Invalid SSL certificate after rebootstrapping

Bug #1130255 reported by Nicola Larosa
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| juju-core | Fix Released | High | Unassigned | |

Bug Description

The Juju GUI connects to the Juju API WebSocket via SSL when so configured.

When Juju uses a self-signed SSL certificate, it gets reused upon rebootstrapping.

When first bootstrapping Juju, for Juju GUI to be able to access the Juju API WebSocket, said WebSocket has to be first accessed manually so that the user can accept the self-signed certificate issued by Juju.

When using Firefox, after rebootstrapping Juju and accessing the WebSocket port via SSL again: <https://hostname:17070/>, since Juju reuses the previously generated self-signed certificate, but now it is deployed on a host at a different address, Firefox displays an invalid server certificate with the following error:

"Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number."

William Reade (fwereade) wrote :

Nicola, sorry, I'm missing context. Would you explain what you did in a bit more detail please?

Changed in juju-core:
status: New → Incomplete
Nicola Larosa (teknico) wrote :

William, sorry for the vagueness. I changed the bug description adding all context that I can retrieve from my memory. It may be all, in part or not at all relevant to the current situation. :-)

description: updated
William Reade (fwereade) wrote :

Sorry, this is actually perfectly clear. We should destroy certs/keys at destroy-environment time.

Changed in juju-core:
status: Incomplete → Triaged
importance: Undecided → High
Curtis Hovey (sinzui)
tags: added: destroy-environment
William Reade (fwereade)
Changed in juju-core:
status: Triaged → Fix Committed
Curtis Hovey (sinzui)
Changed in juju-core:
milestone: none → 1.17.0
Curtis Hovey (sinzui)
Changed in juju-core:
status: Fix Committed → Fix Released
William Reade (fwereade) wrote :

OK, we generate a new server cert with the same CA cert -- but we reuse the serial number, which is not OK. See cert/cert.go:154 and http://www.ietf.org/rfc/rfc2459.txt section 4.1.2.2

Changed in juju-core:
milestone: 1.17.0 → 1.17.1
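
The serial-number collision described in this report, as an added Go example that is not juju-core's `cert/cert.go`: two server certificates issued under one CA with a fixed serial share the (issuer, serial) pair that RFC 2459 section 4.1.2.2 requires to be unique, while a random 128-bit serial per certificate does not. The helper names (`check`, `newSerial`, `issue`), the host names and the fixed serial value 1 are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) { // demo only: abort on any error
	if err != nil {
		panic(err)
	}
}

// newSerial returns a random positive serial of up to 128 bits.
func newSerial() *big.Int {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	check(err)
	return n.Add(n, big.NewInt(1))
}

// issue signs a certificate for cn; a nil parent yields a self-signed CA.
func issue(cn string, serial *big.Int, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: parent == nil,
		BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

func main() {
	ca, caKey := issue("constructed-ca", newSerial(), nil, nil)
	old, _ := issue("host-a.example", big.NewInt(1), ca, caKey) // constructed fixed serial
	bad, _ := issue("host-b.example", big.NewInt(1), ca, caKey) // same serial after re-bootstrap
	good, _ := issue("host-b.example", newSerial(), ca, caKey)  // fresh serial per certificate
	fmt.Println("same issuer:", old.Issuer.String() == bad.Issuer.String())
	fmt.Println("reused serial collides:", old.SerialNumber.Cmp(bad.SerialNumber) == 0)
	fmt.Println("fresh serial collides:", old.SerialNumber.Cmp(good.SerialNumber) == 0)
}
```
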