No mechanism exists to trust self-signed https metadata mirror.

Bug #1655147 reported by Adam Blomberg
This bug affects 6 people
Affects: Canonical Juju
Status: Expired
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none)

Bug Description

While trying to set up a demo of juju 2 on an isolated network, I found it impossible to obtain lxd images during bootstrap from a simplestreams mirror of https://cloud-images.ubuntu.com/releases/.

The apache2 server I'm using for the mirror has a self-signed certificate.

The bootstrap fails after reporting that no valid image is available on my simplestreams mirror, and a wireshark capture shows a failed tls 1.2 handshake with alert message "Fatal: Bad Certificate (42)."

$ apt-cache policy juju
juju:
  Installed: 1:2.0.2-0ubuntu1~16.10.1~juju1
  Candidate: 1:2.0.2-0ubuntu1~16.10.1~juju1
  Version table:
 *** 1:2.0.2-0ubuntu1~16.10.1~juju1 500
        500 http://ppa.launchpad.net/juju/stable/ubuntu yakkety/main amd64 Packages
        500 http://ppa.launchpad.net/juju/stable/ubuntu yakkety/main i386 Packages
        100 /var/lib/dpkg/status
     2.0.0-0ubuntu0.16.10.3 500
        500 http://us.archive.ubuntu.com/ubuntu yakkety-updates/main amd64 Packages
     2.0~rc3-0ubuntu4.16.10.1 500
        500 http://us.archive.ubuntu.com/ubuntu yakkety/main amd64 Packages
     1.25.6-0ubuntu1~16.10.1~juju1 500
        500 http://ppa.launchpad.net/juju/stable/ubuntu yakkety/main amd64 Packages
        500 http://ppa.launchpad.net/juju/stable/ubuntu yakkety/main i386 Packages

$ JUJU_STARTUP_LOGGING_CONFIG=TRACE \
juju bootstrap --config=./local_mirror.yaml --debug localhost yggdrasil 2>&1 | tee boot.log

output attached in boot.log

Revision history for this message
Adam Blomberg (paradox606) wrote :

I would like to see an additional configuration item added that would allow you to accept a self-signed certificate for the simplestreams mirror url, or some mechanism to allow adding the certificate per the developer's preference.

Revision history for this message
Adam Blomberg (paradox606) wrote :

This limitation makes it impossible for users in isolated environments to use the lxd provider with juju if they do not have a commercial ssl server available for the simplestreams mirror.
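What the requested mechanism looks like on the client side, as an added Go example that is not juju's own code: the mirror's self-signed certificate (or the private CA that issued it) is loaded into the RootCAs pool the HTTP client verifies against, so the handshake succeeds without turning certificate verification off. The function names, the index path /streams/v1/index.json and the httptest server standing in for the apache2 mirror are all assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// mirrorClient builds an HTTP client for the simplestreams mirror. With caPEM set it trusts
// only those certs (mirror's self-signed cert or private CA); host-name checks stay on.
func mirrorClient(caPEM []byte) (*http.Client, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if caPEM != nil {
		cfg.RootCAs = x509.NewCertPool()
		if !cfg.RootCAs.AppendCertsFromPEM(caPEM) {
			return nil, fmt.Errorf("caPEM contains no parsable certificate")
		}
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}

// fetchIndex requests the simplestreams index (assumed path); an untrusted mirror cert
// surfaces here as an x509 error from the handshake, not as an HTTP status.
func fetchIndex(client *http.Client, base string) (int, error) {
	resp, err := client.Get(base + "/streams/v1/index.json")
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

// fakeMirror stands in for the self-signed apache2 mirror (httptest's TLS server uses
// its own self-signed cert) and returns that cert as PEM, as exported from the mirror.
func fakeMirror() (*httptest.Server, []byte) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	return srv, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
}

func main() {
	srv, caPEM := fakeMirror()
	sys, _ := mirrorClient(nil)
	pinned, _ := mirrorClient(caPEM)
	_, sysErr := fetchIndex(sys, srv.URL)
	status, pinnedErr := fetchIndex(pinned, srv.URL)
	fmt.Println(sysErr, "|", status, pinnedErr)
}
```

The first client reproduces the reporter's failure (the handshake is rejected by the system roots); the second, with the mirror certificate pinned, gets HTTP 200.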

tags: added: lxd lxd-provider
Changed in juju:
status: New → Triaged
importance: Undecided → Wishlist
Revision history for this message
Canonical Juju QA Bot (juju-qa-bot) wrote :

This bug has not been updated in 5 years, so we're marking it Expired. If you believe this is incorrect, please update the status.

Changed in juju:
status: Triaged → Expired
tags: added: expirebugs-bot