Ubuntu
python-httplib2 package

Bug #1906720
Activity log

Activity log for bug #1906720

Date	Who	What changed	Old value	New value	Message
2020-12-03 20:45:31	Jorge Niedbalski	bug			added bug
2020-12-03 20:45:46	Jorge Niedbalski	nominated for series		Ubuntu Focal
2020-12-03 20:45:46	Jorge Niedbalski	bug task added		python-httplib2 (Ubuntu Focal)
2020-12-03 20:45:46	Jorge Niedbalski	nominated for series		Ubuntu Bionic
2020-12-03 20:45:46	Jorge Niedbalski	bug task added		python-httplib2 (Ubuntu Bionic)
2020-12-03 20:45:46	Jorge Niedbalski	nominated for series		Ubuntu Hirsute
2020-12-03 20:45:46	Jorge Niedbalski	bug task added		python-httplib2 (Ubuntu Hirsute)
2020-12-03 20:45:46	Jorge Niedbalski	nominated for series		Ubuntu Groovy
2020-12-03 20:45:46	Jorge Niedbalski	bug task added		python-httplib2 (Ubuntu Groovy)
2020-12-03 20:45:55	Jorge Niedbalski	python-httplib2 (Ubuntu Hirsute): status	New	Fix Released
2020-12-03 20:45:59	Jorge Niedbalski	python-httplib2 (Ubuntu Groovy): status	New	Fix Released
2020-12-03 20:46:02	Jorge Niedbalski	python-httplib2 (Ubuntu Focal): status	New	Fix Released
2020-12-03 20:46:08	Jorge Niedbalski	python-httplib2 (Ubuntu Bionic): status	New	Confirmed
2020-12-04 14:45:41	Heather Lemon	python-httplib2 (Ubuntu Bionic): assignee		Heather Lemon (hypothetical-lemon)
2020-12-04 14:45:44	Heather Lemon	python-httplib2 (Ubuntu Groovy): assignee		Heather Lemon (hypothetical-lemon)
2020-12-04 14:45:46	Heather Lemon	python-httplib2 (Ubuntu Hirsute): assignee		Heather Lemon (hypothetical-lemon)
2020-12-04 14:45:49	Heather Lemon	python-httplib2 (Ubuntu Focal): assignee		Heather Lemon (hypothetical-lemon)
2020-12-15 14:47:34	Heather Lemon	python-httplib2 (Ubuntu Bionic): status	Confirmed	In Progress
2020-12-15 22:44:34	Heather Lemon	description	[Environment] Bionic python3-httplib2 \| 0.9.2+dfsg-1ubuntu0.2 [Description] maas cli fails to work with apis over https with self-signed certificates due to the lack of disable_ssl_certificate_validation option with python 3.5. [Distribution/Release, Package versions, Platform] cat /etc/lsb-release; dpkg -l \| grep maas DISTRIB_ID=Ubuntu DISTRIB_RELEASE=18.04 DISTRIB_CODENAME=bionic DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS" ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a physical cloud and IPAM ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and command-line interface ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common files ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack Controller for MAAS ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region controller API service for MAAS ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region Controller for MAAS ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server Django web framework (Python 3) ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS python API client (Python 3) ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server provisioning libraries (Python 3) [Steps to Reproduce] - prepare a maas server(installed by packages for me and the customer). it doesn't have to be HA to reproduce - prepare a set of certificate, key and ca-bundle - place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` - add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates - login with a new profile over https url - when not added the ca-bundle to the trusted ca cert store, it fails to login and '--insecure' flag also doesn't work[3] [Known Workarounds] None	[Environment] Bionic python3-httplib2 \| 0.9.2+dfsg-1ubuntu0.2 [Description] maas cli fails to work with apis over https with self-signed certificates due to the lack of disable_ssl_certificate_validation option with python 3.5. [Distribution/Release, Package versions, Platform] cat /etc/lsb-release; dpkg -l \| grep maas DISTRIB_ID=Ubuntu DISTRIB_RELEASE=18.04 DISTRIB_CODENAME=bionic DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS" ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a physical cloud and IPAM ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and command-line interface ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common files ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack Controller for MAAS ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region controller API service for MAAS ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region Controller for MAAS ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server Django web framework (Python 3) ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS python API client (Python 3) ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server provisioning libraries (Python 3) [Steps to Reproduce] - prepare a maas server(installed by packages for me and the customer). it doesn't have to be HA to reproduce - prepare a set of certificate, key and ca-bundle - place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` - add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates - login with a new profile over https url - when not added the ca-bundle to the trusted ca cert store, it fails to login and '--insecure' flag also doesn't work[3] [Known Workarounds] None [Test] helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1820083 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) # install fixed package sudo apt install ./python3-httplib2_0.9.2+dfsg-1ubuntu0.2.1_all.deb
2020-12-15 22:50:38	Heather Lemon	attachment added		python-httplib2-bionic-lp1906720.debdiff https://bugs.launchpad.net/ubuntu/bionic/+source/python-httplib2/+bug/1906720/+attachment/5443988/+files/python-httplib2-bionic-lp1906720.debdiff
2020-12-15 23:13:02	Heather Lemon	python-httplib2 (Ubuntu Bionic): importance	Undecided	Medium
2020-12-16 17:27:57	Heather Lemon	bug			added subscriber Ubuntu Sponsors Team
2020-12-16 17:28:20	Heather Lemon	removed subscriber Ubuntu Sponsors Team
2020-12-16 17:29:03	Heather Lemon	bug			added subscriber STS Sponsors
2020-12-16 19:02:15	Eric Desrochers	bug			added subscriber Eric Desrochers
2020-12-16 21:06:55	Heather Lemon	description	[Environment] Bionic python3-httplib2 \| 0.9.2+dfsg-1ubuntu0.2 [Description] maas cli fails to work with apis over https with self-signed certificates due to the lack of disable_ssl_certificate_validation option with python 3.5. [Distribution/Release, Package versions, Platform] cat /etc/lsb-release; dpkg -l \| grep maas DISTRIB_ID=Ubuntu DISTRIB_RELEASE=18.04 DISTRIB_CODENAME=bionic DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS" ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a physical cloud and IPAM ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and command-line interface ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common files ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack Controller for MAAS ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region controller API service for MAAS ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region Controller for MAAS ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server Django web framework (Python 3) ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS python API client (Python 3) ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server provisioning libraries (Python 3) [Steps to Reproduce] - prepare a maas server(installed by packages for me and the customer). it doesn't have to be HA to reproduce - prepare a set of certificate, key and ca-bundle - place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` - add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates - login with a new profile over https url - when not added the ca-bundle to the trusted ca cert store, it fails to login and '--insecure' flag also doesn't work[3] [Known Workarounds] None [Test] helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1820083 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) # install fixed package sudo apt install ./python3-httplib2_0.9.2+dfsg-1ubuntu0.2.1_all.deb	[Environment] Bionic python3-httplib2 \| 0.9.2+dfsg-1ubuntu0.2 [Description] maas cli fails to work with apis over https with self-signed certificates due to the lack of disable_ssl_certificate_validation option with python 3.5. [Distribution/Release, Package versions, Platform] cat /etc/lsb-release; dpkg -l \| grep maas DISTRIB_ID=Ubuntu DISTRIB_RELEASE=18.04 DISTRIB_CODENAME=bionic DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS" ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a physical cloud and IPAM ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and command-line interface ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common files ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack Controller for MAAS ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region controller API service for MAAS ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region Controller for MAAS ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server Django web framework (Python 3) ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS python API client (Python 3) ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server provisioning libraries (Python 3) [Steps to Reproduce] - prepare a maas server(installed by packages for me and the customer). it doesn't have to be HA to reproduce - prepare a set of certificate, key and ca-bundle - place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` - add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates - login with a new profile over https url - when not added the ca-bundle to the trusted ca cert store, it fails to login and '--insecure' flag also doesn't work[3] [Known Workarounds] None [Test] helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1820083 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) # install fixed package sudo apt install ./python3-httplib2_0.9.2+dfsg-1ubuntu0.2.1_all.deb
2020-12-16 21:37:58	Heather Lemon	description	[Environment] Bionic python3-httplib2 \| 0.9.2+dfsg-1ubuntu0.2 [Description] maas cli fails to work with apis over https with self-signed certificates due to the lack of disable_ssl_certificate_validation option with python 3.5. [Distribution/Release, Package versions, Platform] cat /etc/lsb-release; dpkg -l \| grep maas DISTRIB_ID=Ubuntu DISTRIB_RELEASE=18.04 DISTRIB_CODENAME=bionic DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS" ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a physical cloud and IPAM ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and command-line interface ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common files ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack Controller for MAAS ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region controller API service for MAAS ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region Controller for MAAS ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server Django web framework (Python 3) ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS python API client (Python 3) ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server provisioning libraries (Python 3) [Steps to Reproduce] - prepare a maas server(installed by packages for me and the customer). it doesn't have to be HA to reproduce - prepare a set of certificate, key and ca-bundle - place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` - add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates - login with a new profile over https url - when not added the ca-bundle to the trusted ca cert store, it fails to login and '--insecure' flag also doesn't work[3] [Known Workarounds] None [Test] helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1820083 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) # install fixed package sudo apt install ./python3-httplib2_0.9.2+dfsg-1ubuntu0.2.1_all.deb	[Environment] Bionic python3-httplib2 \| 0.9.2+dfsg-1ubuntu0.2 [Description] maas cli fails to work with apis over https with self-signed certificates due to the lack of disable_ssl_certificate_validation option with python 3.5. [Distribution/Release, Package versions, Platform] cat /etc/lsb-release; dpkg -l \| grep maas DISTRIB_ID=Ubuntu DISTRIB_RELEASE=18.04 DISTRIB_CODENAME=bionic DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS" ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a physical cloud and IPAM ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and command-line interface ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common files ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack Controller for MAAS ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region controller API service for MAAS ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region Controller for MAAS ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server Django web framework (Python 3) ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS python API client (Python 3) ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server provisioning libraries (Python 3) [Steps to Reproduce] - prepare a maas server(installed by packages for me and the customer). it doesn't have to be HA to reproduce - prepare a set of certificate, key and ca-bundle - place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` - add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates - login with a new profile over https url - when not added the ca-bundle to the trusted ca cert store, it fails to login and '--insecure' flag also doesn't work[3] [Known Workarounds] None [Test] # Note even though this change only affects Python3 # I tested it with Python2 with no issues and was able to connect. helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1820083 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) # install fixed package sudo apt install ./python3-httplib2_0.9.2+dfsg-1ubuntu0.2.1_all.deb
2020-12-16 21:41:14	Heather Lemon	description	[Environment] Bionic python3-httplib2 \| 0.9.2+dfsg-1ubuntu0.2 [Description] maas cli fails to work with apis over https with self-signed certificates due to the lack of disable_ssl_certificate_validation option with python 3.5. [Distribution/Release, Package versions, Platform] cat /etc/lsb-release; dpkg -l \| grep maas DISTRIB_ID=Ubuntu DISTRIB_RELEASE=18.04 DISTRIB_CODENAME=bionic DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS" ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a physical cloud and IPAM ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and command-line interface ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common files ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack Controller for MAAS ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region controller API service for MAAS ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region Controller for MAAS ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server Django web framework (Python 3) ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS python API client (Python 3) ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server provisioning libraries (Python 3) [Steps to Reproduce] - prepare a maas server(installed by packages for me and the customer). it doesn't have to be HA to reproduce - prepare a set of certificate, key and ca-bundle - place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` - add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates - login with a new profile over https url - when not added the ca-bundle to the trusted ca cert store, it fails to login and '--insecure' flag also doesn't work[3] [Known Workarounds] None [Test] # Note even though this change only affects Python3 # I tested it with Python2 with no issues and was able to connect. helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1820083 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) # install fixed package sudo apt install ./python3-httplib2_0.9.2+dfsg-1ubuntu0.2.1_all.deb	[Environment] Bionic python3-httplib2 \| 0.9.2+dfsg-1ubuntu0.2 [Description] maas cli fails to work with apis over https with self-signed certificates due to the lack of disable_ssl_certificate_validation option with python 3.5. [Distribution/Release, Package versions, Platform] cat /etc/lsb-release; dpkg -l \| grep maas DISTRIB_ID=Ubuntu DISTRIB_RELEASE=18.04 DISTRIB_CODENAME=bionic DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS" ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a physical cloud and IPAM ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and command-line interface ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common files ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack Controller for MAAS ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region controller API service for MAAS ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region Controller for MAAS ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server Django web framework (Python 3) ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS python API client (Python 3) ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server provisioning libraries (Python 3) [Steps to Reproduce] - prepare a maas server(installed by packages for me and the customer). it doesn't have to be HA to reproduce - prepare a set of certificate, key and ca-bundle - place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` - add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates - login with a new profile over https url - when not added the ca-bundle to the trusted ca cert store, it fails to login and '--insecure' flag also doesn't work[3] [Known Workarounds] None [Test] # Note even though this change only affects Python3 # I tested it with Python2 with no issues and was able to connect. Also please make note of the 2 packages. One is for Python2 the other Python3 Python2 ===> python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb Python3 ===> python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1820083 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) # install fixed package sudo apt install ./python3-httplib2_0.9.2+dfsg-1ubuntu0.2.1_all.deb
2020-12-16 23:10:02	Heather Lemon	attachment removed	python-httplib2-bionic-lp1906720.debdiff https://bugs.launchpad.net/ubuntu/bionic/+source/python-httplib2/+bug/1906720/+attachment/5443988/+files/python-httplib2-bionic-lp1906720.debdiff
2020-12-16 23:10:34	Heather Lemon	attachment added		python-httplib2-bionic-lp1906720.debdiff https://bugs.launchpad.net/ubuntu/bionic/+source/python-httplib2/+bug/1906720/+attachment/5444323/+files/python-httplib2-bionic-lp1906720.debdiff
2021-01-19 20:23:59	Dan Streetman	tags		sts sts-sponsor-ddstreet
2021-01-19 22:18:36	Dan Streetman	attachment added		lp1906720-b.debdiff https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+attachment/5454694/+files/lp1906720-b.debdiff
2021-01-20 07:57:48	Robie Basak	python-httplib2 (Ubuntu Bionic): status	In Progress	Incomplete
2021-01-20 16:41:16	Heather Lemon	description	[Environment] Bionic python3-httplib2 \| 0.9.2+dfsg-1ubuntu0.2 [Description] maas cli fails to work with apis over https with self-signed certificates due to the lack of disable_ssl_certificate_validation option with python 3.5. [Distribution/Release, Package versions, Platform] cat /etc/lsb-release; dpkg -l \| grep maas DISTRIB_ID=Ubuntu DISTRIB_RELEASE=18.04 DISTRIB_CODENAME=bionic DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS" ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a physical cloud and IPAM ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and command-line interface ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common files ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack Controller for MAAS ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region controller API service for MAAS ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region Controller for MAAS ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server Django web framework (Python 3) ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS python API client (Python 3) ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server provisioning libraries (Python 3) [Steps to Reproduce] - prepare a maas server(installed by packages for me and the customer). it doesn't have to be HA to reproduce - prepare a set of certificate, key and ca-bundle - place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` - add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates - login with a new profile over https url - when not added the ca-bundle to the trusted ca cert store, it fails to login and '--insecure' flag also doesn't work[3] [Known Workarounds] None [Test] # Note even though this change only affects Python3 # I tested it with Python2 with no issues and was able to connect. Also please make note of the 2 packages. One is for Python2 the other Python3 Python2 ===> python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb Python3 ===> python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1820083 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) # install fixed package sudo apt install ./python3-httplib2_0.9.2+dfsg-1ubuntu0.2.1_all.deb	[Environment] Bionic python3-httplib2 \| 0.9.2+dfsg-1ubuntu0.2 [Description] maas cli fails to work with apis over https with self-signed certificates due to the lack of disable_ssl_certificate_validation option with python 3.5. [Distribution/Release, Package versions, Platform] cat /etc/lsb-release; dpkg -l \| grep maas DISTRIB_ID=Ubuntu DISTRIB_RELEASE=18.04 DISTRIB_CODENAME=bionic DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS" ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a physical cloud and IPAM ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and command-line interface ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common files ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack Controller for MAAS ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region controller API service for MAAS ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region Controller for MAAS ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server Django web framework (Python 3) ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS python API client (Python 3) ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server provisioning libraries (Python 3) [Steps to Reproduce] - prepare a maas server(installed by packages for me and the customer). it doesn't have to be HA to reproduce - prepare a set of certificate, key and ca-bundle - place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` - add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates - login with a new profile over https url - when not added the ca-bundle to the trusted ca cert store, it fails to login and '--insecure' flag also doesn't work[3] [Known Workarounds] None [Test] # Note even though this change only affects Python3 # I tested it with Python2 with no issues and was able to connect. Also please make note of the 2 packages. One is for Python2 the other Python3 Python2 ===> python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb Python3 ===> python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) # install fixed package sudo apt install ./python3-httplib2_0.9.2+dfsg-1ubuntu0.2.1_all.deb
2021-01-20 20:24:31	Heather Lemon	attachment added		python-httplib2-bionic-lp1906720.debdiff https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+attachment/5454956/+files/python-httplib2-bionic-lp1906720.debdiff
2021-01-20 22:13:27	Heather Lemon	description	[Environment] Bionic python3-httplib2 \| 0.9.2+dfsg-1ubuntu0.2 [Description] maas cli fails to work with apis over https with self-signed certificates due to the lack of disable_ssl_certificate_validation option with python 3.5. [Distribution/Release, Package versions, Platform] cat /etc/lsb-release; dpkg -l \| grep maas DISTRIB_ID=Ubuntu DISTRIB_RELEASE=18.04 DISTRIB_CODENAME=bionic DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS" ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a physical cloud and IPAM ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and command-line interface ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common files ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack Controller for MAAS ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region controller API service for MAAS ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region Controller for MAAS ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server Django web framework (Python 3) ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS python API client (Python 3) ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server provisioning libraries (Python 3) [Steps to Reproduce] - prepare a maas server(installed by packages for me and the customer). it doesn't have to be HA to reproduce - prepare a set of certificate, key and ca-bundle - place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` - add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates - login with a new profile over https url - when not added the ca-bundle to the trusted ca cert store, it fails to login and '--insecure' flag also doesn't work[3] [Known Workarounds] None [Test] # Note even though this change only affects Python3 # I tested it with Python2 with no issues and was able to connect. Also please make note of the 2 packages. One is for Python2 the other Python3 Python2 ===> python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb Python3 ===> python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) # install fixed package sudo apt install ./python3-httplib2_0.9.2+dfsg-1ubuntu0.2.1_all.deb	[Environment] Bionic python3-httplib2 \| 0.9.2+dfsg-1ubuntu0.2 [Description] maas cli fails to work with apis over https with self-signed certificates due to the lack of disable_ssl_certificate_validation option with python 3.5. [Distribution/Release, Package versions, Platform] cat /etc/lsb-release; dpkg -l \| grep maas DISTRIB_ID=Ubuntu DISTRIB_RELEASE=18.04 DISTRIB_CODENAME=bionic DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS" ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a physical cloud and IPAM ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and command-line interface ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common files ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack Controller for MAAS ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region controller API service for MAAS ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region Controller for MAAS ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server Django web framework (Python 3) ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS python API client (Python 3) ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server provisioning libraries (Python 3) [Steps to Reproduce] - prepare a maas server(installed by packages for me and the customer). it doesn't have to be HA to reproduce - prepare a set of certificate, key and ca-bundle - place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` - add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates - login with a new profile over https url - when not added the ca-bundle to the trusted ca cert store, it fails to login and '--insecure' flag also doesn't work[3] [Known Workarounds] None [Test] # Note even though this change only affects Python3 # I tested it with Python2 with no issues and was able to connect. Also please make note of the 2 packages. One is for Python2 the other Python3 Python2 ===> python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb Python3 ===> python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) [Where Issues Could Occur] They moved the if check for using `--insecure` when connecting further down. This issue is going into holding as we need to discuss if MAAS can monkey patch it.
2021-01-21 15:06:08	Heather Lemon	bug task added		maas (Ubuntu)
2021-01-21 16:37:56	Heather Lemon	description	[Environment] Bionic python3-httplib2 \| 0.9.2+dfsg-1ubuntu0.2 [Description] maas cli fails to work with apis over https with self-signed certificates due to the lack of disable_ssl_certificate_validation option with python 3.5. [Distribution/Release, Package versions, Platform] cat /etc/lsb-release; dpkg -l \| grep maas DISTRIB_ID=Ubuntu DISTRIB_RELEASE=18.04 DISTRIB_CODENAME=bionic DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS" ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a physical cloud and IPAM ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and command-line interface ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common files ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack Controller for MAAS ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region controller API service for MAAS ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region Controller for MAAS ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server Django web framework (Python 3) ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS python API client (Python 3) ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server provisioning libraries (Python 3) [Steps to Reproduce] - prepare a maas server(installed by packages for me and the customer). it doesn't have to be HA to reproduce - prepare a set of certificate, key and ca-bundle - place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` - add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates - login with a new profile over https url - when not added the ca-bundle to the trusted ca cert store, it fails to login and '--insecure' flag also doesn't work[3] [Known Workarounds] None [Test] # Note even though this change only affects Python3 # I tested it with Python2 with no issues and was able to connect. Also please make note of the 2 packages. One is for Python2 the other Python3 Python2 ===> python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb Python3 ===> python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) [Where Issues Could Occur] They moved the if check for using `--insecure` when connecting further down. This issue is going into holding as we need to discuss if MAAS can monkey patch it.	[Environment] Bionic python3-httplib2 \| 0.9.2+dfsg-1ubuntu0.2 [Description] maas cli fails to work with apis over https with self-signed certificates due to the lack of disable_ssl_certificate_validation option with python 3.5. [Distribution/Release, Package versions, Platform] cat /etc/lsb-release; dpkg -l \| grep maas DISTRIB_ID=Ubuntu DISTRIB_RELEASE=18.04 DISTRIB_CODENAME=bionic DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS" ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a physical cloud and IPAM ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and command-line interface ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common files ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack Controller for MAAS ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region controller API service for MAAS ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region Controller for MAAS ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server Django web framework (Python 3) ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS python API client (Python 3) ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server provisioning libraries (Python 3) [Steps to Reproduce] - prepare a maas server(installed by packages for me and the customer). it doesn't have to be HA to reproduce - prepare a set of certificate, key and ca-bundle - place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` - add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates - login with a new profile over https url - when not added the ca-bundle to the trusted ca cert store, it fails to login and '--insecure' flag also doesn't work[3] [Known Workarounds] None [Test] # Note even though this change only affects Python3 # I tested it with Python2 with no issues and was able to connect. Also please make note of the 2 packages. One is for Python2 the other Python3 Python2 ===> python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb Python3 ===> python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) [Where Issues Could Occur] Potential issues could happen if we disable certificate validation for all ssl interactions, any connection https related. This will not break exsiting python3 versions. This does not affect any python2x versions.
2021-01-21 17:03:54	Heather Lemon	attachment added		Screenshot from 2020-12-15 12-48-12.png https://bugs.launchpad.net/ubuntu/+source/maas/+bug/1906720/+attachment/5455213/+files/Screenshot%20from%202020-12-15%2012-48-12.png
2021-01-24 17:50:03	Heather Lemon	description	[Environment] Bionic python3-httplib2 \| 0.9.2+dfsg-1ubuntu0.2 [Description] maas cli fails to work with apis over https with self-signed certificates due to the lack of disable_ssl_certificate_validation option with python 3.5. [Distribution/Release, Package versions, Platform] cat /etc/lsb-release; dpkg -l \| grep maas DISTRIB_ID=Ubuntu DISTRIB_RELEASE=18.04 DISTRIB_CODENAME=bionic DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS" ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a physical cloud and IPAM ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and command-line interface ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common files ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack Controller for MAAS ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region controller API service for MAAS ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region Controller for MAAS ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server Django web framework (Python 3) ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS python API client (Python 3) ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server provisioning libraries (Python 3) [Steps to Reproduce] - prepare a maas server(installed by packages for me and the customer). it doesn't have to be HA to reproduce - prepare a set of certificate, key and ca-bundle - place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` - add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates - login with a new profile over https url - when not added the ca-bundle to the trusted ca cert store, it fails to login and '--insecure' flag also doesn't work[3] [Known Workarounds] None [Test] # Note even though this change only affects Python3 # I tested it with Python2 with no issues and was able to connect. Also please make note of the 2 packages. One is for Python2 the other Python3 Python2 ===> python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb Python3 ===> python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) [Where Issues Could Occur] Potential issues could happen if we disable certificate validation for all ssl interactions, any connection https related. This will not break exsiting python3 versions. This does not affect any python2x versions.	[Environment] Bionic python3-httplib2 \| 0.9.2+dfsg-1ubuntu0.2 MAAS - 2.8.2 [Description] maas cli fails to work with apis over https with self-signed certificates due to the lack of disable_ssl_certificate_validation option with python 3.5. [Distribution/Release, Package versions, Platform] cat /etc/lsb-release; dpkg -l \| grep maas DISTRIB_ID=Ubuntu DISTRIB_RELEASE=18.04 DISTRIB_CODENAME=bionic DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS" ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a physical cloud and IPAM ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and command-line interface ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common files ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack Controller for MAAS ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region controller API service for MAAS ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region Controller for MAAS ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server Django web framework (Python 3) ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS python API client (Python 3) ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server provisioning libraries (Python 3) [Steps to Reproduce] - prepare a maas server(installed by packages for me and the customer). it doesn't have to be HA to reproduce - prepare a set of certificate, key and ca-bundle - place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` - add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates - login with a new profile over https url - when not added the ca-bundle to the trusted ca cert store, it fails to login and '--insecure' flag also doesn't work[3] [Known Workarounds] None [Test] # Note even though this change only affects Python3 # I tested it with Python2 with no issues and was able to connect. Also please make note of the 2 packages. One is for Python2 the other Python3 Python2 ===> python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb Python3 ===> python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # TODO: add setup for ngnix config # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) [Where Issues Could Occur] Potential issues could happen if we disable certificate validation for all ssl interactions, any connection https related. This will not break exsiting python3 versions. This does not affect any python2x versions.
2021-01-24 22:56:21	Mathew Hodson	bug task deleted	maas (Ubuntu)
2021-01-24 22:56:34	Mathew Hodson	bug task deleted	maas (Ubuntu Bionic)
2021-01-24 22:56:40	Mathew Hodson	bug task deleted	maas (Ubuntu Focal)
2021-01-24 22:56:46	Mathew Hodson	bug task deleted	maas (Ubuntu Groovy)
2021-01-24 22:56:52	Mathew Hodson	bug task deleted	maas (Ubuntu Hirsute)
2021-01-24 23:29:02	Mathew Hodson	description	[Environment] Bionic python3-httplib2 \| 0.9.2+dfsg-1ubuntu0.2 MAAS - 2.8.2 [Description] maas cli fails to work with apis over https with self-signed certificates due to the lack of disable_ssl_certificate_validation option with python 3.5. [Distribution/Release, Package versions, Platform] cat /etc/lsb-release; dpkg -l \| grep maas DISTRIB_ID=Ubuntu DISTRIB_RELEASE=18.04 DISTRIB_CODENAME=bionic DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS" ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a physical cloud and IPAM ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and command-line interface ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common files ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack Controller for MAAS ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region controller API service for MAAS ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region Controller for MAAS ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server Django web framework (Python 3) ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS python API client (Python 3) ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server provisioning libraries (Python 3) [Steps to Reproduce] - prepare a maas server(installed by packages for me and the customer). it doesn't have to be HA to reproduce - prepare a set of certificate, key and ca-bundle - place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` - add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates - login with a new profile over https url - when not added the ca-bundle to the trusted ca cert store, it fails to login and '--insecure' flag also doesn't work[3] [Known Workarounds] None [Test] # Note even though this change only affects Python3 # I tested it with Python2 with no issues and was able to connect. Also please make note of the 2 packages. One is for Python2 the other Python3 Python2 ===> python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb Python3 ===> python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # TODO: add setup for ngnix config # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) [Where Issues Could Occur] Potential issues could happen if we disable certificate validation for all ssl interactions, any connection https related. This will not break exsiting python3 versions. This does not affect any python2x versions.	[Impact] * On Bionic, MAAS CLI fails to work with apis over https with self-signed certificates due to broken disable_ssl_certificate_validation option with python 3.5 and later. [Steps to Reproduce] 1. prepare a maas server (it doesn't have to be HA to reproduce) 2. prepare a set of certificate, key and ca-bundle 3. place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` 4. add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates 5. login with a new profile over https url 6. if the certificate is not trusted by the root store, it fails to login 7. adding the '--insecure' flag should disable the certificate check [Where problems could occur] * Potential issues could happen if we disable certificate validation for all TLS interactions, any connection https related. * Should not break existing python3 versions. * Should not affect previously working python2 versions. [Other Info] This change should fix the issue with python3, and you should be able to connect with python2 as before. python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip))
2021-01-24 23:29:20	Mathew Hodson	python-httplib2 (Ubuntu Bionic): status	Incomplete	In Progress
2021-01-24 23:32:35	Mathew Hodson	description	[Impact] * On Bionic, MAAS CLI fails to work with apis over https with self-signed certificates due to broken disable_ssl_certificate_validation option with python 3.5 and later. [Steps to Reproduce] 1. prepare a maas server (it doesn't have to be HA to reproduce) 2. prepare a set of certificate, key and ca-bundle 3. place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` 4. add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates 5. login with a new profile over https url 6. if the certificate is not trusted by the root store, it fails to login 7. adding the '--insecure' flag should disable the certificate check [Where problems could occur] * Potential issues could happen if we disable certificate validation for all TLS interactions, any connection https related. * Should not break existing python3 versions. * Should not affect previously working python2 versions. [Other Info] This change should fix the issue with python3, and you should be able to connect with python2 as before. python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip))	[Impact] * On Bionic, MAAS CLI fails to work with apis over https with self-signed certificates due to broken disable_ssl_certificate_validation option with python 3.5 and later. [Steps to Reproduce] 1. prepare a maas server (it doesn't have to be HA to reproduce) 2. prepare a set of certificate, key and ca-bundle 3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` 4. add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates 5. login with a new profile over https url 6. if the certificate is not trusted by the root store, it fails to login 7. adding the '--insecure' flag should disable the certificate check [Where problems could occur] * Potential issues could happen if we disable certificate validation for all TLS interactions, any connection https related. * Should not break existing python3 versions. * Should not affect previously working python2 versions. [Other Info] This change should fix the issue with python3, and you should be able to connect with python2 as before. python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip))
2021-01-24 23:49:07	Heather Lemon	attachment added		Screenshot from 2021-01-24 16-48-21.png https://bugs.launchpad.net/ubuntu/bionic/+source/python-httplib2/+bug/1906720/+attachment/5456434/+files/Screenshot%20from%202021-01-24%2016-48-21.png
2021-01-24 23:49:35	Heather Lemon	attachment added		Screenshot from 2021-01-24 16-36-07.png https://bugs.launchpad.net/ubuntu/bionic/+source/python-httplib2/+bug/1906720/+attachment/5456435/+files/Screenshot%20from%202021-01-24%2016-36-07.png
2021-01-24 23:52:32	Heather Lemon	attachment added		maas-login.sh https://bugs.launchpad.net/ubuntu/bionic/+source/python-httplib2/+bug/1906720/+attachment/5456436/+files/maas-login.sh
2021-01-24 23:53:01	Heather Lemon	attachment added		https-maas-login.sh https://bugs.launchpad.net/ubuntu/bionic/+source/python-httplib2/+bug/1906720/+attachment/5456437/+files/https-maas-login.sh
2021-01-25 14:21:32	Dan Streetman	tags	sts sts-sponsor-ddstreet	sts sts-sponsor-slashd
2021-01-25 15:16:03	Heather Lemon	description	[Impact] * On Bionic, MAAS CLI fails to work with apis over https with self-signed certificates due to broken disable_ssl_certificate_validation option with python 3.5 and later. [Steps to Reproduce] 1. prepare a maas server (it doesn't have to be HA to reproduce) 2. prepare a set of certificate, key and ca-bundle 3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` 4. add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates 5. login with a new profile over https url 6. if the certificate is not trusted by the root store, it fails to login 7. adding the '--insecure' flag should disable the certificate check [Where problems could occur] * Potential issues could happen if we disable certificate validation for all TLS interactions, any connection https related. * Should not break existing python3 versions. * Should not affect previously working python2 versions. [Other Info] This change should fix the issue with python3, and you should be able to connect with python2 as before. python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip))	[Impact] * On Bionic, MAAS CLI fails to work with apis over https with self-signed certificates due to broken disable_ssl_certificate_validation option with python 3.5 and later. [Steps to Reproduce] 1. prepare a maas server (it doesn't have to be HA to reproduce) 2. prepare a set of certificate, key and ca-bundle 3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` 4. add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates 5. login with a new profile over https url 6. if the certificate is not trusted by the root store, it fails to login 7. adding the '--insecure' flag should disable the certificate check [Where problems could occur] * Potential issues could happen if we disable certificate validation for all TLS interactions, any connection https related. * Should not break existing python3 versions. * Should not affect previously working python2 versions. [Other Info] This change should fix the issue with python3, and you should be able to connect with python2 as before. python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # setup nginx proxy sudo apt update sudo apt install nginx touch /etc/nginx/sites-available/maas-https-default # contents of maas-https-default server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) [Other] HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /MAAS/api/2.0/account/?op=create_authorisation_token (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f7ad3d91048>: Failed to establish a new connection: [Errno 111] Connection refused',)) ( reboot ngnix if you see this message )
2021-01-25 15:16:30	Heather Lemon	description	[Impact] * On Bionic, MAAS CLI fails to work with apis over https with self-signed certificates due to broken disable_ssl_certificate_validation option with python 3.5 and later. [Steps to Reproduce] 1. prepare a maas server (it doesn't have to be HA to reproduce) 2. prepare a set of certificate, key and ca-bundle 3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` 4. add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates 5. login with a new profile over https url 6. if the certificate is not trusted by the root store, it fails to login 7. adding the '--insecure' flag should disable the certificate check [Where problems could occur] * Potential issues could happen if we disable certificate validation for all TLS interactions, any connection https related. * Should not break existing python3 versions. * Should not affect previously working python2 versions. [Other Info] This change should fix the issue with python3, and you should be able to connect with python2 as before. python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # setup nginx proxy sudo apt update sudo apt install nginx touch /etc/nginx/sites-available/maas-https-default # contents of maas-https-default server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) [Other] HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /MAAS/api/2.0/account/?op=create_authorisation_token (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f7ad3d91048>: Failed to establish a new connection: [Errno 111] Connection refused',)) ( reboot ngnix if you see this message )	[Impact] * On Bionic, MAAS CLI fails to work with apis over https with self-signed certificates due to broken disable_ssl_certificate_validation option with python 3.5 and later. [Steps to Reproduce] 1. prepare a maas server (it doesn't have to be HA to reproduce) 2. prepare a set of certificate, key and ca-bundle 3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` 4. add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates 5. login with a new profile over https url 6. if the certificate is not trusted by the root store, it fails to login 7. adding the '--insecure' flag should disable the certificate check [Where problems could occur] * Potential issues could happen if we disable certificate validation for all TLS interactions, any connection https related. * Should not break existing python3 versions. * Should not affect previously working python2 versions. [Other Info] This change should fix the issue with python3, and you should be able to connect with python2 as before. python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # setup nginx proxy sudo apt update sudo apt install nginx touch /etc/nginx/sites-available/maas-https-default # contents of maas-https-default server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } sudo service nginx restart # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) [Other] HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /MAAS/api/2.0/account/?op=create_authorisation_token (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f7ad3d91048>: Failed to establish a new connection: [Errno 111] Connection refused',)) ( reboot ngnix if you see this message )
2021-01-25 15:52:14	Heather Lemon	description	[Impact] * On Bionic, MAAS CLI fails to work with apis over https with self-signed certificates due to broken disable_ssl_certificate_validation option with python 3.5 and later. [Steps to Reproduce] 1. prepare a maas server (it doesn't have to be HA to reproduce) 2. prepare a set of certificate, key and ca-bundle 3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` 4. add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates 5. login with a new profile over https url 6. if the certificate is not trusted by the root store, it fails to login 7. adding the '--insecure' flag should disable the certificate check [Where problems could occur] * Potential issues could happen if we disable certificate validation for all TLS interactions, any connection https related. * Should not break existing python3 versions. * Should not affect previously working python2 versions. [Other Info] This change should fix the issue with python3, and you should be able to connect with python2 as before. python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # setup nginx proxy sudo apt update sudo apt install nginx touch /etc/nginx/sites-available/maas-https-default # contents of maas-https-default server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } sudo service nginx restart # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) [Other] HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /MAAS/api/2.0/account/?op=create_authorisation_token (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f7ad3d91048>: Failed to establish a new connection: [Errno 111] Connection refused',)) ( reboot ngnix if you see this message )	[Impact] * On Bionic, MAAS CLI fails to work with apis over https with self-signed certificates due to broken disable_ssl_certificate_validation option with python 3.5 and later. [Steps to Reproduce] 1. prepare a maas server (it doesn't have to be HA to reproduce) 2. prepare a set of certificate, key and ca-bundle 3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` 4. add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates 5. login with a new profile over https url 6. if the certificate is not trusted by the root store, it fails to login 7. adding the '--insecure' flag should disable the certificate check [Where problems could occur] * Potential issues could happen if we disable certificate validation for all TLS interactions, any connection https related. * Should not break existing python3 versions. * Should not affect previously working python2 versions. [Other Info] This change should fix the issue with python3, and you should be able to connect with python2 as before. python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v localhost.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save and it will reload with 1 new certificate # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # setup nginx proxy sudo apt update sudo apt install nginx touch /etc/nginx/sites-available/maas-https-default # contents of maas-https-default server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } sudo service nginx restart # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) [Other] HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /MAAS/api/2.0/account/?op=create_authorisation_token (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f7ad3d91048>: Failed to establish a new connection: [Errno 111] Connection refused',)) ( reboot ngnix if you see this message )
2021-01-25 16:32:17	Heather Lemon	attachment added		Screenshot from 2021-01-25 09-31-14.png https://bugs.launchpad.net/ubuntu/bionic/+source/python-httplib2/+bug/1906720/+attachment/5456688/+files/Screenshot%20from%202021-01-25%2009-31-14.png
2021-01-25 16:37:59	Heather Lemon	description	[Impact] * On Bionic, MAAS CLI fails to work with apis over https with self-signed certificates due to broken disable_ssl_certificate_validation option with python 3.5 and later. [Steps to Reproduce] 1. prepare a maas server (it doesn't have to be HA to reproduce) 2. prepare a set of certificate, key and ca-bundle 3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` 4. add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates 5. login with a new profile over https url 6. if the certificate is not trusted by the root store, it fails to login 7. adding the '--insecure' flag should disable the certificate check [Where problems could occur] * Potential issues could happen if we disable certificate validation for all TLS interactions, any connection https related. * Should not break existing python3 versions. * Should not affect previously working python2 versions. [Other Info] This change should fix the issue with python3, and you should be able to connect with python2 as before. python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v localhost.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save and it will reload with 1 new certificate # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # setup nginx proxy sudo apt update sudo apt install nginx touch /etc/nginx/sites-available/maas-https-default # contents of maas-https-default server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } sudo service nginx restart # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) [Other] HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /MAAS/api/2.0/account/?op=create_authorisation_token (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f7ad3d91048>: Failed to establish a new connection: [Errno 111] Connection refused',)) ( reboot ngnix if you see this message )	[Impact] * On Bionic, MAAS CLI fails to work with apis over https with self-signed certificates due to broken disable_ssl_certificate_validation option with python 3.5 and later. [Steps to Reproduce] 1. prepare a maas server (it doesn't have to be HA to reproduce) 2. prepare a set of certificate, key and ca-bundle 3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` 4. add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates 5. login with a new profile over https url 6. if the certificate is not trusted by the root store, it fails to login 7. adding the '--insecure' flag should disable the certificate check [Where problems could occur] * Potential issues could happen if we disable certificate validation for all TLS interactions, any connection https related. * Should not break existing python3 versions. * Should not affect previously working python2 versions. [Other Info] This change should fix the issue with python3, and you should be able to connect with python2 as before. python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb both are build from the same source package helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v localhost.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates [1] # select yes with spacebar # save and it will reload with 1 new certificate # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # setup nginx proxy sudo apt update sudo apt install nginx touch /etc/nginx/sites-available/maas-https-default # contents of maas-https-default server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } sudo service nginx restart # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) [Other] HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /MAAS/api/2.0/account/?op=create_authorisation_token (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f7ad3d91048>: Failed to establish a new connection: [Errno 111] Connection refused',)) ( reboot nginx if you see this message ) [1] https://itectec.com/ubuntu/ubuntu-how-to-install-a-root-certificate/
2021-01-26 14:28:19	Eric Desrochers	python-httplib2 (Ubuntu Focal): assignee	Heather Lemon (hypothetical-lemon)
2021-01-26 14:28:20	Eric Desrochers	python-httplib2 (Ubuntu Groovy): assignee	Heather Lemon (hypothetical-lemon)
2021-01-26 14:28:22	Eric Desrochers	python-httplib2 (Ubuntu Hirsute): assignee	Heather Lemon (hypothetical-lemon)
2021-02-08 20:24:06	Heather Lemon	tags	sts sts-sponsor-slashd	sts sts-sponsor-slashd verification-done-bionic
2021-02-08 22:14:19	Heather Lemon	description	[Impact] * On Bionic, MAAS CLI fails to work with apis over https with self-signed certificates due to broken disable_ssl_certificate_validation option with python 3.5 and later. [Steps to Reproduce] 1. prepare a maas server (it doesn't have to be HA to reproduce) 2. prepare a set of certificate, key and ca-bundle 3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` 4. add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates 5. login with a new profile over https url 6. if the certificate is not trusted by the root store, it fails to login 7. adding the '--insecure' flag should disable the certificate check [Where problems could occur] * Potential issues could happen if we disable certificate validation for all TLS interactions, any connection https related. * Should not break existing python3 versions. * Should not affect previously working python2 versions. [Other Info] This change should fix the issue with python3, and you should be able to connect with python2 as before. python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb both are build from the same source package helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v localhost.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates [1] # select yes with spacebar # save and it will reload with 1 new certificate # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # setup nginx proxy sudo apt update sudo apt install nginx touch /etc/nginx/sites-available/maas-https-default # contents of maas-https-default server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } sudo service nginx restart # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) [Other] HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /MAAS/api/2.0/account/?op=create_authorisation_token (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f7ad3d91048>: Failed to establish a new connection: [Errno 111] Connection refused',)) ( reboot nginx if you see this message ) [1] https://itectec.com/ubuntu/ubuntu-how-to-install-a-root-certificate/	[Impact] * On Bionic, MAAS CLI fails to work with apis over https with self-signed certificates due to broken disable_ssl_certificate_validation option with python 3.5 and later. [Steps to Reproduce] 1. prepare a maas server (it doesn't have to be HA to reproduce) 2. prepare a set of certificate, key and ca-bundle 3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` 4. add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates 5. login with a new profile over https url 6. if the certificate is not trusted by the root store, it fails to login 7. adding the '--insecure' flag should disable the certificate check [Where problems could occur] * Potential issues could happen if we disable certificate validation for all TLS interactions, any connection https related. * Should not break existing python3 versions. * Should not affect previously working python2 versions. [Other Info] This change should fix the issue with python3, and you should be able to connect with python2 as before. python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb both are build from the same source package helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v localhost.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates [1] # select yes with spacebar # save and it will reload with 1 new certificate # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # setup nginx proxy sudo apt update sudo apt install nginx touch /etc/nginx/sites-available/maas-https-default # contents of maas-https-default server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } sudo service nginx restart # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) [Other] HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /MAAS/api/2.0/account/?op=create_authorisation_token (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f7ad3d91048>: Failed to establish a new connection: [Errno 111] Connection refused',)) ( reboot nginx if you see this message ) [1] https://itectec.com/ubuntu/ubuntu-how-to-install-a-root-certificate/ [VERIFICATION DONE] I have followed the outline in the reproducer steps. Saw that the issue was resolved with the fix. No errors were thrown in the logs, was able to login with maas-cli over https. (The gui also worked) Also updated a [Where problems could occur] section.
2021-02-09 15:38:26	Heather Lemon	description	[Impact] * On Bionic, MAAS CLI fails to work with apis over https with self-signed certificates due to broken disable_ssl_certificate_validation option with python 3.5 and later. [Steps to Reproduce] 1. prepare a maas server (it doesn't have to be HA to reproduce) 2. prepare a set of certificate, key and ca-bundle 3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` 4. add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates 5. login with a new profile over https url 6. if the certificate is not trusted by the root store, it fails to login 7. adding the '--insecure' flag should disable the certificate check [Where problems could occur] * Potential issues could happen if we disable certificate validation for all TLS interactions, any connection https related. * Should not break existing python3 versions. * Should not affect previously working python2 versions. [Other Info] This change should fix the issue with python3, and you should be able to connect with python2 as before. python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb both are build from the same source package helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v localhost.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates [1] # select yes with spacebar # save and it will reload with 1 new certificate # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # setup nginx proxy sudo apt update sudo apt install nginx touch /etc/nginx/sites-available/maas-https-default # contents of maas-https-default server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } sudo service nginx restart # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) [Other] HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /MAAS/api/2.0/account/?op=create_authorisation_token (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f7ad3d91048>: Failed to establish a new connection: [Errno 111] Connection refused',)) ( reboot nginx if you see this message ) [1] https://itectec.com/ubuntu/ubuntu-how-to-install-a-root-certificate/ [VERIFICATION DONE] I have followed the outline in the reproducer steps. Saw that the issue was resolved with the fix. No errors were thrown in the logs, was able to login with maas-cli over https. (The gui also worked) Also updated a [Where problems could occur] section.	[Impact] * On Bionic, MAAS CLI fails to work with apis over https with self-signed certificates due to broken disable_ssl_certificate_validation option with python 3.5 and later. [Steps to Reproduce] 1. prepare a maas server (it doesn't have to be HA to reproduce) 2. prepare a set of certificate, key and ca-bundle 3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` 4. add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates 5. login with a new profile over https url 6. if the certificate is not trusted by the root store, it fails to login 7. adding the '--insecure' flag should disable the certificate check [Where problems could occur] * Potential issues could happen if we disable certificate validation for all TLS interactions, any connection https related. * Should not break existing python3 versions. * Should not affect previously working python2 versions. [Other Info] This change should fix the issue with python3, and you should be able to connect with python2 as before. python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb both are build from the same source package helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey [Test Case] # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v localhost.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates [1] # select yes with spacebar # save and it will reload with 1 new certificate # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # setup nginx proxy sudo apt update sudo apt install nginx touch /etc/nginx/sites-available/maas-https-default # contents of maas-https-default server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } sudo service nginx restart # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) [Other] HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /MAAS/api/2.0/account/?op=create_authorisation_token (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f7ad3d91048>: Failed to establish a new connection: [Errno 111] Connection refused',)) ( reboot nginx if you see this message ) [1] https://itectec.com/ubuntu/ubuntu-how-to-install-a-root-certificate/ [VERIFICATION DONE] I have followed the outline in the reproducer steps. Saw that the issue was resolved with the fix. No errors were thrown in the logs, was able to login with maas-cli over https. (The gui also worked) Also updated a [Where problems could occur] section.
2021-02-09 15:39:01	Heather Lemon	description	[Impact] * On Bionic, MAAS CLI fails to work with apis over https with self-signed certificates due to broken disable_ssl_certificate_validation option with python 3.5 and later. [Steps to Reproduce] 1. prepare a maas server (it doesn't have to be HA to reproduce) 2. prepare a set of certificate, key and ca-bundle 3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` 4. add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates 5. login with a new profile over https url 6. if the certificate is not trusted by the root store, it fails to login 7. adding the '--insecure' flag should disable the certificate check [Where problems could occur] * Potential issues could happen if we disable certificate validation for all TLS interactions, any connection https related. * Should not break existing python3 versions. * Should not affect previously working python2 versions. [Other Info] This change should fix the issue with python3, and you should be able to connect with python2 as before. python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb both are build from the same source package helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey [Test Case] # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v localhost.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates [1] # select yes with spacebar # save and it will reload with 1 new certificate # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # setup nginx proxy sudo apt update sudo apt install nginx touch /etc/nginx/sites-available/maas-https-default # contents of maas-https-default server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } sudo service nginx restart # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) [Other] HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /MAAS/api/2.0/account/?op=create_authorisation_token (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f7ad3d91048>: Failed to establish a new connection: [Errno 111] Connection refused',)) ( reboot nginx if you see this message ) [1] https://itectec.com/ubuntu/ubuntu-how-to-install-a-root-certificate/ [VERIFICATION DONE] I have followed the outline in the reproducer steps. Saw that the issue was resolved with the fix. No errors were thrown in the logs, was able to login with maas-cli over https. (The gui also worked) Also updated a [Where problems could occur] section.	[Impact] * On Bionic, MAAS CLI fails to work with apis over https with self-signed certificates due to broken disable_ssl_certificate_validation option with python 3.5 and later. [Steps to Reproduce] 1. prepare a maas server (it doesn't have to be HA to reproduce) 2. prepare a set of certificate, key and ca-bundle 3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` 4. add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates 5. login with a new profile over https url 6. if the certificate is not trusted by the root store, it fails to login 7. adding the '--insecure' flag should disable the certificate check [Where Problems Could Occur] * Potential issues could happen if we disable certificate validation for all TLS interactions, any connection https related. * Should not break existing python3 versions. * Should not affect previously working python2 versions. [Other Info] This change should fix the issue with python3, and you should be able to connect with python2 as before. python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb both are build from the same source package helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey [Test Case] # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v localhost.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates [1] # select yes with spacebar # save and it will reload with 1 new certificate # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # setup nginx proxy sudo apt update sudo apt install nginx touch /etc/nginx/sites-available/maas-https-default # contents of maas-https-default server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } sudo service nginx restart # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) [Other] HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /MAAS/api/2.0/account/?op=create_authorisation_token (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f7ad3d91048>: Failed to establish a new connection: [Errno 111] Connection refused',)) ( reboot nginx if you see this message ) [1] https://itectec.com/ubuntu/ubuntu-how-to-install-a-root-certificate/ [VERIFICATION DONE] I have followed the outline in the reproducer steps. Saw that the issue was resolved with the fix. No errors were thrown in the logs, was able to login with maas-cli over https. (The gui also worked) Also updated a [Where problems could occur] section.
2021-02-09 16:53:50	Eric Desrochers	tags	sts sts-sponsor-slashd verification-done-bionic	sts verification-done-bionic
2021-02-09 21:42:56	Brian Murray	tags	sts verification-done-bionic	sts
2021-02-09 21:43:03	Brian Murray	python-httplib2 (Ubuntu Bionic): status	In Progress	Fix Committed
2021-02-09 21:43:06	Brian Murray	bug			added subscriber Ubuntu Stable Release Updates Team
2021-02-09 21:43:09	Brian Murray	bug			added subscriber SRU Verification
2021-02-09 21:43:14	Brian Murray	tags	sts	sts verification-needed verification-needed-bionic
2021-02-10 13:24:52	Mauricio Faria de Oliveira	bug			added subscriber Mauricio Faria de Oliveira
2021-02-17 14:17:10	Heather Lemon	tags	sts verification-needed verification-needed-bionic	sts verification-done-bionic verification-needed
2021-02-18 10:03:21	Łukasz Zemczak	tags	sts verification-done-bionic verification-needed	sts verification-needed verification-needed-bionic
2021-02-18 15:27:49	Heather Lemon	description	[Impact] * On Bionic, MAAS CLI fails to work with apis over https with self-signed certificates due to broken disable_ssl_certificate_validation option with python 3.5 and later. [Steps to Reproduce] 1. prepare a maas server (it doesn't have to be HA to reproduce) 2. prepare a set of certificate, key and ca-bundle 3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` 4. add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates 5. login with a new profile over https url 6. if the certificate is not trusted by the root store, it fails to login 7. adding the '--insecure' flag should disable the certificate check [Where Problems Could Occur] * Potential issues could happen if we disable certificate validation for all TLS interactions, any connection https related. * Should not break existing python3 versions. * Should not affect previously working python2 versions. [Other Info] This change should fix the issue with python3, and you should be able to connect with python2 as before. python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb both are build from the same source package helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey [Test Case] # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v localhost.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates [1] # select yes with spacebar # save and it will reload with 1 new certificate # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # setup nginx proxy sudo apt update sudo apt install nginx touch /etc/nginx/sites-available/maas-https-default # contents of maas-https-default server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } sudo service nginx restart # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) [Other] HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /MAAS/api/2.0/account/?op=create_authorisation_token (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f7ad3d91048>: Failed to establish a new connection: [Errno 111] Connection refused',)) ( reboot nginx if you see this message ) [1] https://itectec.com/ubuntu/ubuntu-how-to-install-a-root-certificate/ [VERIFICATION DONE] I have followed the outline in the reproducer steps. Saw that the issue was resolved with the fix. No errors were thrown in the logs, was able to login with maas-cli over https. (The gui also worked) Also updated a [Where problems could occur] section.	[Impact] * On Bionic, MAAS CLI fails to work with apis over https with self-signed certificates due to broken disable_ssl_certificate_validation option with python 3.5 and later. [Steps to Reproduce] 1. prepare a maas server (it doesn't have to be HA to reproduce) 2. prepare a set of certificate, key and ca-bundle 3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` 4. add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates 5. login with a new profile over https url 6. if the certificate is not trusted by the root store, it fails to login 7. adding the '--insecure' flag should disable the certificate check [Where Problems Could Occur] * Potential issues could happen if we disable certificate validation for all TLS interactions, any connection https related. * Should not break existing python3 versions. * Should not affect previously working python2 versions. [Other Info] This change should fix the issue with python3, and you should be able to connect with python2 as before. python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb both are build from the same source package helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey [Test Case] # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v localhost.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates [1] # select yes with spacebar # save and it will reload with 1 new certificate # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # setup nginx proxy sudo apt update sudo apt install nginx touch /etc/nginx/sites-available/maas-https-default # contents of maas-https-default server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } sudo service nginx restart # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) [Other] HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /MAAS/api/2.0/account/?op=create_authorisation_token (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f7ad3d91048>: Failed to establish a new connection: [Errno 111] Connection refused',)) ( reboot nginx if you see this message ) [1] https://itectec.com/ubuntu/ubuntu-how-to-install-a-root-certificate/ [VERIFICATION DONE] #purge python-httlib2 dpkg -l python-httplib2 \| cat sudo apt-get remove python-httplib2 # enable proposed pocket via update manager apt-get install python-httplib2 package version installed: 0.9.2+dfsg-1ubuntu0.3 # Follow test case steps I have followed the outline in the test steps. Saw that the issue was resolved with the fix. I was able to login to maas-cli via https No errors were thrown in the logs when accessing https via maas-cli located here: /var/log/ngnix/error.log. (The gui also worked)
2021-02-18 15:29:03	Heather Lemon	description	[Impact] * On Bionic, MAAS CLI fails to work with apis over https with self-signed certificates due to broken disable_ssl_certificate_validation option with python 3.5 and later. [Steps to Reproduce] 1. prepare a maas server (it doesn't have to be HA to reproduce) 2. prepare a set of certificate, key and ca-bundle 3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` 4. add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates 5. login with a new profile over https url 6. if the certificate is not trusted by the root store, it fails to login 7. adding the '--insecure' flag should disable the certificate check [Where Problems Could Occur] * Potential issues could happen if we disable certificate validation for all TLS interactions, any connection https related. * Should not break existing python3 versions. * Should not affect previously working python2 versions. [Other Info] This change should fix the issue with python3, and you should be able to connect with python2 as before. python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb both are build from the same source package helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey [Test Case] # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v localhost.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates [1] # select yes with spacebar # save and it will reload with 1 new certificate # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # setup nginx proxy sudo apt update sudo apt install nginx touch /etc/nginx/sites-available/maas-https-default # contents of maas-https-default server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } sudo service nginx restart # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) [Other] HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /MAAS/api/2.0/account/?op=create_authorisation_token (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f7ad3d91048>: Failed to establish a new connection: [Errno 111] Connection refused',)) ( reboot nginx if you see this message ) [1] https://itectec.com/ubuntu/ubuntu-how-to-install-a-root-certificate/ [VERIFICATION DONE] #purge python-httlib2 dpkg -l python-httplib2 \| cat sudo apt-get remove python-httplib2 # enable proposed pocket via update manager apt-get install python-httplib2 package version installed: 0.9.2+dfsg-1ubuntu0.3 # Follow test case steps I have followed the outline in the test steps. Saw that the issue was resolved with the fix. I was able to login to maas-cli via https No errors were thrown in the logs when accessing https via maas-cli located here: /var/log/ngnix/error.log. (The gui also worked)	[Impact] * On Bionic, MAAS CLI fails to work with apis over https with self-signed certificates due to broken disable_ssl_certificate_validation option with python 3.5 and later. [Steps to Reproduce] 1. prepare a maas server (it doesn't have to be HA to reproduce) 2. prepare a set of certificate, key and ca-bundle 3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` 4. add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates 5. login with a new profile over https url 6. if the certificate is not trusted by the root store, it fails to login 7. adding the '--insecure' flag should disable the certificate check [Where Problems Could Occur] * Potential issues could happen if we disable certificate validation for all TLS interactions, any connection https related. * Should not break existing python3 versions. * Should not affect previously working python2 versions. [Other Info] This change should fix the issue with python3, and you should be able to connect with python2 as before. python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb both are build from the same source package helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey [Test Case] # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v localhost.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates [1] # select yes with spacebar # save and it will reload with 1 new certificate # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # setup nginx proxy sudo apt update sudo apt install nginx touch /etc/nginx/sites-available/maas-https-default # contents of maas-https-default server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } sudo service nginx restart # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log \| grep "Python-http" i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) [Other] HTTPSConnectionPool(host='127.0.0.1', port=443): Max retries exceeded with url: /MAAS/api/2.0/account/?op=create_authorisation_token (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f7ad3d91048>: Failed to establish a new connection: [Errno 111] Connection refused',)) ( reboot nginx if you see this message ) [1] https://itectec.com/ubuntu/ubuntu-how-to-install-a-root-certificate/ [VERIFICATION DONE] #purge python-httlib2 dpkg -l python-httplib2 \| cat sudo apt-get remove python-httplib2 # maas version used 2.4.2 # enable proposed pocket via update manager apt-get install python-httplib2 package version installed: 0.9.2+dfsg-1ubuntu0.3 # Follow test case steps I have followed the outline in the test steps. Saw that the issue was resolved with the fix. I was able to login to maas-cli via https No errors were thrown in the logs when accessing https via maas-cli located here: /var/log/ngnix/error.log. (The gui also worked)
2021-02-20 17:59:38	Heather Lemon	tags	sts verification-needed verification-needed-bionic	sts verification-done-bionic verification-needed
2021-02-22 09:59:20	Launchpad Janitor	python-httplib2 (Ubuntu Bionic): status	Fix Committed	Fix Released
2021-02-22 09:59:25	Łukasz Zemczak	removed subscriber Ubuntu Stable Release Updates Team

Ubuntupython-httplib2 package

Activity log for bug #1906720

Ubuntu
python-httplib2 package