No mechanism exists to trust self-signed https metadata mirror.
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Canonical Juju | Expired | Wishlist | Unassigned | |
Bug Description
While trying to set up a demo of juju 2 on an isolated network, I found it impossible to obtain lxd images during bootstrap from a simplestreams mirror of https:/
The apache2 server I'm using for the mirror has a self-signed certificate.
The bootstrap fails after reporting that no valid image is available on my simplestreams mirror, and a Wireshark capture shows a failed TLS 1.2 handshake with alert message "Fatal: Bad Certificate (42)."
$ apt-cache policy juju
juju:
Installed: 1:2.0.2-
Candidate: 1:2.0.2-
Version table:
*** 1:2.0.2-
500 http://
500 http://
100 /var/lib/
2.
500 http://
2.
500 http://
1.
500 http://
500 http://
$ JUJU_STARTUP_
juju bootstrap --config=
output attached in boot.log
tags: added: lxd lxd-provider
Changed in juju:
status: New → Triaged
importance: Undecided → Wishlist
I would like to see an additional configuration item added that would allow you to accept a self-signed certificate for the simplestreams mirror URL, or some mechanism to allow adding the certificate per the developer's preference.
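The following is an added example, not code from this bug thread or from Juju. It sketches the second option requested above using Go's standard library (Go being the language Juju is written in): the mirror's own certificate is added to the client's trust pool, so chain and hostname verification stay on. The names `trustingClient` and `demo` are hypothetical, and the local test server is a constructed stand-in for the mirror.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// trustingClient (hypothetical name) returns an HTTP client that trusts the
// system roots plus the PEM certificates in extraPEM. Verification stays on.
func trustingClient(extraPEM []byte) (*http.Client, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	if len(extraPEM) > 0 && !pool.AppendCertsFromPEM(extraPEM) {
		return nil, errors.New("no usable certificate in PEM input")
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}, nil
}

// demo (hypothetical name) starts a local HTTPS server whose certificate no
// system root vouches for, then requests it with and without that certificate.
func demo() (sysOnly, pinned error) {
	srv := httptest.NewTLSServer(http.NotFoundHandler()) // only the handshake matters here
	defer srv.Close()
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	get := func(extra []byte) error {
		c, err := trustingClient(extra)
		if err != nil {
			return err
		}
		resp, err := c.Get(srv.URL)
		if err != nil {
			return err
		}
		return resp.Body.Close()
	}
	return get(nil), get(certPEM)
}

func main() {
	sysOnly, pinned := demo()
	fmt.Printf("system roots only: %v\nmirror cert added: %v\n", sysOnly, pinned)
}
```

The first request fails certificate verification and the second succeeds, without resorting to `InsecureSkipVerify`, which would accept any certificate presented for the mirror address.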