We worked out the issue is that bash strips the trailing newlines from "--config ca-cert=$(cat ./foo.pem)"
And then juju just concatenates the two files when parsing it, but you end up with:
```
-----BEGIN CERTIFICATE-----
MIIDVzCCAj+gAwIBAgIUUKjZ...
...
-----END CERTIFICATE----------BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
```
The workaround is to
a) Patch juju with:
diff --git a/pki/authority.go b/pki/authority.go
index 9d812540d5..b255dc9495 100644
--- a/pki/authority.go
+++ b/pki/authority.go
@@ -236,7 +236,10 @@ func NewDefaultAuthorityPem(pemBlock []byte) (*DefaultAuthority, error) {
// pem ca and key. Returns error if the supplied cert is not a ca or passing of
// the pem data fails.
func NewDefaultAuthorityPemCAKey(caPem, keyPem []byte) (*DefaultAuthority, error) {
- return NewDefaultAuthorityPem(append(caPem, keyPem...))
+ combined := append(caPem, []byte("\n\n")...)
+ combined = append(combined, keyPem...)
+ combined = append(combined, []byte("\n\n")...)
+ return NewDefaultAuthorityPem(combined)
}
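Review bot: the first `+` line, `combined := append(caPem, []byte("\n\n")...)`, appends into `caPem`'s backing array; if the caller's slice has spare capacity (a `bytes.Buffer` result, or a slice of a larger read buffer), the caller's data is silently overwritten past its length. Suggest allocating a fresh slice, e.g. `combined := make([]byte, 0, len(caPem)+len(keyPem)+4)` followed by the three appends, and adding a unit test for `NewDefaultAuthorityPemCAKey` that feeds a certificate without its trailing newline, since that is the exact input that broke here and nothing in the hunk covers it.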
or
b) insert a newline at the *start* of the certificate file (it seems bash strips trailing newlines, but not prefixed ones)
c) create a config.yaml with the fields filled out:
$ cat ./config.yaml
ca-cert: |
  -----BEGIN CERTIFICATE-----
  MIIFqTCCA5GgAwIBAgIUVDF76nUFr9DdDbv8+0CGB3Oxsq8wDQYJKoZIhvcNAQEL
  ...
  gjJGfWMpEPARB6VLJA==
  -----END CERTIFICATE-----
ca-private-key: |
  -----BEGIN PRIVATE KEY-----
  MIIJQAIBADANBgkqhkiG9w0BAQEFAASCCSowggkmAgEAAoICAQC46EMKXPP4xdys
  ...
  SvhLa0tEpRcPUvIk6UVTPiWJ290=
  -----END PRIVATE KEY-----
$ juju bootstrap lxd --debug --config ./config.yaml
$ openssl s_client 10.10.30.62:17070
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 C = US, ST = FL, L = Gainesville, O = Internet Widgits Pty Ltd, CN = meinel
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=1 C = US, ST = FL, L = Gainesville, O = Internet Widgits Pty Ltd, CN = meinel
...
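A small Go program, added here as an illustration and not juju's own code, that reproduces the failure described above and shows a join that tolerates a certificate whose trailing newline was stripped. It generates a throwaway self-signed CA in memory (constructed data), strips the trailing newline the way `$(cat ./foo.pem)` does, and counts how many PEM blocks `encoding/pem` can still decode from the concatenation. The names `MakeCAPair`, `StripTrailingNewlines`, `BlockTypes`, `NaiveJoin` and `SafeJoin` are chosen for this example and do not exist in juju.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// MakeCAPair generates a throwaway self-signed CA certificate and its key,
// both PEM-encoded. Constructed test data for this example only.
func MakeCAPair() (caPem, keyPem []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	certDer, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDer, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	caPem = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDer})
	keyPem = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDer})
	return caPem, keyPem, nil
}

// StripTrailingNewlines mimics what bash command substitution $(cat file)
// does to the file contents before they reach juju.
func StripTrailingNewlines(b []byte) []byte {
	return bytes.TrimRight(b, "\n")
}

// BlockTypes decodes every PEM block in a bundle and returns their types;
// a parser such as NewDefaultAuthorityPem ultimately depends on this step.
func BlockTypes(bundle []byte) []string {
	var types []string
	rest := bundle
	for {
		var blk *pem.Block
		blk, rest = pem.Decode(rest)
		if blk == nil {
			return types
		}
		types = append(types, blk.Type)
	}
}

// NaiveJoin reproduces the pre-patch behaviour: plain concatenation, so a
// cert without a trailing newline fuses "-----END CERTIFICATE-----" and
// "-----BEGIN PRIVATE KEY-----" onto one line.
func NaiveJoin(caPem, keyPem []byte) []byte {
	return append(append([]byte{}, caPem...), keyPem...)
}

// SafeJoin guarantees each PEM block ends with a newline before the next one
// starts, and writes into a fresh slice so the caller's buffers are untouched.
func SafeJoin(caPem, keyPem []byte) []byte {
	out := make([]byte, 0, len(caPem)+len(keyPem)+2)
	for _, part := range [][]byte{caPem, keyPem} {
		out = append(out, part...)
		if len(out) > 0 && out[len(out)-1] != '\n' {
			out = append(out, '\n')
		}
	}
	return out
}

func main() {
	ca, key, err := MakeCAPair()
	if err != nil {
		panic(err)
	}
	stripped := StripTrailingNewlines(ca)
	fmt.Println("intact cert, naive join:  ", BlockTypes(NaiveJoin(ca, key)))
	fmt.Println("stripped cert, naive join:", BlockTypes(NaiveJoin(stripped, key)))
	fmt.Println("stripped cert, safe join: ", BlockTypes(SafeJoin(stripped, key)))
}
```

Run with `go run`. With the trailing newline intact, both blocks decode; once it is stripped, the naive join decodes nothing, because `pem.Decode` rejects an END line that is followed by anything other than whitespace and the fused `------BEGIN PRIVATE KEY-----` no longer sits at the start of a line, so the key block is never found either. The patch above achieves the same effect by inserting `"\n\n"` unconditionally; `SafeJoin` only adds a newline when one is missing, which keeps the bundle byte-identical for well-formed input.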