juju debug-log is broken
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
juju-core | Fix Released | Critical | Wayne Witzel III | |
Bug Description
A recent commit 7fc118f015d8480
return &tls.Config{
RootCAs: cert,
+ ServerName: "juju-rsyslog",
}, nil
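Review bot: The added `ServerName: "juju-rsyslog"` line makes the client verify the server certificate against that fixed name rather than the address it dialed, so any state server whose certificate does not list `juju-rsyslog` is rejected, which matches the x509 error reported below. The name should be added to the SANs where the server certificate is generated, and certificates already deployed regenerated, before the client pins it.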
Trouble is, it breaks rsyslog on worker nodes, and hence debug-log is broken, because rsyslog cannot connect back to the state server:
e.g., on an EC2 deployment:
2014-11-03 02:56:34 ERROR juju.worker runner.go:219 exited "rsyslog": x509: certificate is valid for ip-10-46-
Removing the ServerName fixed everything up again. But the change says that:
// composeTLS generates a new client certificate for connecting to the rsyslog server.
// We explicitly set the ServerName field, this ensures that even if we are connecting
// via an IP address and are using an old certificate (pre 1.20.9), we can still
// successfully connect.
So it seems by removing the ServerName, rsyslog to old state servers will break? Either way, it's broken and needs to be fixed.
Changed in juju-core: status: Triaged → Fix Committed
Changed in juju-core: status: Fix Committed → Fix Released
Looking into this now. I think it is just a matter of explicitly generating the server cert with an explicit wildcard cert.