CERTIFICATE_VERIFY_FAILED will occur when using 'maas configauth' with snap env

Bug #1887104 reported by Hua Zhang
This bug affects 2 people
Affects: MAAS
Status: Expired
Importance: Medium
Assigned to: Unassigned

Bug Description

When you use snap instead of Debian to install MAAS, CERTIFICATE_VERIFY_FAILED will occur when running 'maas configauth --rbac-url https://node1.lan:5000/ --rbac-service-name maastest'. That's because of one python-requests bug [1]; some Python versions fix it, some don't.

1. The Debian way will use /usr/lib/python3/dist-packages/certifi/core.py; this bug has been fixed.

# grep -r '__main__' /usr/lib/python3/dist-packages/requests/certs.py -A 1
if __name__ == '__main__':
    print(where())
# grep -r 'def where' /usr/lib/python3/dist-packages/certifi/core.py -A 1
def where():
    return "/etc/ssl/certs/ca-certificates.crt"

2. The snap way will use /snap/maas/current/lib/python3.6/site-packages/certifi/core.py; this bug has not been fixed, so the CA /snap/maas/current/lib/python3.6/site-packages/certifi/cacert.pem is used rather than /etc/ssl/certs/ca-certificates.crt.

# grep -r '__main__' /snap/maas/current/lib/python3.6/site-packages/requests/certs.py -A 1
if __name__ == '__main__':
    print(where())
# vim /snap/maas/current/lib/python3.6/site-packages/certifi/core.py
try:
    def where():
        ...
        if _CACERT_PATH is None:
            ...
            _CACERT_CTX = get_path("certifi", "cacert.pem")
            _CACERT_PATH = str(_CACERT_CTX.__enter__())
        return _CACERT_PATH
except ImportError:
    # This fallback will work for Python versions prior to 3.7 that lack the
    # importlib.resources module but relies on the existing `where` function
    # so won't address issues with environments like PyOxidizer that don't set
    # __file__ on modules.
    def read_text(_module, _path, encoding="ascii"):
        with open(where(), "r", encoding=encoding) as data:
            return data.read()

So the variable REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt should be set in the environment inside the maas snap container, just like crbs (canonical-rbac) does in the commit 03a9d37ae4.

[1] https://stackoverflow.com/questions/42982143/python-requests-how-to-use-system-ca-certificates-debian-ubuntu/42982144#42982144
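
A diagnostic for the behaviour described in this report, added here as an example (it is not part of the original report or of MAAS): it mirrors the order in which requests chooses a CA bundle when `verify` is left at its default, and reports whether that bundle is the system trust store. The function names are hypothetical, and it assumes the RBAC endpoint's CA was installed into the system store.

```python
import os

# Paths quoted in the bug report.
SYSTEM_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
SNAP_CERTIFI = "/snap/maas/current/lib/python3.6/site-packages/certifi/cacert.pem"


def effective_ca_bundle(environ, certifi_default):
    """Return (path, source) of the CA bundle requests will verify against.

    Mirrors requests' lookup when verify is left at its default and
    trust_env is on: REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, then the
    bundle reported by certifi.where().
    """
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        value = environ.get(var)
        if value:  # an empty string is treated as unset, as in requests
            return value, var
    return certifi_default, "certifi.where()"


def diagnose(environ, certifi_default, system_bundle=SYSTEM_BUNDLE):
    """Report whether TLS verification will use the system trust store."""
    path, source = effective_ca_bundle(environ, certifi_default)
    return {
        "bundle": path,
        "source": source,
        # Assumption: the locally installed CA lives only in the system store,
        # so a bundled cacert.pem cannot validate the RBAC endpoint.
        "uses_system_store": os.path.realpath(path) == os.path.realpath(system_bundle),
        # An override pointing at a missing or unreadable file also fails.
        "readable": os.access(path, os.R_OK),
    }


if __name__ == "__main__":
    try:
        import certifi  # installed alongside requests
        default = certifi.where()
    except ImportError:
        default = SNAP_CERTIFI  # constructed fallback: the snap path from the report
    for key, value in diagnose(os.environ, default).items():
        print(f"{key}: {value}")
```

Run it with the same interpreter and environment as the failing command; `uses_system_store: False` with `source: certifi.where()` matches the snap case described above.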

Tags: sts
Hua Zhang (zhhuabj)
tags: added: sts
Alberto Donato (ack)
Changed in maas:
status: New → Triaged
importance: Undecided → Medium
Jerzy Husakowski (jhusakowski) wrote :

Is this issue still reproducible? There was an underlying issue in snapd that has since been fixed. It would be useful to know if the issue still occurs with e.g. MAAS 3.1 or later.

Changed in maas:
status: Triaged → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for MAAS because there has been no activity for 60 days.]

Changed in maas:
status: Incomplete → Expired