[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
This bug was fixed in the package python-httplib2 - 0.9.2+dfsg- 1ubuntu0.3 --- python-httplib2 (0.9.2+dfsg-1ubuntu0.3) bionic; urgency=medium * d/p/lp1906720-Make-disable_ssl_certificate_validation-work-wit.patch - Fix TLS authentication to MAAS with maas-cli (LP: #1906720) -- Heather Lemon Tue, 15 Dec 2020 13:09:40 -0700 ** Changed in: python-httplib2 (Ubuntu Bionic) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
Awesome! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
updated tag to verification-done -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
[VERIFICATION DONE]
-
ubuntu series tested: bionic
MAAS name: ubuntu-bionic MAAS
MAAS version: 2.4.2 (7034-g2f5deb8b8-0ubuntu1)
sudo apt-get remove python-httplib2
dpkg -l PKGNAME | cat
sudo apt-get install python-httplib2
package version installed: 0.9.2+dfsg-1ubuntu0.3
sudo apt-get install maas
sudo maas init
-- fill out questions
# create 2 users secure & unsecure
maas createadmin
username: testadmin
username: secureadmin
sudo maas apikey --username=testadmin > api-key-testadmin
sudo maas apikey --username=testadmin > api-key-secureadmin
sudo apt get update
sudo apt-get install nginx
touch /etc/nginx/sites-available/maas-https-default
# copy and paste from here:
server {
listen 443 ssl http2;
server_name _;
ssl_certificate /home/ubuntu/localhost.crt;
ssl_certificate_key /home/ubuntu/localhost.key;
location / {
proxy_pass http://localhost:5240;
include /etc/nginx/proxy_params;
}
location /MAAS/ws {
proxy_pass http://127.0.0.1:5240/MAAS/ws;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
vim /etc/nginx/sites-available/maas-https-default
# restart ngnix
sudo service nginx restart
# create maas login scripts
touch maas-login.sh
# contents of maas-login.sh
#!/bin/sh
PROFILE=testadmin
API_KEY_FILE=/root/api-key-testadmin
API_SERVER=127.0.0.1:5240
MAAS_URL=http://$API_SERVER/MAAS
touch https-maas-login.sh
# contents of https-maas-login.sh
#!/bin/sh
PROFILE=secureadmin
API_KEY_FILE=/root/api-key-secureadmin
API_SERVER=localhost
MAAS_URL=https://$API_SERVER/MAAS
maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
sudo chmod +rwx maas-login.sh
sud./maas-login.sh o chmod +rwx https-maas-login.sh
cd /etc/nginx/sites-enabled
sudo touch maas-https-default
vim maas-https-default
sudo ln -s /etc/nginx/sites-available/maas-https-default
/etc/nginx/sites-enabled
# login to maas with unsecure & secure user
./maas-login.sh
./https-maas-login.sh
# console output
root@ubuntu-bionic:~# ./https-maas-login.sh
You are now logged in to the MAAS server at
https://localhost/MAAS/api/2.0/ with the profile name 'secureadmin'.
For help with the available commands, try:
maas secureadmin --help
root@ubuntu-bionic:~# exit
# reverse sshuttle if needed to check gui login
sshuttle -r root@ 127.0.0.1/0
** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1906720
Title:
Fix the disable_ssl_certificate_validation option
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
Hey, so i didn't know that the verification done needed to a comment as I changed it in the description instead. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
** Description changed:
[Impact]
* On Bionic, MAAS CLI fails to work with apis over https with self-signed
certificates due to broken disable_ssl_certificate_validation option
with python 3.5 and later.
[Steps to Reproduce]
1. prepare a maas server (it doesn't have to be HA to reproduce)
2. prepare a set of certificate, key and ca-bundle
3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl
restart nginx`
4. add the ca certificates to the host
sudo mkdir /usr/share/ca-certificates/extra
sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/
dpkg-reconfigure ca-certificates
5. login with a new profile over https url
6. if the certificate is not trusted by the root store, it fails to login
7. adding the '--insecure' flag should disable the certificate check
[Where Problems Could Occur]
* Potential issues could happen if we disable certificate validation for
all TLS interactions, any connection https related.
* Should not break existing python3 versions.
* Should not affect previously working python2 versions.
[Other Info]
This change should fix the issue with python3, and you should be able
to connect with python2 as before.
python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
*both are build from the same source package
helpful urls:
https://maas.io/docs/deb/2.8/cli/installation
https://maas.io/docs/deb/2.8/cli/configuration-journey
https://maas.io/docs/deb/2.8/ui/configuration-journey
[Test Case]
# create bionic VM/lxc container
lxc launch ubuntu:bionic lp1906720
# get source code from repo
pull-lp-source python-httplib2 bionic
# install maas-cli
apt-get install maas-cli
# install maas server
apt-get install maas
# init maas
sudo maas init
# answer questions
# generate self signed cert and key
openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt
-keyout localhost.key
# add certs
sudo cp -v localhost.crt /usr/share/ca-certificates/extra/
# add new cert to list
sudo dpkg-reconfigure ca-certificates
[1]
# select yes with spacebar
# save and it will reload with 1 new certificate
# create api key files
touch api_key
touch api-key-file
# remove any packages with this
# or this python3-httplib2
apt-cache search python-httplib2
apt-get remove python-httplib2
apt-get remove python3-httplib2
# create 2 admin users
sudo maas createadmin testadmin
sudo maas createadmin secureadmin
# generate maas api keys
sudo maas apikey --username=testadmin > api_key
sudo maas apikey --username=secureadmin > api-key-file
# setup nginx proxy
sudo apt update
sudo apt install nginx
touch /etc/nginx/sites-available/maas-https-default
# contents of maas-https-default
server {
listen 443 ssl http2;
server_name _;
ssl_certificate /home/ubuntu/localhost.crt;
ssl_certificate_key /home/ubuntu/localhost.key;
location / {
proxy_pass http://localhost:5240;
include /etc/nginx/proxy_params;
}
location /MAAS/ws {
proxy_pass http://127.0.0.1:5240/MAAS/ws;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
sudo service nginx restart
# make sure you can login to maas-cli without TLS
# by running this script
# this is for the non-tls user
# this goes into a script called maas-login.sh
touch maas-login.sh
sudo chmod +rwx maas-login.sh
#!/bin/sh
PROFILE=testadmin
API_KEY_FILE=/home/ubuntu/api_key
API_SERVER=127.0.0.1:5240
MAAS_URL=http://$API_SERVER/MAAS
maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
sudo chmod +rwx https-maas.sh
# another script called https-maas.sh
# for the tls user
#!/bin/sh
PROFILE=secureadmin
API_KEY_FILE=/home/ubuntu/api-key-file
API_SERVER=127.0.0.1
MAAS_URL=https://$API_SERVER/MAAS
maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
# try to login
./maas-login.sh
cd /etc/nginx/sites-enabled
sudo touch maas-https-default
#example nginx config for maas https
server {
listen 443 ssl http2;
server_name _;
ssl_certificate /home/ubuntu/localhost.crt;
ssl_certificate_key /home/ubuntu/localhost.key;
location / {
proxy_pass http://localhost:5240;
include /etc/nginx/proxy_params;
}
location /MAAS/ws {
proxy_pass http://127.0.0.1:5240/MAAS/ws;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
# create link
sudo ln -s /etc/nginx/sites-available/maas-https-default
/etc/nginx/sites-enabled
# look at errors
cat /var/log/maas/regiond.log
cat regiond.log | grep "Python-http"
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
Ok, autopkgtest failures hinted. That being said: I see the verification tags switched but no verification information present. I'm quite sure proper verification has been performed, but we'd like to have a recording of what testing has been performed and on which package versions as documentation. Then I'd be happy to let it out. Thank you! ** Tags removed: verification-done-bionic ** Tags added: verification-needed-bionic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
Thanks for looking into the failures, I'll hint it in. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
** Tags removed: verification-needed-bionic ** Tags added: verification-done-bionic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
the python-oslo.vmware failures are almost certainly the same as bug 1912792 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
and apport/amd64 played tricks on us, but it does pass now. it passed on bionic-updates, which suggests a regression on bionic-proposed; but another rereun with bionic-proposed now passed.. well. it's good now! :) from [1]: 2.20.9-0ubuntu7.23 python-httplib2/0.9.2+dfsg-1ubuntu0.3 2021-02-10 23:43:24 UTC 0h 12m 27s mfo passlog artifacts 2.20.9-0ubuntu7.23 python-httplib2/0.9.2+dfsg-1ubuntu0.2 2021-02-10 23:01:31 UTC 0h 10m 15s mfo passlog artifacts 2.20.9-0ubuntu7.23 python-httplib2/0.9.2+dfsg-1ubuntu0.3 2021-02-10 13:34:34 UTC 0h 13m 01s mfo faillog artifacts 2.20.9-0ubuntu7.23 python-httplib2/0.9.2+dfsg-1ubuntu0.3 2021-02-09 22:41:05 UTC 0h 11m 19s - faillog artifacts [1] https://autopkgtest.ubuntu.com/packages/apport/bionic/amd64 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
Thanks Mauricio! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
Heather and I discussed the autopkgtests failures today. She's taking a look at fixing python-oslo.vmware, which seems to be a missing Build-Depends: on python module(s) nowadays, because the last time it passed was 2019-03. It was reproducible with autopkgtests-virt-lxd locally. For apport, it seems an interesting one, as it fails on other archs except i386 for a long time, including amd64 but it has recently passed on amd64; thus reported as a regression; but previous errors on other archs sometimes include the failing test. And it's been ~2 months since it last passed, so maybe things changed. Thus I'm rerunning it against python-httplib2 in -updates, to hopefully confirm the failure is not a regression from this upload. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
Hello Jorge, or anyone else affected, Accepted python-httplib2 into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/python- httplib2/0.9.2+dfsg-1ubuntu0.3 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-bionic. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Tags removed: verification-done-bionic ** Changed in: python-httplib2 (Ubuntu Bionic) Status: In Progress => Fix Committed ** Tags added: verification-needed verification-needed-bionic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
** Tags removed: sts-sponsor-slashd -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
** Description changed:
[Impact]
* On Bionic, MAAS CLI fails to work with apis over https with self-signed
certificates due to broken disable_ssl_certificate_validation option
with python 3.5 and later.
[Steps to Reproduce]
1. prepare a maas server (it doesn't have to be HA to reproduce)
2. prepare a set of certificate, key and ca-bundle
3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl
restart nginx`
4. add the ca certificates to the host
sudo mkdir /usr/share/ca-certificates/extra
sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/
dpkg-reconfigure ca-certificates
5. login with a new profile over https url
6. if the certificate is not trusted by the root store, it fails to login
7. adding the '--insecure' flag should disable the certificate check
[Where problems could occur]
* Potential issues could happen if we disable certificate validation for
all TLS interactions, any connection https related.
* Should not break existing python3 versions.
* Should not affect previously working python2 versions.
[Other Info]
This change should fix the issue with python3, and you should be able
to connect with python2 as before.
python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
*both are build from the same source package
helpful urls:
https://maas.io/docs/deb/2.8/cli/installation
https://maas.io/docs/deb/2.8/cli/configuration-journey
https://maas.io/docs/deb/2.8/ui/configuration-journey
+ [Test Case]
+
# create bionic VM/lxc container
lxc launch ubuntu:bionic lp1906720
# get source code from repo
pull-lp-source python-httplib2 bionic
# install maas-cli
apt-get install maas-cli
# install maas server
apt-get install maas
# init maas
sudo maas init
# answer questions
# generate self signed cert and key
openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt
-keyout localhost.key
# add certs
sudo cp -v localhost.crt /usr/share/ca-certificates/extra/
# add new cert to list
sudo dpkg-reconfigure ca-certificates
[1]
# select yes with spacebar
# save and it will reload with 1 new certificate
# create api key files
touch api_key
touch api-key-file
# remove any packages with this
# or this python3-httplib2
apt-cache search python-httplib2
apt-get remove python-httplib2
apt-get remove python3-httplib2
# create 2 admin users
sudo maas createadmin testadmin
sudo maas createadmin secureadmin
# generate maas api keys
sudo maas apikey --username=testadmin > api_key
sudo maas apikey --username=secureadmin > api-key-file
# setup nginx proxy
sudo apt update
sudo apt install nginx
touch /etc/nginx/sites-available/maas-https-default
# contents of maas-https-default
server {
listen 443 ssl http2;
server_name _;
ssl_certificate /home/ubuntu/localhost.crt;
ssl_certificate_key /home/ubuntu/localhost.key;
location / {
proxy_pass http://localhost:5240;
include /etc/nginx/proxy_params;
}
location /MAAS/ws {
proxy_pass http://127.0.0.1:5240/MAAS/ws;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
sudo service nginx restart
# make sure you can login to maas-cli without TLS
# by running this script
# this is for the non-tls user
# this goes into a script called maas-login.sh
touch maas-login.sh
sudo chmod +rwx maas-login.sh
#!/bin/sh
PROFILE=testadmin
API_KEY_FILE=/home/ubuntu/api_key
API_SERVER=127.0.0.1:5240
MAAS_URL=http://$API_SERVER/MAAS
maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
sudo chmod +rwx https-maas.sh
# another script called https-maas.sh
# for the tls user
#!/bin/sh
PROFILE=secureadmin
API_KEY_FILE=/home/ubuntu/api-key-file
API_SERVER=127.0.0.1
MAAS_URL=https://$API_SERVER/MAAS
maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
# try to login
./maas-login.sh
cd /etc/nginx/sites-enabled
sudo touch maas-https-default
#example nginx config for maas https
server {
listen 443 ssl http2;
server_name _;
ssl_certificate /home/ubuntu/localhost.crt;
ssl_certificate_key /home/ubuntu/localhost.key;
location / {
proxy_pass http://localhost:5240;
include /etc/nginx/proxy_params;
}
location /MAAS/ws {
proxy_pass http://127.0.0.1:5240/MAAS/ws;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
# create link
sudo ln -s /etc/nginx/sites-available/maas-https-default
/etc/nginx/sites-enabled
# look at errors
cat /var/log/maas/regiond.log
cat regiond.log | grep "Python-http"
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
Re-tagged as verification-done. Thanks, Heather Lemon -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
@slashd can we get this reviewed this week?
Thank you,
Heather Lemon
** Description changed:
[Impact]
* On Bionic, MAAS CLI fails to work with apis over https with self-signed
certificates due to broken disable_ssl_certificate_validation option
with python 3.5 and later.
[Steps to Reproduce]
1. prepare a maas server (it doesn't have to be HA to reproduce)
2. prepare a set of certificate, key and ca-bundle
3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl
restart nginx`
4. add the ca certificates to the host
sudo mkdir /usr/share/ca-certificates/extra
sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/
dpkg-reconfigure ca-certificates
5. login with a new profile over https url
6. if the certificate is not trusted by the root store, it fails to login
7. adding the '--insecure' flag should disable the certificate check
[Where problems could occur]
* Potential issues could happen if we disable certificate validation for
all TLS interactions, any connection https related.
* Should not break existing python3 versions.
* Should not affect previously working python2 versions.
[Other Info]
This change should fix the issue with python3, and you should be able
to connect with python2 as before.
python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
*both are build from the same source package
helpful urls:
https://maas.io/docs/deb/2.8/cli/installation
https://maas.io/docs/deb/2.8/cli/configuration-journey
https://maas.io/docs/deb/2.8/ui/configuration-journey
# create bionic VM/lxc container
lxc launch ubuntu:bionic lp1906720
# get source code from repo
pull-lp-source python-httplib2 bionic
# install maas-cli
apt-get install maas-cli
# install maas server
apt-get install maas
# init maas
sudo maas init
# answer questions
# generate self signed cert and key
openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt
-keyout localhost.key
# add certs
sudo cp -v localhost.crt /usr/share/ca-certificates/extra/
# add new cert to list
sudo dpkg-reconfigure ca-certificates
- [1]
+ [1]
# select yes with spacebar
# save and it will reload with 1 new certificate
# create api key files
touch api_key
touch api-key-file
# remove any packages with this
# or this python3-httplib2
apt-cache search python-httplib2
apt-get remove python-httplib2
apt-get remove python3-httplib2
# create 2 admin users
sudo maas createadmin testadmin
sudo maas createadmin secureadmin
# generate maas api keys
sudo maas apikey --username=testadmin > api_key
sudo maas apikey --username=secureadmin > api-key-file
# setup nginx proxy
sudo apt update
sudo apt install nginx
touch /etc/nginx/sites-available/maas-https-default
# contents of maas-https-default
server {
listen 443 ssl http2;
server_name _;
ssl_certificate /home/ubuntu/localhost.crt;
ssl_certificate_key /home/ubuntu/localhost.key;
location / {
proxy_pass http://localhost:5240;
include /etc/nginx/proxy_params;
}
location /MAAS/ws {
proxy_pass http://127.0.0.1:5240/MAAS/ws;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
sudo service nginx restart
# make sure you can login to maas-cli without TLS
# by running this script
# this is for the non-tls user
# this goes into a script called maas-login.sh
touch maas-login.sh
sudo chmod +rwx maas-login.sh
#!/bin/sh
PROFILE=testadmin
API_KEY_FILE=/home/ubuntu/api_key
API_SERVER=127.0.0.1:5240
MAAS_URL=http://$API_SERVER/MAAS
maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
sudo chmod +rwx https-maas.sh
# another script called https-maas.sh
# for the tls user
#!/bin/sh
PROFILE=secureadmin
API_KEY_FILE=/home/ubuntu/api-key-file
API_SERVER=127.0.0.1
MAAS_URL=https://$API_SERVER/MAAS
maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
# try to login
./maas-login.sh
cd /etc/nginx/sites-enabled
sudo touch maas-https-default
#example nginx config for maas https
server {
listen 443 ssl http2;
server_name _;
ssl_certificate /home/ubuntu/localhost.crt;
ssl_certificate_key /home/ubuntu/localhost.key;
location / {
proxy_pass http://localhost:5240;
include /etc/nginx/proxy_params;
}
location /MAAS/ws {
proxy_pass http://127.0.0.1:5240/MAAS/ws;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
# create link
sudo ln -s /etc/nginx/sites-available/maas-https-default
/etc/nginx/sites-enabled
# look at errors
cat
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
ready for sru review -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
** Tags added: verification-done-bionic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
** Changed in: python-httplib2 (Ubuntu Focal) Assignee: Heather Lemon (hypothetical-lemon) => (unassigned) ** Changed in: python-httplib2 (Ubuntu Groovy) Assignee: Heather Lemon (hypothetical-lemon) => (unassigned) ** Changed in: python-httplib2 (Ubuntu Hirsute) Assignee: Heather Lemon (hypothetical-lemon) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
** Description changed:
[Impact]
* On Bionic, MAAS CLI fails to work with apis over https with self-signed
certificates due to broken disable_ssl_certificate_validation option
with python 3.5 and later.
[Steps to Reproduce]
1. prepare a maas server (it doesn't have to be HA to reproduce)
2. prepare a set of certificate, key and ca-bundle
3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl
restart nginx`
4. add the ca certificates to the host
sudo mkdir /usr/share/ca-certificates/extra
sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/
dpkg-reconfigure ca-certificates
5. login with a new profile over https url
6. if the certificate is not trusted by the root store, it fails to login
7. adding the '--insecure' flag should disable the certificate check
[Where problems could occur]
* Potential issues could happen if we disable certificate validation for
all TLS interactions, any connection https related.
* Should not break existing python3 versions.
* Should not affect previously working python2 versions.
[Other Info]
This change should fix the issue with python3, and you should be able
to connect with python2 as before.
python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
+ *both are build from the same source package
helpful urls:
https://maas.io/docs/deb/2.8/cli/installation
https://maas.io/docs/deb/2.8/cli/configuration-journey
https://maas.io/docs/deb/2.8/ui/configuration-journey
# create bionic VM/lxc container
lxc launch ubuntu:bionic lp1906720
# get source code from repo
pull-lp-source python-httplib2 bionic
# install maas-cli
apt-get install maas-cli
# install maas server
apt-get install maas
# init maas
sudo maas init
# answer questions
# generate self signed cert and key
openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt
-keyout localhost.key
# add certs
sudo cp -v localhost.crt /usr/share/ca-certificates/extra/
# add new cert to list
sudo dpkg-reconfigure ca-certificates
+ [1]
# select yes with spacebar
# save and it will reload with 1 new certificate
# create api key files
touch api_key
touch api-key-file
# remove any packages with this
# or this python3-httplib2
apt-cache search python-httplib2
apt-get remove python-httplib2
apt-get remove python3-httplib2
# create 2 admin users
sudo maas createadmin testadmin
sudo maas createadmin secureadmin
# generate maas api keys
sudo maas apikey --username=testadmin > api_key
sudo maas apikey --username=secureadmin > api-key-file
# setup nginx proxy
sudo apt update
sudo apt install nginx
touch /etc/nginx/sites-available/maas-https-default
# contents of maas-https-default
server {
listen 443 ssl http2;
server_name _;
ssl_certificate /home/ubuntu/localhost.crt;
ssl_certificate_key /home/ubuntu/localhost.key;
location / {
proxy_pass http://localhost:5240;
include /etc/nginx/proxy_params;
}
location /MAAS/ws {
proxy_pass http://127.0.0.1:5240/MAAS/ws;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
sudo service nginx restart
# make sure you can login to maas-cli without TLS
# by running this script
# this is for the non-tls user
# this goes into a script called maas-login.sh
touch maas-login.sh
sudo chmod +rwx maas-login.sh
#!/bin/sh
PROFILE=testadmin
API_KEY_FILE=/home/ubuntu/api_key
API_SERVER=127.0.0.1:5240
MAAS_URL=http://$API_SERVER/MAAS
maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
sudo chmod +rwx https-maas.sh
# another script called https-maas.sh
# for the tls user
#!/bin/sh
PROFILE=secureadmin
API_KEY_FILE=/home/ubuntu/api-key-file
API_SERVER=127.0.0.1
MAAS_URL=https://$API_SERVER/MAAS
maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
# try to login
./maas-login.sh
cd /etc/nginx/sites-enabled
sudo touch maas-https-default
#example nginx config for maas https
server {
listen 443 ssl http2;
server_name _;
ssl_certificate /home/ubuntu/localhost.crt;
ssl_certificate_key /home/ubuntu/localhost.key;
location / {
proxy_pass http://localhost:5240;
include /etc/nginx/proxy_params;
}
location /MAAS/ws {
proxy_pass http://127.0.0.1:5240/MAAS/ws;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
# create link
sudo ln -s /etc/nginx/sites-available/maas-https-default
/etc/nginx/sites-enabled
# look at errors
cat /var/log/maas/regiond.log
cat regiond.log | grep "Python-http"
*i didn't see
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
resolved https maas-cli ** Attachment added: "Screenshot from 2021-01-25 09-31-14.png" https://bugs.launchpad.net/ubuntu/bionic/+source/python-httplib2/+bug/1906720/+attachment/5456688/+files/Screenshot%20from%202021-01-25%2009-31-14.png -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
** Description changed:
[Impact]
* On Bionic, MAAS CLI fails to work with apis over https with self-signed
certificates due to broken disable_ssl_certificate_validation option
with python 3.5 and later.
[Steps to Reproduce]
1. prepare a maas server (it doesn't have to be HA to reproduce)
2. prepare a set of certificate, key and ca-bundle
3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl
restart nginx`
4. add the ca certificates to the host
sudo mkdir /usr/share/ca-certificates/extra
sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/
dpkg-reconfigure ca-certificates
5. login with a new profile over https url
6. if the certificate is not trusted by the root store, it fails to login
7. adding the '--insecure' flag should disable the certificate check
[Where problems could occur]
* Potential issues could happen if we disable certificate validation for
all TLS interactions, any connection https related.
* Should not break existing python3 versions.
* Should not affect previously working python2 versions.
[Other Info]
This change should fix the issue with python3, and you should be able
to connect with python2 as before.
python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
helpful urls:
https://maas.io/docs/deb/2.8/cli/installation
https://maas.io/docs/deb/2.8/cli/configuration-journey
https://maas.io/docs/deb/2.8/ui/configuration-journey
# create bionic VM/lxc container
lxc launch ubuntu:bionic lp1906720
# get source code from repo
pull-lp-source python-httplib2 bionic
# install maas-cli
apt-get install maas-cli
# install maas server
apt-get install maas
# init maas
sudo maas init
# answer questions
# generate self signed cert and key
openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt
-keyout localhost.key
# add certs
- sudo cp -v test.crt /usr/share/ca-certificates/extra/
+ sudo cp -v localhost.crt /usr/share/ca-certificates/extra/
# add new cert to list
sudo dpkg-reconfigure ca-certificates
# select yes with spacebar
- # save
+ # save and it will reload with 1 new certificate
# create api key files
touch api_key
touch api-key-file
# remove any packages with this
# or this python3-httplib2
apt-cache search python-httplib2
apt-get remove python-httplib2
apt-get remove python3-httplib2
# create 2 admin users
sudo maas createadmin testadmin
sudo maas createadmin secureadmin
# generate maas api keys
sudo maas apikey --username=testadmin > api_key
sudo maas apikey --username=secureadmin > api-key-file
# setup nginx proxy
sudo apt update
sudo apt install nginx
touch /etc/nginx/sites-available/maas-https-default
# contents of maas-https-default
server {
listen 443 ssl http2;
server_name _;
ssl_certificate /home/ubuntu/localhost.crt;
ssl_certificate_key /home/ubuntu/localhost.key;
location / {
proxy_pass http://localhost:5240;
include /etc/nginx/proxy_params;
}
location /MAAS/ws {
proxy_pass http://127.0.0.1:5240/MAAS/ws;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
sudo service nginx restart
# make sure you can login to maas-cli without TLS
# by running this script
# this is for the non-tls user
# this goes into a script called maas-login.sh
touch maas-login.sh
sudo chmod +rwx maas-login.sh
#!/bin/sh
PROFILE=testadmin
API_KEY_FILE=/home/ubuntu/api_key
API_SERVER=127.0.0.1:5240
MAAS_URL=http://$API_SERVER/MAAS
maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
sudo chmod +rwx https-maas.sh
# another script called https-maas.sh
# for the tls user
#!/bin/sh
PROFILE=secureadmin
API_KEY_FILE=/home/ubuntu/api-key-file
API_SERVER=127.0.0.1
MAAS_URL=https://$API_SERVER/MAAS
maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
# try to login
./maas-login.sh
cd /etc/nginx/sites-enabled
sudo touch maas-https-default
#example nginx config for maas https
server {
listen 443 ssl http2;
server_name _;
ssl_certificate /home/ubuntu/localhost.crt;
ssl_certificate_key /home/ubuntu/localhost.key;
location / {
proxy_pass http://localhost:5240;
include /etc/nginx/proxy_params;
}
location /MAAS/ws {
proxy_pass http://127.0.0.1:5240/MAAS/ws;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
# create link
sudo ln -s /etc/nginx/sites-available/maas-https-default
/etc/nginx/sites-enabled
# look at errors
cat /var/log/maas/regiond.log
cat regiond.log | grep "Python-http"
*i
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
** Description changed:
[Impact]
* On Bionic, MAAS CLI fails to work with apis over https with self-signed
certificates due to broken disable_ssl_certificate_validation option
with python 3.5 and later.
[Steps to Reproduce]
1. prepare a maas server (it doesn't have to be HA to reproduce)
2. prepare a set of certificate, key and ca-bundle
3. place a new conf in /etc/nginx/sites-enabled and `sudo systemctl
restart nginx`
4. add the ca certificates to the host
sudo mkdir /usr/share/ca-certificates/extra
sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/
dpkg-reconfigure ca-certificates
5. login with a new profile over https url
6. if the certificate is not trusted by the root store, it fails to login
7. adding the '--insecure' flag should disable the certificate check
[Where problems could occur]
* Potential issues could happen if we disable certificate validation for
all TLS interactions, any connection https related.
* Should not break existing python3 versions.
* Should not affect previously working python2 versions.
[Other Info]
This change should fix the issue with python3, and you should be able
to connect with python2 as before.
python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
helpful urls:
https://maas.io/docs/deb/2.8/cli/installation
https://maas.io/docs/deb/2.8/cli/configuration-journey
https://maas.io/docs/deb/2.8/ui/configuration-journey
# create bionic VM/lxc container
lxc launch ubuntu:bionic lp1906720
# get source code from repo
pull-lp-source python-httplib2 bionic
# install maas-cli
apt-get install maas-cli
# install maas server
apt-get install maas
# init maas
sudo maas init
# answer questions
# generate self signed cert and key
openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt
-keyout localhost.key
# add certs
sudo cp -v test.crt /usr/share/ca-certificates/extra/
# add new cert to list
sudo dpkg-reconfigure ca-certificates
# select yes with spacebar
# save
# create api key files
touch api_key
touch api-key-file
# remove any packages with this
# or this python3-httplib2
apt-cache search python-httplib2
apt-get remove python-httplib2
apt-get remove python3-httplib2
# create 2 admin users
sudo maas createadmin testadmin
sudo maas createadmin secureadmin
# generate maas api keys
sudo maas apikey --username=testadmin > api_key
sudo maas apikey --username=secureadmin > api-key-file
+
+ # setup nginx proxy
+ sudo apt update
+ sudo apt install nginx
+ touch /etc/nginx/sites-available/maas-https-default
+ # contents of maas-https-default
+ server {
+ listen 443 ssl http2;
+
+ server_name _;
+ ssl_certificate /home/ubuntu/localhost.crt;
+ ssl_certificate_key /home/ubuntu/localhost.key;
+
+ location / {
+ proxy_pass http://localhost:5240;
+ include /etc/nginx/proxy_params;
+ }
+
+ location /MAAS/ws {
+ proxy_pass http://127.0.0.1:5240/MAAS/ws;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ }
+ }
+
+
# make sure you can login to maas-cli without TLS
# by running this script
# this is for the non-tls user
# this goes into a script called maas-login.sh
touch maas-login.sh
sudo chmod +rwx maas-login.sh
#!/bin/sh
PROFILE=testadmin
API_KEY_FILE=/home/ubuntu/api_key
API_SERVER=127.0.0.1:5240
MAAS_URL=http://$API_SERVER/MAAS
maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
sudo chmod +rwx https-maas.sh
# another script called https-maas.sh
# for the tls user
#!/bin/sh
PROFILE=secureadmin
API_KEY_FILE=/home/ubuntu/api-key-file
API_SERVER=127.0.0.1
MAAS_URL=https://$API_SERVER/MAAS
- maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE
+ maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
# try to login
./maas-login.sh
cd /etc/nginx/sites-enabled
sudo touch maas-https-default
#example nginx config for maas https
server {
listen 443 ssl http2;
server_name _;
ssl_certificate /home/ubuntu/localhost.crt;
ssl_certificate_key /home/ubuntu/localhost.key;
location / {
proxy_pass http://localhost:5240;
include /etc/nginx/proxy_params;
}
location /MAAS/ws {
proxy_pass http://127.0.0.1:5240/MAAS/ws;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
}
}
# create link
sudo ln -s /etc/nginx/sites-available/maas-https-default
/etc/nginx/sites-enabled
# look at errors
cat /var/log/maas/regiond.log
cat regiond.log | grep "Python-http"
*i didn't see any 404's though
2020-12-15 13:24:48 regiond: [info]
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
** Tags removed: sts-sponsor-ddstreet ** Tags added: sts-sponsor-slashd -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
MAAS secure https login script ** Attachment added: "https-maas-login.sh" https://bugs.launchpad.net/ubuntu/bionic/+source/python-httplib2/+bug/1906720/+attachment/5456437/+files/https-maas-login.sh -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
MAAS insecure login script ** Attachment added: "maas-login.sh" https://bugs.launchpad.net/ubuntu/bionic/+source/python-httplib2/+bug/1906720/+attachment/5456436/+files/maas-login.sh -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
maas cli https via maas-cli ** Attachment added: "Screenshot from 2021-01-24 16-36-07.png" https://bugs.launchpad.net/ubuntu/bionic/+source/python-httplib2/+bug/1906720/+attachment/5456435/+files/Screenshot%20from%202021-01-24%2016-36-07.png -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
maas gui https ** Attachment added: "Screenshot from 2021-01-24 16-48-21.png" https://bugs.launchpad.net/ubuntu/bionic/+source/python-httplib2/+bug/1906720/+attachment/5456434/+files/Screenshot%20from%202021-01-24%2016-48-21.png -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
** Description changed: - [Environment] + [Impact] - Bionic - python3-httplib2 | 0.9.2+dfsg-1ubuntu0.2 - MAAS - 2.8.2 - - [Description] - - maas cli fails to work with apis over https with self-signed certificates due to the lack - of disable_ssl_certificate_validation option with python 3.5. - - [Distribution/Release, Package versions, Platform] - cat /etc/lsb-release; dpkg -l | grep maas - DISTRIB_ID=Ubuntu - DISTRIB_RELEASE=18.04 - DISTRIB_CODENAME=bionic - DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS" - ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a physical cloud and IPAM - ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and command-line interface - ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common files - ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server - ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy - ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack Controller for MAAS - ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region controller API service for MAAS - ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region Controller for MAAS - ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server Django web framework (Python 3) - ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS python API client (Python 3) - ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server provisioning libraries (Python 3) + * On Bionic, MAAS CLI fails to work with apis over https with self-signed +certificates due to broken disable_ssl_certificate_validation option +with python 3.5 and later. [Steps to Reproduce] - - prepare a maas server(installed by packages for me and the customer). it doesn't have to be HA to reproduce - - prepare a set of certificate, key and ca-bundle - - place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` - - add the ca certificates to the host - sudo mkdir /usr/share/ca-certificates/extra - sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ - dpkg-reconfigure ca-certificates - - login with a new profile over https url - - when not added the ca-bundle to the trusted ca cert store, it fails to login and '--insecure' flag also doesn't work[3] + 1. prepare a maas server (it doesn't have to be HA to reproduce) + 2. prepare a set of certificate, key and ca-bundle + 3. place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl + restart nginx` + 4. add the ca certificates to the host + sudo mkdir /usr/share/ca-certificates/extra + sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ + dpkg-reconfigure ca-certificates + 5. login with a new profile over https url + 6. if the certificate is not trusted by the root store, it fails to login + 7. adding the '--insecure' flag should disable the certificate check - [Known Workarounds] - None + [Where problems could occur] - [Test] - # Note even though this change only affects Python3 - # I tested it with Python2 with no issues and was able to connect. - Also please make note of the 2 packages. One is for Python2 the other Python3 + * Potential issues could happen if we disable certificate validation for +all TLS interactions, any connection https related. - Python2 ===> python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb - Python3 ===> python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb + * Should not break existing python3 versions. + + * Should not affect previously working python2 versions. + + [Other Info] + + This change should fix the issue with python3, and you should be able + to connect with python2 as before. + + python2 => python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb + python3 => python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1906720 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
** No longer affects: maas (Ubuntu) ** No longer affects: maas (Ubuntu Bionic) ** No longer affects: maas (Ubuntu Focal) ** No longer affects: maas (Ubuntu Groovy) ** No longer affects: maas (Ubuntu Hirsute) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
** Description changed:
[Environment]
Bionic
python3-httplib2 | 0.9.2+dfsg-1ubuntu0.2
+ MAAS - 2.8.2
[Description]
maas cli fails to work with apis over https with self-signed certificates due
to the lack
of disable_ssl_certificate_validation option with python 3.5.
[Distribution/Release, Package versions, Platform]
cat /etc/lsb-release; dpkg -l | grep maas
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS"
ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a
physical cloud and IPAM
ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and
command-line interface
ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common
files
ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server
ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy
ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack
Controller for MAAS
ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region
controller API service for MAAS
ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region
Controller for MAAS
ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS
server Django web framework (Python 3)
ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS
python API client (Python 3)
ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1
all MAAS server provisioning libraries (Python 3)
[Steps to Reproduce]
- prepare a maas server(installed by packages for me and the customer). it
doesn't have to be HA to reproduce
- prepare a set of certificate, key and ca-bundle
- place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart
nginx`
- add the ca certificates to the host
sudo mkdir /usr/share/ca-certificates/extra
sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/
dpkg-reconfigure ca-certificates
- login with a new profile over https url
- when not added the ca-bundle to the trusted ca cert store, it fails to
login and '--insecure' flag also doesn't work[3]
[Known Workarounds]
None
[Test]
# Note even though this change only affects Python3
# I tested it with Python2 with no issues and was able to connect.
Also please make note of the 2 packages. One is for Python2 the other Python3
Python2 ===> python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
Python3 ===> python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
helpful urls:
https://maas.io/docs/deb/2.8/cli/installation
https://maas.io/docs/deb/2.8/cli/configuration-journey
https://maas.io/docs/deb/2.8/ui/configuration-journey
# create bionic VM/lxc container
lxc launch ubuntu:bionic lp1906720
# get source code from repo
pull-lp-source python-httplib2 bionic
# install maas-cli
apt-get install maas-cli
# install maas server
apt-get install maas
# init maas
sudo maas init
# answer questions
# generate self signed cert and key
openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt
-keyout localhost.key
# add certs
sudo cp -v test.crt /usr/share/ca-certificates/extra/
# add new cert to list
sudo dpkg-reconfigure ca-certificates
# select yes with spacebar
# save
# create api key files
touch api_key
touch api-key-file
# remove any packages with this
# or this python3-httplib2
apt-cache search python-httplib2
apt-get remove python-httplib2
apt-get remove python3-httplib2
# create 2 admin users
sudo maas createadmin testadmin
sudo maas createadmin secureadmin
# generate maas api keys
sudo maas apikey --username=testadmin > api_key
sudo maas apikey --username=secureadmin > api-key-file
# make sure you can login to maas-cli without TLS
# by running this script
# this is for the non-tls user
# this goes into a script called maas-login.sh
touch maas-login.sh
sudo chmod +rwx maas-login.sh
#!/bin/sh
PROFILE=testadmin
API_KEY_FILE=/home/ubuntu/api_key
API_SERVER=127.0.0.1:5240
MAAS_URL=http://$API_SERVER/MAAS
maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
sudo chmod +rwx https-maas.sh
# another script called https-maas.sh
# for the tls user
#!/bin/sh
PROFILE=secureadmin
API_KEY_FILE=/home/ubuntu/api-key-file
API_SERVER=127.0.0.1
MAAS_URL=https://$API_SERVER/MAAS
maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE
+ # TODO: add setup for ngnix config
+
+
# try to login
./maas-login.sh
cd /etc/nginx/sites-enabled
sudo touch maas-https-default
#example nginx config for maas https
server {
listen 443 ssl http2;
server_name _;
ssl_certificate /home/ubuntu/localhost.crt;
ssl_certificate_key /home/ubuntu/localhost.key;
location / {
proxy_pass
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
Linking directly related bug https://bugs.launchpad.net/maas/+bug/1891201 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/maas/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
original problem: maas cli fails to work with apis over https with self-signed certificates due to the lack of disable_ssl_certificate_validation option with python 3.5. [0] attachment MAAS version (2.8.2) Python version (3.5 or less) Based on Robie's comment. there are 2 options 1. we continue to sru this patch 2. we ask for a monkey patch to MAAS One recent previously monkey patched by MAAS https://bugs.launchpad.net/maas/+bug/1741913 ** Attachment added: "Screenshot from 2020-12-15 12-48-12.png" https://bugs.launchpad.net/ubuntu/+source/maas/+bug/1906720/+attachment/5455213/+files/Screenshot%20from%202020-12-15%2012-48-12.png -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/maas/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
** Description changed:
[Environment]
Bionic
python3-httplib2 | 0.9.2+dfsg-1ubuntu0.2
[Description]
maas cli fails to work with apis over https with self-signed certificates due
to the lack
of disable_ssl_certificate_validation option with python 3.5.
[Distribution/Release, Package versions, Platform]
cat /etc/lsb-release; dpkg -l | grep maas
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS"
ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a
physical cloud and IPAM
ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and
command-line interface
ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common
files
ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server
ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy
ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack
Controller for MAAS
ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region
controller API service for MAAS
ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region
Controller for MAAS
ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS
server Django web framework (Python 3)
ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS
python API client (Python 3)
ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1
all MAAS server provisioning libraries (Python 3)
[Steps to Reproduce]
- prepare a maas server(installed by packages for me and the customer). it
doesn't have to be HA to reproduce
- prepare a set of certificate, key and ca-bundle
- place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart
nginx`
- add the ca certificates to the host
sudo mkdir /usr/share/ca-certificates/extra
sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/
dpkg-reconfigure ca-certificates
- login with a new profile over https url
- when not added the ca-bundle to the trusted ca cert store, it fails to
login and '--insecure' flag also doesn't work[3]
[Known Workarounds]
None
[Test]
# Note even though this change only affects Python3
# I tested it with Python2 with no issues and was able to connect.
Also please make note of the 2 packages. One is for Python2 the other Python3
Python2 ===> python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
Python3 ===> python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
helpful urls:
https://maas.io/docs/deb/2.8/cli/installation
https://maas.io/docs/deb/2.8/cli/configuration-journey
https://maas.io/docs/deb/2.8/ui/configuration-journey
# create bionic VM/lxc container
lxc launch ubuntu:bionic lp1906720
# get source code from repo
pull-lp-source python-httplib2 bionic
# install maas-cli
apt-get install maas-cli
# install maas server
apt-get install maas
# init maas
sudo maas init
# answer questions
# generate self signed cert and key
openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt
-keyout localhost.key
# add certs
sudo cp -v test.crt /usr/share/ca-certificates/extra/
# add new cert to list
sudo dpkg-reconfigure ca-certificates
# select yes with spacebar
# save
# create api key files
touch api_key
touch api-key-file
# remove any packages with this
# or this python3-httplib2
apt-cache search python-httplib2
apt-get remove python-httplib2
apt-get remove python3-httplib2
# create 2 admin users
sudo maas createadmin testadmin
sudo maas createadmin secureadmin
# generate maas api keys
sudo maas apikey --username=testadmin > api_key
sudo maas apikey --username=secureadmin > api-key-file
# make sure you can login to maas-cli without TLS
# by running this script
# this is for the non-tls user
# this goes into a script called maas-login.sh
touch maas-login.sh
sudo chmod +rwx maas-login.sh
#!/bin/sh
PROFILE=testadmin
API_KEY_FILE=/home/ubuntu/api_key
API_SERVER=127.0.0.1:5240
MAAS_URL=http://$API_SERVER/MAAS
maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
sudo chmod +rwx https-maas.sh
# another script called https-maas.sh
# for the tls user
#!/bin/sh
PROFILE=secureadmin
API_KEY_FILE=/home/ubuntu/api-key-file
API_SERVER=127.0.0.1
MAAS_URL=https://$API_SERVER/MAAS
maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE
# try to login
./maas-login.sh
cd /etc/nginx/sites-enabled
sudo touch maas-https-default
#example nginx config for maas https
server {
listen 443 ssl http2;
server_name _;
ssl_certificate /home/ubuntu/localhost.crt;
ssl_certificate_key /home/ubuntu/localhost.key;
location / {
proxy_pass http://localhost:5240;
include /etc/nginx/proxy_params;
}
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
** Also affects: maas (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/maas/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
** Description changed:
[Environment]
Bionic
python3-httplib2 | 0.9.2+dfsg-1ubuntu0.2
[Description]
maas cli fails to work with apis over https with self-signed certificates due
to the lack
of disable_ssl_certificate_validation option with python 3.5.
[Distribution/Release, Package versions, Platform]
cat /etc/lsb-release; dpkg -l | grep maas
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS"
ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a
physical cloud and IPAM
ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and
command-line interface
ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common
files
ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server
ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy
ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack
Controller for MAAS
ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region
controller API service for MAAS
ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region
Controller for MAAS
ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS
server Django web framework (Python 3)
ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS
python API client (Python 3)
ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1
all MAAS server provisioning libraries (Python 3)
[Steps to Reproduce]
- prepare a maas server(installed by packages for me and the customer). it
doesn't have to be HA to reproduce
- prepare a set of certificate, key and ca-bundle
- place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart
nginx`
- add the ca certificates to the host
sudo mkdir /usr/share/ca-certificates/extra
sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/
dpkg-reconfigure ca-certificates
- login with a new profile over https url
- when not added the ca-bundle to the trusted ca cert store, it fails to
login and '--insecure' flag also doesn't work[3]
[Known Workarounds]
None
[Test]
# Note even though this change only affects Python3
# I tested it with Python2 with no issues and was able to connect.
Also please make note of the 2 packages. One is for Python2 the other Python3
Python2 ===> python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
Python3 ===> python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
helpful urls:
https://maas.io/docs/deb/2.8/cli/installation
https://maas.io/docs/deb/2.8/cli/configuration-journey
https://maas.io/docs/deb/2.8/ui/configuration-journey
# create bionic VM/lxc container
lxc launch ubuntu:bionic lp1906720
# get source code from repo
pull-lp-source python-httplib2 bionic
# install maas-cli
apt-get install maas-cli
# install maas server
apt-get install maas
# init maas
sudo maas init
# answer questions
# generate self signed cert and key
openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt
-keyout localhost.key
# add certs
sudo cp -v test.crt /usr/share/ca-certificates/extra/
# add new cert to list
sudo dpkg-reconfigure ca-certificates
# select yes with spacebar
# save
# create api key files
touch api_key
touch api-key-file
# remove any packages with this
# or this python3-httplib2
apt-cache search python-httplib2
apt-get remove python-httplib2
apt-get remove python3-httplib2
# create 2 admin users
sudo maas createadmin testadmin
sudo maas createadmin secureadmin
# generate maas api keys
sudo maas apikey --username=testadmin > api_key
sudo maas apikey --username=secureadmin > api-key-file
# make sure you can login to maas-cli without TLS
# by running this script
# this is for the non-tls user
# this goes into a script called maas-login.sh
touch maas-login.sh
sudo chmod +rwx maas-login.sh
#!/bin/sh
PROFILE=testadmin
API_KEY_FILE=/home/ubuntu/api_key
API_SERVER=127.0.0.1:5240
MAAS_URL=http://$API_SERVER/MAAS
maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
sudo chmod +rwx https-maas.sh
# another script called https-maas.sh
# for the tls user
#!/bin/sh
PROFILE=secureadmin
API_KEY_FILE=/home/ubuntu/api-key-file
API_SERVER=127.0.0.1
MAAS_URL=https://$API_SERVER/MAAS
maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE
# try to login
./maas-login.sh
cd /etc/nginx/sites-enabled
sudo touch maas-https-default
#example nginx config for maas https
server {
listen 443 ssl http2;
server_name _;
ssl_certificate /home/ubuntu/localhost.crt;
ssl_certificate_key /home/ubuntu/localhost.key;
location / {
proxy_pass http://localhost:5240;
include /etc/nginx/proxy_params;
}
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
[sts-sponsor] I re-uploaded, because it was already, but I agree that before changing back Bionic's status to 'in progress' we need [where problem could occurs] section. - Eric -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
[sts-sponsor] The patch name in d/change was inconsistent with what found in d/p and d/p/series I fixed d/changelog accordingly, and re-upload. For SRU team, please consider the most recent upload and reject the oldest one. - Eric -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
heathers new v2 debdiff, corrected the d/p/lp# in the changelog ** Patch added: "python-httplib2-bionic-lp1906720.debdiff" https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+attachment/5454956/+files/python-httplib2-bionic-lp1906720.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
** Description changed:
[Environment]
Bionic
python3-httplib2 | 0.9.2+dfsg-1ubuntu0.2
[Description]
maas cli fails to work with apis over https with self-signed certificates due
to the lack
of disable_ssl_certificate_validation option with python 3.5.
[Distribution/Release, Package versions, Platform]
cat /etc/lsb-release; dpkg -l | grep maas
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS"
ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a
physical cloud and IPAM
ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and
command-line interface
ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common
files
ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server
ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy
ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack
Controller for MAAS
ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region
controller API service for MAAS
ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region
Controller for MAAS
ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS
server Django web framework (Python 3)
ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS
python API client (Python 3)
ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1
all MAAS server provisioning libraries (Python 3)
[Steps to Reproduce]
- prepare a maas server(installed by packages for me and the customer). it
doesn't have to be HA to reproduce
- prepare a set of certificate, key and ca-bundle
- place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart
nginx`
- add the ca certificates to the host
sudo mkdir /usr/share/ca-certificates/extra
sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/
dpkg-reconfigure ca-certificates
- login with a new profile over https url
- when not added the ca-bundle to the trusted ca cert store, it fails to
login and '--insecure' flag also doesn't work[3]
[Known Workarounds]
None
[Test]
# Note even though this change only affects Python3
# I tested it with Python2 with no issues and was able to connect.
- Also please make note of the 2 packages. One is for Python2 the other Python3
+ Also please make note of the 2 packages. One is for Python2 the other Python3
Python2 ===> python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
Python3 ===> python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb
helpful urls:
https://maas.io/docs/deb/2.8/cli/installation
https://maas.io/docs/deb/2.8/cli/configuration-journey
https://maas.io/docs/deb/2.8/ui/configuration-journey
# create bionic VM/lxc container
- lxc launch ubuntu:bionic lp1820083
+ lxc launch ubuntu:bionic lp1906720
# get source code from repo
pull-lp-source python-httplib2 bionic
# install maas-cli
apt-get install maas-cli
# install maas server
apt-get install maas
# init maas
sudo maas init
# answer questions
# generate self signed cert and key
openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt
-keyout localhost.key
# add certs
sudo cp -v test.crt /usr/share/ca-certificates/extra/
# add new cert to list
sudo dpkg-reconfigure ca-certificates
# select yes with spacebar
# save
# create api key files
touch api_key
touch api-key-file
# remove any packages with this
# or this python3-httplib2
apt-cache search python-httplib2
apt-get remove python-httplib2
apt-get remove python3-httplib2
# create 2 admin users
sudo maas createadmin testadmin
sudo maas createadmin secureadmin
# generate maas api keys
sudo maas apikey --username=testadmin > api_key
sudo maas apikey --username=secureadmin > api-key-file
# make sure you can login to maas-cli without TLS
# by running this script
# this is for the non-tls user
# this goes into a script called maas-login.sh
touch maas-login.sh
sudo chmod +rwx maas-login.sh
#!/bin/sh
PROFILE=testadmin
API_KEY_FILE=/home/ubuntu/api_key
API_SERVER=127.0.0.1:5240
MAAS_URL=http://$API_SERVER/MAAS
maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
sudo chmod +rwx https-maas.sh
# another script called https-maas.sh
# for the tls user
#!/bin/sh
PROFILE=secureadmin
API_KEY_FILE=/home/ubuntu/api-key-file
API_SERVER=127.0.0.1
MAAS_URL=https://$API_SERVER/MAAS
maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE
# try to login
./maas-login.sh
cd /etc/nginx/sites-enabled
sudo touch maas-https-default
#example nginx config for maas https
server {
listen 443 ssl http2;
server_name _;
ssl_certificate /home/ubuntu/localhost.crt;
ssl_certificate_key
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
Please add a regression analysis as required by https://wiki.ubuntu.com/StableReleaseUpdates#Procedure. In particular, please take some steps here to make sure that we don't accidentally disable certificate validation across the board - since that would have severe consequences, we're messing with "should we check the certificate" code, and the problem wouldn't be detected just by checking this bug is fixed. That's the most obvious possible issue to me, but please consider and add anything else relevant. ** Changed in: python-httplib2 (Ubuntu Bionic) Status: In Progress => Incomplete -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
Did you also remove the 0002 from the d/p/ at the top of the changelog? + * d/p/0002-lp1906720-Make-disable_ssl_certificate_validation-work- wit.patch On Tue, Jan 19, 2021 at 3:31 PM Dan Streetman <1906...@bugs.launchpad.net> wrote: > uploaded to bionic, thanks @hypothetical-lemon > > -- > You received this bug notification because you are a bug assignee. > https://bugs.launchpad.net/bugs/1906720 > > Title: > Fix the disable_ssl_certificate_validation option > > Status in python-httplib2 package in Ubuntu: > Fix Released > Status in python-httplib2 source package in Bionic: > In Progress > Status in python-httplib2 source package in Focal: > Fix Released > Status in python-httplib2 source package in Groovy: > Fix Released > Status in python-httplib2 source package in Hirsute: > Fix Released > > Bug description: > [Environment] > > Bionic > python3-httplib2 | 0.9.2+dfsg-1ubuntu0.2 > > [Description] > > maas cli fails to work with apis over https with self-signed > certificates due to the lack > of disable_ssl_certificate_validation option with python 3.5. > > [Distribution/Release, Package versions, Platform] > cat /etc/lsb-release; dpkg -l | grep maas > DISTRIB_ID=Ubuntu > DISTRIB_RELEASE=18.04 > DISTRIB_CODENAME=bionic > DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS" > ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" > is a physical cloud and IPAM > ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and > command-line interface > ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server > common files > ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server > ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching > Proxy > ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack > Controller for MAAS > ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region > controller API service for MAAS > ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all > Region Controller for MAAS > ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS > server Django web framework (Python 3) > ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS > python API client (Python 3) > ii python3-maas-provisioningserver > 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server provisioning > libraries (Python 3) > > [Steps to Reproduce] > > - prepare a maas server(installed by packages for me and the customer). > it doesn't have to be HA to reproduce > - prepare a set of certificate, key and ca-bundle > - place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl > restart nginx` > - add the ca certificates to the host > sudo mkdir /usr/share/ca-certificates/extra > sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ > dpkg-reconfigure ca-certificates > - login with a new profile over https url > - when not added the ca-bundle to the trusted ca cert store, it fails to > login and '--insecure' flag also doesn't work[3] > > [Known Workarounds] > None > > [Test] > # Note even though this change only affects Python3 > # I tested it with Python2 with no issues and was able to connect. > Also please make note of the 2 packages. One is for Python2 the other > Python3 > > Python2 ===> python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb > Python3 ===> python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb > > helpful urls: > https://maas.io/docs/deb/2.8/cli/installation > https://maas.io/docs/deb/2.8/cli/configuration-journey > https://maas.io/docs/deb/2.8/ui/configuration-journey > > # create bionic VM/lxc container > lxc launch ubuntu:bionic lp1820083 > > # get source code from repo > pull-lp-source python-httplib2 bionic > > # install maas-cli > apt-get install maas-cli > > # install maas server > apt-get install maas > > # init maas > sudo maas init > > # answer questions > > # generate self signed cert and key > openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out > localhost.crt -keyout localhost.key > > # add certs > sudo cp -v test.crt /usr/share/ca-certificates/extra/ > > # add new cert to list > sudo dpkg-reconfigure ca-certificates > > # select yes with spacebar > # save > > # create api key files > touch api_key > touch api-key-file > > # remove any packages with this > # or this python3-httplib2 > apt-cache search python-httplib2 > apt-get remove python-httplib2 > apt-get remove python3-httplib2 > > # create 2 admin users > sudo maas createadmin testadmin > sudo maas createadmin secureadmin > > # generate maas api keys > sudo maas apikey --username=testadmin > api_key > sudo maas apikey --username=secureadmin > api-key-file > > # make sure you can login to maas-cli without TLS > # by running this script > # this is for the non-tls user > # this goes into a script called
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
Did you also remove the 0002 from the changelog? + * d/p/0002-lp1906720-Make-disable_ssl_certificate_validation-work- wit.patch -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
attached updated debdiff with just minor adjustments: - added tag "LP: #1906720" to changelog entry - ran 'quilt refresh' on patch to fix offsets - added DEP3 fields to patch (https://dep-team.pages.debian.net/deps/dep3/) (in general, at least Origin: and Bug-Ubuntu: fields should be added) - renamed patch to remove leading '0002-' (just personal preference for patch naming) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
uploaded to bionic, thanks @hypothetical-lemon -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
** Patch added: "lp1906720-b.debdiff" https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+attachment/5454694/+files/lp1906720-b.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
** Tags added: sts sts-sponsor-ddstreet -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
reattached updated debdiff ** Patch added: "python-httplib2-bionic-lp1906720.debdiff" https://bugs.launchpad.net/ubuntu/bionic/+source/python-httplib2/+bug/1906720/+attachment/5444323/+files/python-httplib2-bionic-lp1906720.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
I've tested with Python 2.7.17 (latest for bionic), as well as Python 3.6.9 (latest) and did not have any issues compiling or running. Yes, I believe this is backwards compatible with < Python3.5. I will omit any further mention of Python2, since I believe your question was directed towards Python3 compatibility. In the debian/control there is this statement: Build-Depends: debhelper (>= 9), dh-python, python-all (>= 2.6.6-3~), python3-all (>= 3.1.2-10) "Build-Depends" which comes from here: https://www.debian.org/doc/debian-policy/ch-relationships.html#relationships-between-source-and-binary-packages-build-depends-build-depends-indep-build-depends-arch-build-conflicts-build-conflicts-indep-build-conflicts-arch - "The dependencies and conflicts they define must be satisfied (as defined earlier for binary packages) in order to invoke the targets in debian/rules". ** Patch removed: "python-httplib2-bionic-lp1906720.debdiff" https://bugs.launchpad.net/ubuntu/bionic/+source/python-httplib2/+bug/1906720/+attachment/5443988/+files/python-httplib2-bionic-lp1906720.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
** Description changed:
[Environment]
Bionic
python3-httplib2 | 0.9.2+dfsg-1ubuntu0.2
[Description]
maas cli fails to work with apis over https with self-signed certificates due
to the lack
of disable_ssl_certificate_validation option with python 3.5.
[Distribution/Release, Package versions, Platform]
cat /etc/lsb-release; dpkg -l | grep maas
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS"
ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a
physical cloud and IPAM
ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and
command-line interface
ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common
files
ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server
ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy
ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack
Controller for MAAS
ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region
controller API service for MAAS
ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region
Controller for MAAS
ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS
server Django web framework (Python 3)
ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS
python API client (Python 3)
ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1
all MAAS server provisioning libraries (Python 3)
[Steps to Reproduce]
- prepare a maas server(installed by packages for me and the customer). it
doesn't have to be HA to reproduce
- prepare a set of certificate, key and ca-bundle
- place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart
nginx`
- add the ca certificates to the host
sudo mkdir /usr/share/ca-certificates/extra
sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/
dpkg-reconfigure ca-certificates
- login with a new profile over https url
- when not added the ca-bundle to the trusted ca cert store, it fails to
login and '--insecure' flag also doesn't work[3]
[Known Workarounds]
None
[Test]
-
+ # Note even though this change only affects Python3
+ # I tested it with Python2 with no issues and was able to connect.
helpful urls:
https://maas.io/docs/deb/2.8/cli/installation
https://maas.io/docs/deb/2.8/cli/configuration-journey
https://maas.io/docs/deb/2.8/ui/configuration-journey
# create bionic VM/lxc container
lxc launch ubuntu:bionic lp1820083
# get source code from repo
pull-lp-source python-httplib2 bionic
# install maas-cli
apt-get install maas-cli
# install maas server
apt-get install maas
# init maas
sudo maas init
# answer questions
# generate self signed cert and key
openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt
-keyout localhost.key
# add certs
sudo cp -v test.crt /usr/share/ca-certificates/extra/
# add new cert to list
sudo dpkg-reconfigure ca-certificates
# select yes with spacebar
# save
# create api key files
touch api_key
touch api-key-file
# remove any packages with this
# or this python3-httplib2
apt-cache search python-httplib2
apt-get remove python-httplib2
apt-get remove python3-httplib2
# create 2 admin users
sudo maas createadmin testadmin
sudo maas createadmin secureadmin
# generate maas api keys
sudo maas apikey --username=testadmin > api_key
sudo maas apikey --username=secureadmin > api-key-file
# make sure you can login to maas-cli without TLS
# by running this script
# this is for the non-tls user
# this goes into a script called maas-login.sh
touch maas-login.sh
sudo chmod +rwx maas-login.sh
#!/bin/sh
PROFILE=testadmin
API_KEY_FILE=/home/ubuntu/api_key
API_SERVER=127.0.0.1:5240
MAAS_URL=http://$API_SERVER/MAAS
maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
sudo chmod +rwx https-maas.sh
# another script called https-maas.sh
# for the tls user
#!/bin/sh
PROFILE=secureadmin
API_KEY_FILE=/home/ubuntu/api-key-file
API_SERVER=127.0.0.1
MAAS_URL=https://$API_SERVER/MAAS
maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE
# try to login
./maas-login.sh
cd /etc/nginx/sites-enabled
sudo touch maas-https-default
#example nginx config for maas https
server {
listen 443 ssl http2;
server_name _;
ssl_certificate /home/ubuntu/localhost.crt;
ssl_certificate_key /home/ubuntu/localhost.key;
location / {
proxy_pass http://localhost:5240;
include /etc/nginx/proxy_params;
}
location /MAAS/ws {
proxy_pass http://127.0.0.1:5240/MAAS/ws;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
** Description changed: [Environment] Bionic python3-httplib2 | 0.9.2+dfsg-1ubuntu0.2 [Description] maas cli fails to work with apis over https with self-signed certificates due to the lack of disable_ssl_certificate_validation option with python 3.5. [Distribution/Release, Package versions, Platform] cat /etc/lsb-release; dpkg -l | grep maas DISTRIB_ID=Ubuntu DISTRIB_RELEASE=18.04 DISTRIB_CODENAME=bionic DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS" ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a physical cloud and IPAM ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and command-line interface ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common files ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack Controller for MAAS ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region controller API service for MAAS ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region Controller for MAAS ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server Django web framework (Python 3) ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS python API client (Python 3) ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server provisioning libraries (Python 3) [Steps to Reproduce] - prepare a maas server(installed by packages for me and the customer). it doesn't have to be HA to reproduce - prepare a set of certificate, key and ca-bundle - place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` - add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates - login with a new profile over https url - when not added the ca-bundle to the trusted ca cert store, it fails to login and '--insecure' flag also doesn't work[3] [Known Workarounds] None [Test] - helpful urls: + + helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1820083 # get source code from repo pull-lp-source python-httplib2 bionic - # install maas-cli + # install maas-cli apt-get install maas-cli - # install maas server - apt-get install maas + # install maas server + apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key - openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key + openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key - # add certs + # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates - # select yes with spacebar - # save + # select yes with spacebar + # save - # create api key files + # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 - apt-get remove python-httplib2 - apt-get remove python3-httplib2 + apt-get remove python-httplib2 + apt-get remove python3-httplib2 - # create 2 admin users - sudo maas createadmin testadmin - sudo maas createadmin secureadmin + # create 2 admin users + sudo maas createadmin testadmin + sudo maas createadmin secureadmin - # generate maas api keys + # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file - # make sure you can login to maas-cli without TLS - # by running this script - # this is for the non-tls user + # make sure you can login to maas-cli without TLS + # by running this script + # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE sudo chmod +rwx https-maas.sh - # another script called https-maas.sh + # another script called https-maas.sh # for the tls user #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE - # try to login + # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
# d/control:
Package: python-httplib2
Architecture: all
Depends: ${python:Depends},
...
Description: comprehensive HTTP client library written for Python
httplib2.py supports many features left out of other HTTP libraries.
This package provides module for python2 series.
Package: python3-httplib2
Architecture: all
Depends: ${python3:Depends},
...
This package provides module for python3 series.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1906720
Title:
Fix the disable_ssl_certificate_validation option
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
[sts-sponsors] Would this fix be backward compatible with < py3.5 ? or that would require py35 onward to work ? Bionic has both py2 and py3 and this package is built for both. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
** Changed in: python-httplib2 (Ubuntu Bionic) Importance: Undecided => Medium -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
bionic python-httplib2 debdiff ** Patch added: "python-httplib2-bionic-lp1906720.debdiff" https://bugs.launchpad.net/ubuntu/bionic/+source/python-httplib2/+bug/1906720/+attachment/5443988/+files/python-httplib2-bionic-lp1906720.debdiff -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
** Description changed:
[Environment]
- Bionic
- python3-httplib2 | 0.9.2+dfsg-1ubuntu0.2
+ Bionic
+ python3-httplib2 | 0.9.2+dfsg-1ubuntu0.2
[Description]
maas cli fails to work with apis over https with self-signed certificates due
to the lack
of disable_ssl_certificate_validation option with python 3.5.
-
[Distribution/Release, Package versions, Platform]
cat /etc/lsb-release; dpkg -l | grep maas
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS"
ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a
physical cloud and IPAM
ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and
command-line interface
ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common
files
ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server
ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy
ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack
Controller for MAAS
ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region
controller API service for MAAS
ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region
Controller for MAAS
ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS
server Django web framework (Python 3)
ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS
python API client (Python 3)
ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1
all MAAS server provisioning libraries (Python 3)
[Steps to Reproduce]
- prepare a maas server(installed by packages for me and the customer). it
doesn't have to be HA to reproduce
- prepare a set of certificate, key and ca-bundle
- place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart
nginx`
- add the ca certificates to the host
sudo mkdir /usr/share/ca-certificates/extra
sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/
dpkg-reconfigure ca-certificates
- login with a new profile over https url
- when not added the ca-bundle to the trusted ca cert store, it fails to
login and '--insecure' flag also doesn't work[3]
[Known Workarounds]
None
+
+ [Test]
+ helpful urls:
+ https://maas.io/docs/deb/2.8/cli/installation
+ https://maas.io/docs/deb/2.8/cli/configuration-journey
+ https://maas.io/docs/deb/2.8/ui/configuration-journey
+
+ # create bionic VM/lxc container
+ lxc launch ubuntu:bionic lp1820083
+
+ # get source code from repo
+ pull-lp-source python-httplib2 bionic
+
+ # install maas-cli
+ apt-get install maas-cli
+
+ # install maas server
+ apt-get install maas
+
+ # init maas
+ sudo maas init
+
+ # answer questions
+
+ # generate self signed cert and key
+ openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt
-keyout localhost.key
+
+ # add certs
+ sudo cp -v test.crt /usr/share/ca-certificates/extra/
+
+ # add new cert to list
+ sudo dpkg-reconfigure ca-certificates
+
+ # select yes with spacebar
+ # save
+
+ # create api key files
+ touch api_key
+ touch api-key-file
+
+ # remove any packages with this
+ # or this python3-httplib2
+ apt-cache search python-httplib2
+ apt-get remove python-httplib2
+ apt-get remove python3-httplib2
+
+ # create 2 admin users
+ sudo maas createadmin testadmin
+ sudo maas createadmin secureadmin
+
+ # generate maas api keys
+ sudo maas apikey --username=testadmin > api_key
+ sudo maas apikey --username=secureadmin > api-key-file
+
+ # make sure you can login to maas-cli without TLS
+ # by running this script
+ # this is for the non-tls user
+ # this goes into a script called maas-login.sh
+ touch maas-login.sh
+ sudo chmod +rwx maas-login.sh
+
+ #!/bin/sh
+ PROFILE=testadmin
+ API_KEY_FILE=/home/ubuntu/api_key
+ API_SERVER=127.0.0.1:5240
+
+ MAAS_URL=http://$API_SERVER/MAAS
+
+ maas login $PROFILE $MAAS_URL - < $API_KEY_FILE
+
+ sudo chmod +rwx https-maas.sh
+ # another script called https-maas.sh
+ # for the tls user
+
+ #!/bin/sh
+ PROFILE=secureadmin
+ API_KEY_FILE=/home/ubuntu/api-key-file
+ API_SERVER=127.0.0.1
+
+ MAAS_URL=https://$API_SERVER/MAAS
+
+ maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE
+
+
+ # try to login
+ ./maas-login.sh
+
+ cd /etc/nginx/sites-enabled
+ sudo touch maas-https-default
+ #example nginx config for maas https
+ server {
+ listen 443 ssl http2;
+
+ server_name _;
+ ssl_certificate /home/ubuntu/localhost.crt;
+ ssl_certificate_key /home/ubuntu/localhost.key;
+
+ location / {
+ proxy_pass http://localhost:5240;
+ include /etc/nginx/proxy_params;
+ }
+
+ location /MAAS/ws {
+ proxy_pass http://127.0.0.1:5240/MAAS/ws;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ }
+ }
+
+ # create link
+ sudo ln -s
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
** Changed in: python-httplib2 (Ubuntu Bionic) Status: Confirmed => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
** Changed in: python-httplib2 (Ubuntu Bionic) Assignee: (unassigned) => Heather Lemon (hypothetical-lemon) ** Changed in: python-httplib2 (Ubuntu Groovy) Assignee: (unassigned) => Heather Lemon (hypothetical-lemon) ** Changed in: python-httplib2 (Ubuntu Hirsute) Assignee: (unassigned) => Heather Lemon (hypothetical-lemon) ** Changed in: python-httplib2 (Ubuntu Focal) Assignee: (unassigned) => Heather Lemon (hypothetical-lemon) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1906720] Re: Fix the disable_ssl_certificate_validation option
Backport fix https://github.com/httplib2/httplib2/pull/15 into bionic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
