ERROR state: TLS handshake failed: x509: certificate signed by unknown authority

Bug #1178312 reported by Sidnei da Silva
This bug affects 9 people
Affects    Status        Importance  Assigned to  Milestone
juju-core  Fix Released  Low         Unassigned

Bug Description

Steps to reproduce:

Run juju bootstrap from client machine 1
Run juju -v status from client machine 2, where machine 2 has a *previous* set of .pem files from a previous run which don't match the current environment.

On machine 2, the message is printed over and over again about 5 times per second, and it doesn't seem to ever give up.

The fix is apparently to copy the {env}-cert.pem and {env}-private-key.pem files from the bootstrap machine to the other machine. Regardless, the status command should give up and error right away since there's nothing that it can fix by retrying over and over.

Sidnei da Silva (sidnei)
description: updated
John A Meinel (jameinel) wrote :

I think this is a single case of a more general issue, where we will wait indefinitely to try to connect to the server, even for errors which could be considered fatal. (having incorrect pem files, having incorrect credentials, trying to connect to a server that will never start, etc.)

Changed in juju-core:
importance: Undecided → Medium
status: New → Confirmed
William Reade (fwereade)
Changed in juju-core:
status: Confirmed → Triaged
Curtis Hovey (sinzui)
Changed in juju-core:
importance: Medium → Low
Curtis Hovey (sinzui)
tags: added: config
Jonathan Davies (jpds)
tags: added: cts-cloud-review
Dimiter Naydenov (dimitern) wrote :

I also found out a similar error is reported when you manually bootstrap a machine with a clock out of sync. I have a pristine precise VM with a snapshot just after rebooting. The clock shows the time the snapshot was done, and when bootstrapping, the generated TLS cert for the api/state server is created with the wrong date. Consequently, trying to log in later to that machine will always fail with "cert expired".

John A Meinel (jameinel) wrote :

"cert expired" because the cert start time is later than "now()", interesting.

Anyway, having the wrong cert will prevent you from connecting to the new environment because it doesn't match, that is intentional behavior. We no longer drop .pem files on disk (they may already exist there), so I'm tempted to mark this as either Won't Fix or Invalid.

Felipe Reyes (freyes)
tags: added: cts
tags: added: sts
removed: cts
Curtis Hovey (sinzui) wrote :

This issue has not been seen in modern juju for more than a year.

Changed in juju-core:
status: Triaged → Fix Released
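
An added example, not part of the bug thread and not juju's own code: a Go connect loop that retries transient failures but returns on the first certificate verification error, the behaviour the report asks for. The function names are hypothetical and the dial errors are constructed stand-ins for what a TLS handshake returns; Go's crypto/x509 reports a certificate whose start time is still in the future under the same "expired" reason as one past its end time, which matches the clock-skew comment above.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"time"
)

// isFatalTLS reports whether err is a certificate verification failure that
// retrying cannot fix: unknown CA, bad validity window, or hostname mismatch.
func isFatalTLS(err error) bool {
	var ua x509.UnknownAuthorityError
	var inv x509.CertificateInvalidError
	var hn x509.HostnameError
	return errors.As(err, &ua) || errors.As(err, &inv) || errors.As(err, &hn)
}

// connectWithRetry (hypothetical helper) calls dial up to maxAttempts times.
// It returns at once on a fatal certificate error and waits between
// transient failures. It returns the number of attempts made.
func connectWithRetry(dial func() error, maxAttempts int, delay time.Duration) (int, error) {
	var err error
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		if err = dial(); err == nil {
			return attempt, nil
		}
		if isFatalTLS(err) {
			return attempt, fmt.Errorf("not retryable: %w", err)
		}
		if attempt < maxAttempts {
			time.Sleep(delay)
		}
	}
	return maxAttempts, fmt.Errorf("gave up after %d attempts: %w", maxAttempts, err)
}

// Constructed errors standing in for real dial results.
func staleCert() error { // client holds .pem files from an older environment
	return fmt.Errorf("TLS handshake failed: %w", x509.UnknownAuthorityError{})
}
func skewedClock() error { // server cert start time is later than the client's now
	return fmt.Errorf("TLS handshake failed: %w", x509.CertificateInvalidError{Reason: x509.Expired})
}
func refused() error { return errors.New("dial tcp: connection refused") }

func main() {
	for _, dial := range []func() error{staleCert, skewedClock, refused} {
		n, err := connectWithRetry(dial, 3, 10*time.Millisecond)
		fmt.Printf("attempts=%d err=%v\n", n, err)
	}
}
```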