TEST CASE:
1. Use Bionic series lxc container
2. Enable proposed repo in /etc/apt/sources.list
3. deb http://archive.ubuntu.com/ubuntu bionic-proposed main universe
4. sudo apt-get update
5. apt-get install python-etcd3gw=0.2.1-1ubuntu0.18.04.1
6. openssl req -x509 -keyout localhost.key -newkey rsa:4096 -nodes -sha256 -out localhost.crt
7. ./etcd --name infra0 --data-dir infra0 --cert-file=/root/python-etcd3gw-0.2.1/localhost.crt --key-file=/root/python-etcd3gw-0.2.1/localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
8. apt-get install etcd-client
9. etcdctl --endpoints https://127.0.0.1:2379 --ca-file=localhost.crt --cert-file=localhost.crt --key-file=localhost.key member list
10. response - 8e9e05c52164694d: name=infra0 peerURLs=http://localhost:2380 clientURLs=https://127.0.0.1:2379 isLeader=true
11. extra testing - attempt to connect without certs gives
    Error: client: etcd cluster is unavailable or misconfigured; error #0: dial tcp 127.0.0.1:4001: connect: connection refused ; error #1: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02"
12. etcdctl --endpoints https://127.0.0.1:2379 --ca-file=localhost.crt --cert-file=localhost.crt --key-file=localhost.key set foo bar
13. etcdctl --endpoints https://127.0.0.1:2379 --ca-file=localhost.crt --cert-file=localhost.crt --key-file=localhost.key get foo
    response = bar

VERIFICATION DONE
you can connect to the etcd server with certificate information provided
8e9e05c52164694d: name=infra0 peerURLs=http://localhost:2380 clientURLs=https://127.0.0.1:2379 isLeader=true

Troubleshooting
1. if you have this error
   140647060033984:error:2406F079:random number generator:RAND_load_file:Cannot open file:../crypto/rand/randfile.c:88:Filename=/root/.rnd
   # comment out the RANDFILE at the top of /etc/ssl/openssl.cnf
   RANDFILE = $ENV::HOME/.rnd
2. If you have this error
   client: etcd cluster is unavailable or misconfigured; error #0: x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs
   # under /etc/ssl/openssl.cnf add your IP for your cert
   [ v3_ca ]
   subjectAltName = IP:127.0.0.1
   # also note, you can update ca-certificates
   cp localhost.crt /usr/share/ca-certificates/
   sudo update-ca-certificates
   sudo dpkg-reconfigure ca-certificates
3. Try rebooting openssl service after making changes or container
4. make sure etcd is running
   Error: client: etcd cluster is unavailable or misconfigured; error #0: dial tcp 127.0.0.1:2379: connect: connection refused
   error #0: dial tcp 127.0.0.1:2379: connect: connection refused

--
https://bugs.launchpad.net/bugs/1820083
Title: TLS params not set for session
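
The IP SAN fix from troubleshooting item 2, as an added example that is not part of the original bug comment: it puts subjectAltName in a per-certificate config file instead of editing /etc/ssl/openssl.cnf, then checks that the issued certificate really carries the IP. The helper names make_cert and has_ip_san, the san.cnf file, CN = localhost, the 30-day validity and the optional key-size argument are assumptions; the key and certificate file names follow the test case.

```shell
#!/bin/sh
# Added example (not from the bug report). make_cert, has_ip_san and san.cnf
# are hypothetical names; localhost.key / localhost.crt match the test case.

# make_cert DIR IP [BITS]
# Write DIR/localhost.key and DIR/localhost.crt: a self-signed certificate
# whose subjectAltName lists IP, so clients that connect by IP can validate it.
make_cert() {
    dir=$1
    ip=$2
    bits=${3:-4096}   # rsa:4096 as in step 6 unless overridden
    cat > "$dir/san.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = localhost
[ v3_ca ]
subjectAltName = IP:$ip
EOF
    # 2>/dev/null only hides key-generation progress; the exit status is kept.
    openssl req -x509 -config "$dir/san.cnf" -newkey "rsa:$bits" -nodes \
        -sha256 -days 30 -keyout "$dir/localhost.key" \
        -out "$dir/localhost.crt" 2>/dev/null
}

# has_ip_san CRT IP
# Succeed only if CRT has IP as an exact "IP Address" SAN entry. A certificate
# that fails this check is the one that produces the "doesn't contain any
# IP SANs" error when used for https://IP:2379.
has_ip_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed 's/^ *//' |
        grep -Fxq "IP Address:$2"
}

# Stand-alone use: sh script.sh DIR IP [BITS]
if [ "$#" -ge 2 ]; then
    make_cert "$@" && has_ip_san "$1/localhost.crt" "$2" &&
        echo "localhost.crt carries IP SAN $2"
fi
```

Running has_ip_san against the certificate from step 6 before starting etcd shows whether the SAN is missing without having to read the etcdctl error.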
