juju login on unregistered controller fails with cert errors

Bug #1921557 reported by Garry Lawrence
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
juju | | High | Thomas Miller |
2.8 | | High | Thomas Miller |

Bug Description

Steps to reproduce:

1. Prepare to bootstrap on localhost cloud as usual.
2. Run bootstrap command, note controller IP address in output.
3. Run juju change-user-password, juju logout, then juju unregister.
4. Run juju login [IP-ADDRESS]:17070 -c test_name --debug

This will prompt the user to decide whether they trust the CA fingerprint on 2.6.x and 2.7.x; debug output from 2.8.x is in an attachment.

OpenSSL s_client indicates that the CA certificate is not being sent by the controller as part of its cert chain during the TLS handshake.

Garry Lawrence (invalidinterrupt) wrote :

I don't have a build chain for juju set up to test with yet, so I can't test my theory, but I haven't found a replacement for the logic removed here: https://github.com/juju/juju/commit/b406e62d560a19ffdf9159189d75866c5ce9a967#diff-42e98acd9986b3325c28156353acadd15911a1442a0018ebc04e7ec42aea25e7L174-L180

description: updated
John A Meinel (jameinel)
Changed in juju:
status: New → Triaged
importance: Undecided → High
milestone: none → 2.9-rc9
assignee: nobody → John A Meinel (jameinel)
assignee: John A Meinel (jameinel) → Thomas Miller (tlmiller)
Thomas Miller (tlmiller)
Changed in juju:
status: Triaged → In Progress
Thomas Miller (tlmiller) wrote :

Initial investigation done. The issue looks to be an incorrect SNI setting on the TLS connection for the login command.

We will also need to do something about the CA cert coming through for this command. But the initial problem is the lack of SNI being sent by the client.
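
Added example, not part of the original thread and not Juju's code: a Go probe that does what the openssl s_client check in the description does, listing the certificates a server presents with and without SNI. The local server, its rule of sending the CA only when SNI matches, and the name controller.example are assumptions constructed for the demonstration; the fact it relies on is that Go's crypto/tls sends no SNI when the dialled host is an IP literal and ServerName is unset.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// startServer is a constructed stand-in (not Juju code): assumed to send the CA only when SNI == name.
func startServer(name string) string {
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, t, t, caKey.Public(), caKey)
	ca, _ := x509.ParseCertificate(caDER)
	t.SerialNumber, t.IsCA, t.DNSNames = big.NewInt(2), false, []string{name}
	leafDER, _ := x509.CreateCertificate(rand.Reader, t, ca, pub, caKey)
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		chain := [][]byte{leafDER}
		if h.ServerName == name {
			chain = append(chain, caDER)
		}
		return &tls.Certificate{Certificate: chain, PrivateKey: key}, nil
	}})
	go http.Serve(ln, nil)
	return ln.Addr().String()
}

// presentedChain returns what the server sent; Go sends no SNI when sni is "" and addr is an IP.
func presentedChain(addr, sni string) ([]*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: sni, InsecureSkipVerify: true}) // inspection only
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates, nil
}

func main() {
	addr := startServer("controller.example") // constructed name
	bare, _ := presentedChain(addr, "")
	full, _ := presentedChain(addr, "controller.example")
	fmt.Println("certs without SNI:", len(bare), "with SNI:", len(full))
}
```

Certificate verification is disabled only so the probe can report the chain as sent on the wire; it is a diagnostic and not a pattern for a login path.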

Changed in juju:
milestone: 2.9-rc9 → 2.9-rc10
Thomas Miller (tlmiller) wrote :

Thanks for the bug Garry,

Have placed the following PR forward: https://github.com/juju/juju/pull/12854

We will get this released in 2.8 and 2.9.

Ta
tlm

Changed in juju:
status: In Progress → Fix Committed
status: Fix Committed → In Progress
Ian Booth (wallyworld)
Changed in juju:
status: In Progress → Fix Committed
Changed in juju:
status: Fix Committed → Fix Released