juju 2.1 issues certificates with wrong DNS alternative names on juju upgrade.
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical Juju | Fix Released | High | José Pekkarinen |
2.2 | Fix Released | High | José Pekkarinen |
Bug Description
Hi,
On an environment where juju HA was at version 2.1.2, executing an upgrade to juju 2.1.3 resulted in the secondary nodes not being able to connect to the local mongodb:
2017-08-15 13:58:13 DEBUG juju.mongo open.go:144 dialled mongodb server at "127.0.0.1:37017"
2017-08-15 13:58:14 DEBUG juju.mongo open.go:144 dialled mongodb server at "127.0.0.1:37017"
2017-08-15 13:58:15 DEBUG juju.mongo open.go:144 dialled mongodb server at "127.0.0.1:37017"
2017-08-15 13:58:16 DEBUG juju.mongo open.go:144 dialled mongodb server at "127.0.0.1:37017"
2017-08-15 13:58:17 DEBUG juju.mongo open.go:144 dialled mongodb server at "127.0.0.1:37017"
2017-08-15 13:58:18 DEBUG juju.mongo open.go:144 dialled mongodb server at "127.0.0.1:37017"
2017-08-15 13:58:18 DEBUG juju.worker.
2017-08-15 13:58:18 ERROR juju.worker.
2017-08-15 13:58:21 DEBUG juju.cmd.jujud machine.go:1402 mongo is already initialized
2017-08-15 13:58:21 INFO juju.state open.go:121 opening state, mongo addresses: ["localhost:
Reading the certificate, I can see:
# openssl x509 -text -noout -in /var/lib/
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
Signature Algorithm: sha256WithRSAEn
Issuer: O=juju, CN=juju-generated CA for model "juju-ca"
Validity
...
X509v3 Subject Alternative Name:
...
Then the api-server won't start:
# lsof -i | grep LISTEN
sshd 4541 root 3u IPv4 44323 0t0 TCP *:ssh (LISTEN)
mongod 33430 root 6u IPv4 123993 0t0 TCP *:37017 (LISTEN)
And juju status won't notice it:
$ juju status -m controller
Model Controller Cloud/Region Version
controller mycontroller myregion 2.1.3.1
App Version Status Scale Charm Store Rev OS Notes
Unit Workload Agent Machine Public address Ports Message
Machine State DNS Inst id Series AZ
0 started <valid-ip-address> <maas.machine.name> xenial AZ1
5 started <valid-ip-address> <maas.machine.name> xenial AZ2
9 started <valid-ip-address> <maas.machine.name> xenial AZ3
This is addressed in the following PR:
https:/
PR against 2.2:
https:/
Thanks!
José.
description: updated
affects: juju-core → juju
Changed in juju:
importance: Undecided → High
status: New → Triaged
milestone: none → 2.3-alpha1
assignee: nobody → José Pekkarinen (jose-pekkarinen)
description: updated
tags: added: 4010
tags: added: cpe-onsite
Changed in juju:
milestone: 2.3-beta1 → 2.3-beta2
Changed in juju:
milestone: 2.3-beta2 → 2.3-beta1
Changed in juju:
status: Fix Committed → Fix Released
The fix seems like something worth landing, though that particular bug has been present since 1.23. So it isn't something that is wrong 'just now'.
I think we need to figure out what the more underlying issue is.
It may be that something was broken in 2.1.3 that started connecting to 'localhost' instead of connecting to 'juju-mongodb'.
The concern is that while this patch does look like a genuinely correct fix, that doesn't mean that by itself it will actually fix the problem with connecting to the replica set. (And it also may not be the *correct* fix as we should probably be trying to address the local mongo as juju-mongodb instead of 'localhost'.)
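As an added example for the failure in the report and the localhost-versus-juju-mongodb point raised above (not code from Juju or from the linked PRs), the check below reports which dial addresses a server certificate's SANs fail to cover, using the same hostname verification Go's TLS client applies when it dials. The certificate, its SAN list and the address list are constructed here: the cert names the replica-set member as `juju-mongodb` plus a made-up IP, while the agent dials `localhost`/`127.0.0.1` as in the log.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)
// makeCert builds a constructed self-signed server certificate carrying the given
// DNS and IP subject alternative names (a stand-in for a juju-issued cert).
func makeCert(dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"juju"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// MissingSANs returns, in order, each address in addrs that the certificate's SANs
// do not cover, using the same hostname check a TLS client applies when dialling.
func MissingSANs(cert *x509.Certificate, addrs []string) []string {
	var missing []string
	for _, a := range addrs {
		if err := cert.VerifyHostname(a); err != nil {
			missing = append(missing, a)
		}
	}
	return missing
}
func main() {
	// Constructed: SANs name the replica-set peer and an assumed IP, not localhost.
	cert, err := makeCert([]string{"juju-mongodb"}, []net.IP{net.ParseIP("10.0.0.5")})
	if err != nil {
		panic(err)
	}
	fmt.Println(MissingSANs(cert, []string{"localhost", "127.0.0.1", "juju-mongodb", "10.0.0.5"})) // prints [localhost 127.0.0.1]
}
```

Run the same check against a real cert (parse the PEM from the controller with encoding/pem and x509.ParseCertificate) and the address list the agent logs under "mongo addresses" to confirm an upgrade left the SANs consistent with what the agents dial.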