upload options do not support local SSL urls nor self-signed certificates

Bug #1901786 reported by David A. Desrosiers
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| sosreport (Ubuntu) | Incomplete | Medium | Unassigned | |

Bug Description

The current versions of sosreport (3.9 on Bionic and 4.0 on Focal) do not appear to support passing the --upload-url to a non-Canonical URL, for example a LAN-side host to collect those sosreports.

   sudo sosreport --batch -o pci --upload --upload-url=https://10.0.1.112/sos/

This results in the error of:

   Your sosreport has been generated and saved in:
     /tmp/sosreport-autosos-2020-10-27-chnzdgv.tar.xz

    Size 7.04KiB
    Owner root
    md5 3095adb8d50728e477ee2fecd056296f

   Please send this file to your support representative.

   Upload attempt failed: No upload destination provided by policy or by --upload-url

Additionally, when configuring a reproducer (nginx configured with SSL + PUT support), sosreport appears to ignore that endpoint, and fails with:

   Upload attempt failed: No upload destination provided by policy or by --upload-url

Updating the `/usr/lib/python3/dist-packages/sos/policies/ubuntu.py` file to hard-code the internal, self-signed SSL URI (_upload_url), produces the following error when attempted:

   Upload attempt failed: HTTPSConnectionPool(host='10.0.1.112', port=443): Max retries exceeded with url: /sosreport-autosos-focal-2020-10-27-ocmbmws.tar.xz (Caused by SSLError(SSLError("bad handss_process_server_certificate', 'certificate verify failed')])")))

There does not appear to be a way to tell sosreport to ignore a self-signed certificate, or ignore verification of that certificate, even when it's correctly imported into /usr/local/share/ca-certificates/ and added to the client cert chain.

There is a temporary workaround, using curl to directly push that file to the nginx endpoint, using:

   sudo curl -k -T sosreport-autosos-focal-2020-10-27-tugrwdk.tar.xz https://10.0.1.112/

But sosreport itself does not appear to support custom URLs, nor self-signed certificates.

Tags: seg sts
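The `curl -k` workaround in the description switches certificate verification off. As an added example (not part of the bug report and not sos's own code), this standard-library uploader keeps verification on and trusts only a given internal CA file; the function names and the `ca_file` parameter are assumptions made for illustration.

```python
import http.client
import os
import ssl
from urllib.parse import urlsplit


def build_upload_url(base_url, archive_path):
    """Join base URL and archive file name with exactly one '/'."""
    return base_url.rstrip("/") + "/" + os.path.basename(archive_path)


def pinned_tls_context(ca_file=None):
    """Verifying TLS context; ca_file (hypothetical parameter) pins one CA."""
    # create_default_context() enables CERT_REQUIRED and hostname checking.
    # With cafile set, only that bundle is trusted, not the system store.
    return ssl.create_default_context(cafile=ca_file)


def upload_archive(base_url, archive_path, ca_file=None, timeout=30):
    """PUT the archive over verified HTTPS and return the HTTP status."""
    target = urlsplit(build_upload_url(base_url, archive_path))
    if target.scheme != "https":
        raise ValueError("refusing non-HTTPS upload URL: " + base_url)
    conn = http.client.HTTPSConnection(
        target.hostname, target.port or 443,
        context=pinned_tls_context(ca_file), timeout=timeout)
    try:
        with open(archive_path, "rb") as fh:
            # Explicit Content-Length avoids chunked transfer encoding.
            size = str(os.path.getsize(archive_path))
            conn.request("PUT", target.path, body=fh,
                         headers={"Content-Length": size})
            return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample values, shown only to illustrate the URL join.
    print(build_upload_url("https://10.0.1.112/sos",
                           "/tmp/sosreport-example.tar.xz"))
```

Because the upload URL uses an IP address, hostname checking only passes if the server certificate lists that IP in its subjectAltName.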
Revision history for this message
David A. Desrosiers (setuid) wrote :

This appears to be fixed in upstream github master branch. There are varying levels of issues with DAV on nginx accepting the PUT over SSL from sosreport, but that's unrelated to sosreport itself.

David A. Desrosiers (setuid) wrote :

Disregard the previous, I was on the wrong local branch. This is _not_ fixed upstream, but this small patch adds the missing functionality to make this work:

```
diff --git a/sos/policies/ubuntu.py b/sos/policies/ubuntu.py
index 8ec765e4..2b913669 100644
--- a/sos/policies/ubuntu.py
+++ b/sos/policies/ubuntu.py
@@ -3,7 +3,6 @@ from sos.policies.debian import DebianPolicy

 import os

-
 class UbuntuPolicy(DebianPolicy):
     distro = "Ubuntu"
     vendor = "Canonical"
@@ -62,8 +61,10 @@ class UbuntuPolicy(DebianPolicy):
             return self.get_upload_url()

     def get_upload_url(self):
+ fname = os.path.basename(self.upload_archive)
+ if self.commons['cmdlineopts'].upload_url:
+ return self.commons['cmdlineopts'].upload_url + fname
         if not self.upload_url or self.upload_url.startswith(self._upload_url):
- fname = os.path.basename(self.upload_archive)
             return self._upload_url + fname
         super(UbuntuPolicy, self).get_upload_url()
```
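Review bot: The first hunk's only change is deleting one of the two blank lines before `class UbuntuPolicy(DebianPolicy):`, which is unrelated to the upload fix and leaves one blank line before a top-level class where PEP 8 asks for two. Suggest dropping this hunk from the patch.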
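Review bot: In `get_upload_url()`, `self.commons['cmdlineopts'].upload_url + fname` joins the user-supplied URL and the archive name with no separator, so a `--upload-url` given without a trailing slash produces a path with the last segment and the file name run together. Suggest normalising before the join, for example `upload_url.rstrip('/') + '/' + fname`. Separately, the unchanged last line calls `super(UbuntuPolicy, self).get_upload_url()` without `return`, so that branch returns None, and nothing in this hunk changes how the server certificate is verified.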

Eric Desrochers (slashd) wrote :

Could you try using the latest sos HEAD commit? And if it is still the same problem, submit your fix to the sos maintainer?

Then we could work on the backport to fix that particular issue and others that I have on my list for 4.1.

- Eric

tags: added: seg sts
Changed in sosreport (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Eric Desrochers (slashd) wrote :

This has been fixed here[0]

@setuid, would you like a testpkg to test with your reproducer?
If yes, please let me know the release you need to test from.

Otherwise, you can also git clone the upstream repo and run sos manually from there.

It's up to you.

- Eric

[0] https://github.com/sosreport/sos/commit/63817ba9dae2cb64b21ab59279def64572a6459a

Eric Desrochers (slashd)
Changed in sosreport (Ubuntu):
status: Confirmed → Won't Fix
status: Won't Fix → Incomplete
Arif Ali (arif-ali) wrote :

David, did you test the fix here, and has it resolved the issue for you?
