Canonical Livepatch On-Prem

unable to use private CA certificate with contract server

Bug #2064578 reported by Bayani Carbone
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Canonical Livepatch On-Prem
Triaged
High
Unassigned

Bug Description

When trying to run the get-resource-token action with an on-prem contract server using a certificate signed by a private CA, the action fails with this exception:

# ./actions/get-resource-token
Failed to retrieve resource token HTTPSConnectionPool(host='contract.example.com', port=443): Max retries exceeded with url: /v1/resources/livepatch-onprem/context/machines/27d546e7ad6e423f91745bcce44a7147 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1007)')))

I believe the issue lies in this piece of code:

https://github.com/canonical/livepatch-server/blob/a20a87cf0afe6f5240783015aa4763af2cf468d7/charms/onprem/lib/charms/layer/livepatchserver/resource.py#L51

def get_resource_token(machine_id, machine_token, contracts_url=DEFAULT_CONTRACTS_URL, proxies=None):
    """
    Retrieve a resource token for the livepatch-onprem
    resource.
    """
    if proxies is not None:
        os.environ['http_proxy'] = proxies.get('http_proxy', '')
        os.environ['https_proxy'] = proxies.get('https_proxy', '')
        os.environ['no_proxy'] = proxies.get('no_proxy', '')

    headers = {'Authorization': 'Bearer {}'.format(machine_token)}
    try:
        req = rsession.get(
            '{}/v1/resources/{}/context/machines/{}'.format(
                contracts_url, RESOURCE_NAME, machine_id),
            headers=headers)
        data = req.json()
        return data
    except requests.exceptions.RequestException:
        print("Failed to retrieve resource token")
        return None
    except KeyError:
        print("Resource token not in contracts response.")
        return None

The python requests module in the charm context is using this CA cert file:
/var/lib/juju/agents/unit-livepatch-0/.venv/lib/python3.10/site-packages/certifi/cacert.pem

Which does not contain any certificates imported via `/usr/local/share/ca-certificates/`.

One option to fix this, would be to expose a config option to set the CA cert file to be used and add the `verify` argument to the `get` call e.g.:

        req = rsession.get(
            '{}/v1/resources/{}/context/machines/{}'.format(
                contracts_url, RESOURCE_NAME, machine_id),
            headers=headers, verify=CA_BUNDLE)

e.g. CA_BUNDLE = '/etc/ssl/certs/ca-certificates.crt'

See original description
Revision history for this message
Kian Parvin (kian-parvin) wrote :

Hi, thanks for the bug report. I've created a ticket to track this issue and we should be able to address it early next week.

Changed in livepatch-onprem:
status: New → Triaged
importance: Undecided → High
Bayani Carbone (bcarbone)
description: updated
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.