^/repository urls should not redirect to https
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Landscape Charm |
Fix Released
|
Undecided
|
Andreas Hasenack |
Bug Description
When using repository management in Landscape and associating a computer with a repository profile, that computer will get http://<landscape-
With the way we deploy the frontend (haproxy in this case), though, http plaintext connections that do not start with /ping are transformed into https. apt will follow this redirect, and try to establish an https connection. If the CA that signed the server is unknown, it will fail:
"""
Err http://
server certificate verification failed. CAfile: /etc/ssl/
...
W: Failed to fetch http://
"""
Note how the error can be confusing: the url apt is showing is an HTTP (non-SSL) one, yet it's complaining about a certificate validation problem.
I changed the haproxy.cfg file like below, and apt worked again with this server:
--- /etc/haproxy/
+++ /etc/haproxy/
@@ -37,13 +37,14 @@
frontend haproxy-1-80
bind 0.0.0.0:80
default_
mode http
timeout client 300000
acl ping path_beg -i /ping
- redirect scheme https unless ping
+ acl repository path_beg -i /repository
+ redirect scheme https unless ping OR repository
use_backend landscape-ping if ping
backend landscape-http
mode http
timeout server 300000
balance leastconn
This has been happening since the introduction of the new charm way back. The reasons it was never caught before are:
a) robot tests, which exercise repository management with a real client, deploy quickstart with our old apache template, which kept the /repository URLs as http
b) manual testing, which just exercised the repository management API, not with real clients running apt-get against it
Related branches
- Chad Smith: Approve
- Francis Ginther (community): Approve
- 🤖 Landscape Builder: Approve (test results)
-
Diff: 27 lines (+4/-2)2 files modifiedlib/relations/haproxy.py (+2/-1)
lib/relations/tests/test_haproxy.py (+2/-1)
tags: | removed: kanban |
Changed in landscape-charm: | |
assignee: | nobody → Andreas Hasenack (ahasenack) |
status: | New → In Progress |
description: | updated |
Changed in landscape-charm: | |
status: | In Progress → Fix Committed |
Changed in landscape-charm: | |
status: | Fix Committed → Fix Released |
Hmm, I think this is going the wrong way.
We *should* be using TLS, and give the correct URL to the clients that are pulling packages from us. Getting the correct cert on their computers is a separate problem, which should be tackled.