Comment 2 for bug 2038974

John A Meinel (jameinel) wrote :

We worked out the issue is that bash strips the trailing newlines from `--config ca-cert=$(cat ./foo.pem)`,
and then juju just concatenates the two files when parsing it, so you end up with:

```
-----BEGIN CERTIFICATE-----
MIIDVzCCAj+gAwIBAgIUUKjZ...
-----END CERTIFICATE----------BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
```

The workaround is to
a) Patch juju with:
diff --git a/pki/authority.go b/pki/authority.go
index 9d812540d5..b255dc9495 100644
--- a/pki/authority.go
+++ b/pki/authority.go
@@ -236,7 +236,10 @@ func NewDefaultAuthorityPem(pemBlock []byte) (*DefaultAuthority, error) {
 // pem ca and key. Returns error if the supplied cert is not a ca or passing of
 // the pem data fails.
 func NewDefaultAuthorityPemCAKey(caPem, keyPem []byte) (*DefaultAuthority, error) {
- return NewDefaultAuthorityPem(append(caPem, keyPem...))
+ combined := append(caPem, []byte("\n\n")...)
+ combined = append(combined, keyPem...)
+ combined = append(combined, []byte("\n\n")...)
+ return NewDefaultAuthorityPem(combined)
 }
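Review bot: `combined := append(caPem, []byte("\n\n")...)` on the first added line appends into caPem's spare capacity when the caller's slice has any, so the caller's buffer can be silently modified; allocate a fresh slice first (e.g. `combined := make([]byte, 0, len(caPem)+len(keyPem)+4)` and then append caPem, the separator and keyPem to it). A single "\n" is enough to terminate the END line, although the blank line is harmless, and the unchanged context comment "passing of the pem data fails" looks like it should read "parsing".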

or
b) insert a newline at the *start* of the certificate file (it seems bash strips trailing newlines, but not prefixed ones)

c) create a config.yaml with the fields filled out:
```
$ cat ./config.yaml
ca-cert: |
  -----BEGIN CERTIFICATE-----
  MIIFqTCCA5GgAwIBAgIUVDF76nUFr9DdDbv8+0CGB3Oxsq8wDQYJKoZIhvcNAQEL
...
  gjJGfWMpEPARB6VLJA==
  -----END CERTIFICATE-----
ca-private-key: |
  -----BEGIN PRIVATE KEY-----
  MIIJQAIBADANBgkqhkiG9w0BAQEFAASCCSowggkmAgEAAoICAQC46EMKXPP4xdys
...
  SvhLa0tEpRcPUvIk6UVTPiWJ290=
  -----END PRIVATE KEY-----
```

```
$ juju bootstrap lxd --debug --config ./config.yaml

$ openssl s_client 10.10.30.62:17070
CONNECTED(00000003)
Can't use SSL_get_servername
depth=1 C = US, ST = FL, L = Gainesville, O = Internet Widgits Pty Ltd, CN = meinel
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=1 C = US, ST = FL, L = Gainesville, O = Internet Widgits Pty Ltd, CN = meinel
...
```
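The parse failure described in this comment, reproduced as an added Go example (not juju's code): it glues two constructed dummy PEM blocks the way the stripped `$(cat ...)` does, shows that `encoding/pem` no longer yields both blocks, and applies the same blank-line separator the patch adds. The helper names `joinPEM` and `pemBlockTypes` and the base64 payloads are made up for the example.

```go
package main

import (
	"encoding/pem"
	"fmt"
)

// Constructed stand-ins for the CA certificate and private key files:
// the base64 payloads are dummy bytes, not a real certificate or key.
var (
	caPem  = []byte("-----BEGIN CERTIFICATE-----\nAAECAwQFBgc=\n-----END CERTIFICATE-----")
	keyPem = []byte("-----BEGIN PRIVATE KEY-----\nCAkKCwwNDg8=\n-----END PRIVATE KEY-----")
)

// joinPEM mirrors the patch above (hypothetical helper, not juju's):
// copy into a fresh slice so the caller's buffer is never written to,
// then separate the two documents with a blank line so the cert's END
// line cannot be glued to the key's BEGIN line.
func joinPEM(caPem, keyPem []byte) []byte {
	combined := make([]byte, 0, len(caPem)+len(keyPem)+4)
	combined = append(combined, caPem...)
	combined = append(combined, "\n\n"...)
	combined = append(combined, keyPem...)
	combined = append(combined, "\n\n"...)
	return combined
}

// pemBlockTypes decodes every PEM block in data and returns the block
// types in order. Current Go releases reject a block whose END line is
// followed by anything other than whitespace, which is exactly the
// "-----END CERTIFICATE----------BEGIN PRIVATE KEY-----" line above.
func pemBlockTypes(data []byte) []string {
	var types []string
	for {
		block, rest := pem.Decode(data)
		if block == nil {
			return types
		}
		types = append(types, block.Type)
		data = rest
	}
}

func main() {
	// What juju received: $(cat ./foo.pem) lost its trailing newline,
	// so the two files were concatenated with nothing between them.
	glued := append(append([]byte{}, caPem...), keyPem...)
	fmt.Println("glued: ", pemBlockTypes(glued))                   // fewer than two blocks
	fmt.Println("joined:", pemBlockTypes(joinPEM(caPem, keyPem))) // [CERTIFICATE PRIVATE KEY]
}
```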