS always verifies the SSL cert. (I wrote my survey at the bottom.)
> So we either need to get cfn-signal to read the cfn-boto-cfg file (or other data we provide via userdata if that's deemed to dirty-a solution) such that it adds the --insecure option, or just kill cfn-signal and make users use curl
If you judge an approach, I will try to write the code.
1. get cfn-signal to read the /var/lib/heat-cfntools/cfn-boto-cfg file, and request with curl
* read /var/lib/heat-cfntools/cfn-boto-cfg
    https_validate_certificates = 1 # if is_secure == 1 then validate cert
    is_secure = 0 # do requests via https
* execute curl with the conditions below
    if is_secure:
        if https_validate_certificates:
            curl --cacert <CA certificate> 'https://.*'
        else:
            curl 'https://.*'
    else:
        curl 'http://.*'
2. get cfn-signal to read the other data via userdata
* may be dirty, do you have any detailed idea?
----
This is my survey, which is how Amazon Linux treats cfn-signal SSL requests.
* /var/lib/cloud/data/user-data.txt
On the instance, cfn-signal is called by userdata. cfn-signal passes an 'https' URL parameter.
    function error_exit
    {
      /opt/aws/bin/cfn-signal -e 1 -r "$1" 'https://cloudformation-waitcondition-ap-northeast-1.s3-ap-northeast-1.amazonaws.com/arn%3Aaws%3Acloudformation%3Aap-northeast-1%3A619125787411%3Astack/wordpress/1aad2760-2d70-11e4-9d9e-5088487c4896/WaitHandle?AWSAccessKeyId=AKIAIZ6TP2XVEMTYTWLQ&Expires=1409178429&Signature=pdGcv%2FVjXZNpnASBr37qxxckOBQ%3D'
      exit 1
    }
* /opt/aws/bin/cfn-signal
cfn-signal implementation. It uses the 'requests' Python library in cfnbootstrap.packages.
cfn-signal calls the put() method with the 'verify=True' parameter. This is whether to force verification of the SSL cert or not.
So Amazon CloudFormation always verifies the SSL cert.
    import re
    from cfnbootstrap.packages import requests
    import socket
    ...
    @util.retry_on_failure()
    @util.timeout()
    def send(url, data):
        requests.put(url,
                     data=json.dumps(data),
                     headers={"Content-Type": ""},
                     verify=True,
                     proxies=util.get_proxyinfo(options)).raise_for_status()

    try:
        send(url, data)
        print 'CloudFormation signaled successfully with %s.' % data['Status']
        sys.exit(0)
    except IOError, e:
        print >> sys.stderr, 'Error signaling CloudFormation: %s' % str(e)
        sys.exit(1)
* /usr/lib/python2.6/site-packages/cfnbootstrap/packages/requests/__init__.py
requests library. requests.put() is an alias of requests.api.put().
    from .models import Request, Response, PreparedRequest
    from .api import request, get, head, post, patch, put, delete, options
    from .sessions import session, Session
* /usr/lib/python2.6/site-packages/cfnbootstrap/packages/requests/api.py
'verify=True' is in the kwargs of requests.api.put().
    def put(url, data=None, **kwargs):
        """Sends a PUT request. Returns :class:`Response` object.

...
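As an added example of the approach proposed in item 1 of the comment above, and of the `verify` parameter the AWS survey found in requests.put(), the following Python 3 snippet is not heat-cfntools or AWS code. It parses a cfn-boto-cfg body for the two keys named in the comment (is_secure, https_validate_certificates), treats missing keys as "TLS on, validation on" so a truncated config can never silently disable verification, and then derives both the curl argument list cfn-signal would execute and the value it would pass as requests' `verify=`. Assumptions: the file is INI-style with a [Boto] section, the optional ca_certificates_file key (boto's own name for it) may carry a CA bundle path, and the sample config texts are constructed for the example.

```python
"""Derive cfn-signal's TLS behaviour from a cfn-boto-cfg body.

Added example, not heat-cfntools or AWS code. The [Boto] section layout and
the key names are assumed to match what the bug comment describes.
"""
import configparser
from urllib.parse import urlsplit

# Constructed sample: operator turned certificate validation off (the case
# the bug is about, where cfn-signal must pass --insecure to curl).
SAMPLE_CFG_INSECURE = """
[Boto]
debug = 0
is_secure = 1
https_validate_certificates = 0
cfn_region_name = heat
"""

# Constructed sample: older/minimal config with the validation key absent.
SAMPLE_CFG_DEFAULT = """
[Boto]
is_secure = 1
"""


def parse_boto_cfg(text):
    """Return (is_secure, validate_certs, ca_file) from a cfn-boto-cfg body.

    Missing section or keys fall back to the safe defaults (TLS on,
    validation on); only an explicit 0/false/no turns validation off.
    """
    parser = configparser.ConfigParser()
    parser.read_string(text)
    if not parser.has_section("Boto"):
        return True, True, None
    is_secure = parser.getboolean("Boto", "is_secure", fallback=True)
    validate = parser.getboolean("Boto", "https_validate_certificates", fallback=True)
    # ca_certificates_file is boto's key name; treated as optional here (assumption).
    ca_file = parser.get("Boto", "ca_certificates_file", fallback=None)
    return is_secure, validate, ca_file


def build_curl_command(url, body, is_secure, validate, ca_file=None):
    """Build the curl argv for the WaitCondition PUT, mirroring the comment's decision table.

    The URL is never rewritten: an https handle stays https and an http handle
    stays http. --insecure is added only when the config explicitly disabled
    validation, --cacert only when a bundle path is configured.
    """
    scheme = urlsplit(url).scheme
    cmd = ["curl", "-X", "PUT", "--data-binary", body]
    if scheme == "https":
        if validate:
            if ca_file:
                cmd += ["--cacert", ca_file]
        else:
            cmd.append("--insecure")
    elif is_secure:
        # Config says TLS but the handle URL is plain http: refuse rather than
        # downgrade the signal to cleartext.
        raise ValueError("is_secure=1 but wait-condition URL is not https: %s" % url)
    cmd.append(url)
    return cmd


def requests_verify_value(validate, ca_file=None):
    """Map the same config onto requests' verify= kwarg (True, False or a CA bundle path)."""
    if not validate:
        return False
    return ca_file or True


if __name__ == "__main__":
    is_secure, validate, ca_file = parse_boto_cfg(SAMPLE_CFG_INSECURE)
    print(build_curl_command("https://example.invalid/WaitHandle",
                             '{"Status": "SUCCESS"}', is_secure, validate, ca_file))
    print("requests verify=", requests_verify_value(validate, ca_file))
```

The ValueError branch is a design choice of this example, not something the comment proposes: it surfaces a mismatch between is_secure=1 and an http handle URL instead of quietly sending the signal in cleartext.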