Did you also remove the 0002 from the d/p/ at the top of the changelog? + * d/p/0002-lp1906720-Make-disable_ssl_certificate_validation-work- wit.patch
On Tue, Jan 19, 2021 at 3:31 PM Dan Streetman <[email protected]> wrote: > uploaded to bionic, thanks @hypothetical-lemon > > -- > You received this bug notification because you are a bug assignee. > https://bugs.launchpad.net/bugs/1906720 > > Title: > Fix the disable_ssl_certificate_validation option > > Status in python-httplib2 package in Ubuntu: > Fix Released > Status in python-httplib2 source package in Bionic: > In Progress > Status in python-httplib2 source package in Focal: > Fix Released > Status in python-httplib2 source package in Groovy: > Fix Released > Status in python-httplib2 source package in Hirsute: > Fix Released > > Bug description: > [Environment] > > Bionic > python3-httplib2 | 0.9.2+dfsg-1ubuntu0.2 > > [Description] > > maas cli fails to work with apis over https with self-signed > certificates due to the lack > of disable_ssl_certificate_validation option with python 3.5. > > [Distribution/Release, Package versions, Platform] > cat /etc/lsb-release; dpkg -l | grep maas > DISTRIB_ID=Ubuntu > DISTRIB_RELEASE=18.04 > DISTRIB_CODENAME=bionic > DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS" > ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" > is a physical cloud and IPAM > ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and > command-line interface > ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server > common files > ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server > ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching > Proxy > ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack > Controller for MAAS > ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region > controller API service for MAAS > ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all > Region Controller for MAAS > ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS > server Django web framework (Python 3) > ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS > python API client (Python 3) > ii python3-maas-provisioningserver > 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server provisioning > libraries (Python 3) > > [Steps to Reproduce] > > - prepare a maas server(installed by packages for me and the customer). > it doesn't have to be HA to reproduce > - prepare a set of certificate, key and ca-bundle > - place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl > restart nginx` > - add the ca certificates to the host > sudo mkdir /usr/share/ca-certificates/extra > sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ > dpkg-reconfigure ca-certificates > - login with a new profile over https url > - when not added the ca-bundle to the trusted ca cert store, it fails to > login and '--insecure' flag also doesn't work[3] > > [Known Workarounds] > None > > [Test] > # Note even though this change only affects Python3 > # I tested it with Python2 with no issues and was able to connect. > Also please make note of the 2 packages. One is for Python2 the other > Python3 > > Python2 ===> python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb > Python3 ===> python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb > > helpful urls: > https://maas.io/docs/deb/2.8/cli/installation > https://maas.io/docs/deb/2.8/cli/configuration-journey > https://maas.io/docs/deb/2.8/ui/configuration-journey > > # create bionic VM/lxc container > lxc launch ubuntu:bionic lp1820083 > > # get source code from repo > pull-lp-source python-httplib2 bionic > > # install maas-cli > apt-get install maas-cli > > # install maas server > apt-get install maas > > # init maas > sudo maas init > > # answer questions > > # generate self signed cert and key > openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out > localhost.crt -keyout localhost.key > > # add certs > sudo cp -v test.crt /usr/share/ca-certificates/extra/ > > # add new cert to list > sudo dpkg-reconfigure ca-certificates > > # select yes with spacebar > # save > > # create api key files > touch api_key > touch api-key-file > > # remove any packages with this > # or this python3-httplib2 > apt-cache search python-httplib2 > apt-get remove python-httplib2 > apt-get remove python3-httplib2 > > # create 2 admin users > sudo maas createadmin testadmin > sudo maas createadmin secureadmin > > # generate maas api keys > sudo maas apikey --username=testadmin > api_key > sudo maas apikey --username=secureadmin > api-key-file > > # make sure you can login to maas-cli without TLS > # by running this script > # this is for the non-tls user > # this goes into a script called maas-login.sh > touch maas-login.sh > sudo chmod +rwx maas-login.sh > ---- > #!/bin/sh > PROFILE=testadmin > API_KEY_FILE=/home/ubuntu/api_key > API_SERVER=127.0.0.1:5240 > > MAAS_URL=http://$API_SERVER/MAAS > > maas login $PROFILE $MAAS_URL - < $API_KEY_FILE > ---- > sudo chmod +rwx https-maas.sh > # another script called https-maas.sh > # for the tls user > ---- > #!/bin/sh > PROFILE=secureadmin > API_KEY_FILE=/home/ubuntu/api-key-file > API_SERVER=127.0.0.1 > > MAAS_URL=https://$API_SERVER/MAAS > > maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE > ---- > > # try to login > ./maas-login.sh > > cd /etc/nginx/sites-enabled > sudo touch maas-https-default > #example nginx config for maas https > server { > listen 443 ssl http2; > > server_name _; > ssl_certificate /home/ubuntu/localhost.crt; > ssl_certificate_key /home/ubuntu/localhost.key; > > location / { > proxy_pass http://localhost:5240; > include /etc/nginx/proxy_params; > } > > location /MAAS/ws { > proxy_pass http://127.0.0.1:5240/MAAS/ws; > proxy_http_version 1.1; > proxy_set_header Upgrade $http_upgrade; > proxy_set_header Connection "Upgrade"; > } > } > > # create link > sudo ln -s /etc/nginx/sites-available/maas-https-default > /etc/nginx/sites-enabled > > # look at errors > cat /var/log/maas/regiond.log > cat regiond.log | grep "Python-http" > *i didn't see any 404's though > > 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET > /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: > Python-httplib2/0.9.2 (gzip)) > 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET > /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: > Python-httplib2/0.9.2 (gzip)) > 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET > /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: > Python-httplib2/0.9.2 (gzip)) > > # install fixed package > sudo apt install ./python3-httplib2_0.9.2+dfsg-1ubuntu0.2.1_all.deb > > To manage notifications about this bug go to: > > https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions > -- Heather Lemon Associate Software Engineer (STS Engineering) P: +1-719-415-8858 MM: hlemon | hypothetical-lemon www.canonical.com | www.ubuntu.com -- You received this bug notification because you are a member of STS Sponsors, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1906720 Title: Fix the disable_ssl_certificate_validation option Status in python-httplib2 package in Ubuntu: Fix Released Status in python-httplib2 source package in Bionic: In Progress Status in python-httplib2 source package in Focal: Fix Released Status in python-httplib2 source package in Groovy: Fix Released Status in python-httplib2 source package in Hirsute: Fix Released Bug description: [Environment] Bionic python3-httplib2 | 0.9.2+dfsg-1ubuntu0.2 [Description] maas cli fails to work with apis over https with self-signed certificates due to the lack of disable_ssl_certificate_validation option with python 3.5. [Distribution/Release, Package versions, Platform] cat /etc/lsb-release; dpkg -l | grep maas DISTRIB_ID=Ubuntu DISTRIB_RELEASE=18.04 DISTRIB_CODENAME=bionic DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS" ii maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all "Metal as a Service" is a physical cloud and IPAM ii maas-cli 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS client and command-line interface ii maas-common 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server common files ii maas-dhcp 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS DHCP server ii maas-proxy 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS Caching Proxy ii maas-rack-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Rack Controller for MAAS ii maas-region-api 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region controller API service for MAAS ii maas-region-controller 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all Region Controller for MAAS ii python3-django-maas 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server Django web framework (Python 3) ii python3-maas-client 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS python API client (Python 3) ii python3-maas-provisioningserver 2.8.2-8577-g.a3e674063-0ubuntu1~18.04.1 all MAAS server provisioning libraries (Python 3) [Steps to Reproduce] - prepare a maas server(installed by packages for me and the customer). it doesn't have to be HA to reproduce - prepare a set of certificate, key and ca-bundle - place a new conf[2] in /etc/nginx/sites-enabled and `sudo systemctl restart nginx` - add the ca certificates to the host sudo mkdir /usr/share/ca-certificates/extra sudo cp -v ca-bundle.crt /usr/share/ca-certificates/extra/ dpkg-reconfigure ca-certificates - login with a new profile over https url - when not added the ca-bundle to the trusted ca cert store, it fails to login and '--insecure' flag also doesn't work[3] [Known Workarounds] None [Test] # Note even though this change only affects Python3 # I tested it with Python2 with no issues and was able to connect. Also please make note of the 2 packages. One is for Python2 the other Python3 Python2 ===> python-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb Python3 ===> python3-httplib2_0.9.2+dfsg-1ubuntu0.3_all.deb helpful urls: https://maas.io/docs/deb/2.8/cli/installation https://maas.io/docs/deb/2.8/cli/configuration-journey https://maas.io/docs/deb/2.8/ui/configuration-journey # create bionic VM/lxc container lxc launch ubuntu:bionic lp1820083 # get source code from repo pull-lp-source python-httplib2 bionic # install maas-cli apt-get install maas-cli # install maas server apt-get install maas # init maas sudo maas init # answer questions # generate self signed cert and key openssl req -newkey rsa:4096 -x509 -sha256 -days 60 -nodes -out localhost.crt -keyout localhost.key # add certs sudo cp -v test.crt /usr/share/ca-certificates/extra/ # add new cert to list sudo dpkg-reconfigure ca-certificates # select yes with spacebar # save # create api key files touch api_key touch api-key-file # remove any packages with this # or this python3-httplib2 apt-cache search python-httplib2 apt-get remove python-httplib2 apt-get remove python3-httplib2 # create 2 admin users sudo maas createadmin testadmin sudo maas createadmin secureadmin # generate maas api keys sudo maas apikey --username=testadmin > api_key sudo maas apikey --username=secureadmin > api-key-file # make sure you can login to maas-cli without TLS # by running this script # this is for the non-tls user # this goes into a script called maas-login.sh touch maas-login.sh sudo chmod +rwx maas-login.sh ---- #!/bin/sh PROFILE=testadmin API_KEY_FILE=/home/ubuntu/api_key API_SERVER=127.0.0.1:5240 MAAS_URL=http://$API_SERVER/MAAS maas login $PROFILE $MAAS_URL - < $API_KEY_FILE ---- sudo chmod +rwx https-maas.sh # another script called https-maas.sh # for the tls user ---- #!/bin/sh PROFILE=secureadmin API_KEY_FILE=/home/ubuntu/api-key-file API_SERVER=127.0.0.1 MAAS_URL=https://$API_SERVER/MAAS maas login --insecure $PROFILE $MAAS_URL - < $API_KEY_FILE ---- # try to login ./maas-login.sh cd /etc/nginx/sites-enabled sudo touch maas-https-default #example nginx config for maas https server { listen 443 ssl http2; server_name _; ssl_certificate /home/ubuntu/localhost.crt; ssl_certificate_key /home/ubuntu/localhost.key; location / { proxy_pass http://localhost:5240; include /etc/nginx/proxy_params; } location /MAAS/ws { proxy_pass http://127.0.0.1:5240/MAAS/ws; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } # create link sudo ln -s /etc/nginx/sites-available/maas-https-default /etc/nginx/sites-enabled # look at errors cat /var/log/maas/regiond.log cat regiond.log | grep "Python-http" *i didn't see any 404's though 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/users/?op=whoami HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 13:24:48 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.1 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) 2020-12-15 14:24:46 regiond: [info] 127.0.0.1 GET /MAAS/api/2.0/describe/ HTTP/1.0 --> 200 OK (referrer: -; agent: Python-httplib2/0.9.2 (gzip)) # install fixed package sudo apt install ./python3-httplib2_0.9.2+dfsg-1ubuntu0.2.1_all.deb To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/python-httplib2/+bug/1906720/+subscriptions -- Mailing list: https://launchpad.net/~sts-sponsors Post to : [email protected] Unsubscribe : https://launchpad.net/~sts-sponsors More help : https://help.launchpad.net/ListHelp
