OSError: [Errno 21 No such file or directory: '/var/lib/haproxy/selfsigned.key"

Bug #1991119 reported by Peter De Sousa
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
charm-haproxy
New
Undecided
Unassigned

Bug Description

Hello,

subtitle: Adding manual machines with DNS breaks selfsigned certificate generation

[Description]

When deploying haproxy on a manual machine with DNS, e.g juju add-machine ssh:<email address hidden>, the juju public address is configured as host.subdomain.domain.

This causes an error with haproxy, where if SELFSIGNED is enabled in the ssl_cert configuration, HA proxy will put the public-address into the IP config:

/var/lib/juju/unit-haproxy-0/charm/data/openssl.cnf:
... rest of openssl config....

[alt_names]

IP.1 =SENV::OPENSSL_PUBLIC -> host.subdomain.domain
IP.2 -SENV::OPENSSL_PRIVATE -> internal IP (e.g. 10.0.0.1)

The result is that the config-changed hook of haproxy fails:

139709383779456: error: 22098880:X509 V3 routines:X509V3_EXT_nconf:error bjectAltName, value-@alt_names Traceback (most recent call last):

File "./hooks/config-changed", line 1540, in <module>

main (hook_name) File "./hooks/config-changed", line 1495, in main

config_changed() File "./hooks/config-changed", line 1024, in config_changed

notify_reverseproxy() File "/hooks/config-changed", line 1089, in _notify_reverseproxy

ssl_cert base64.b64encode(get_selfsigned_cert()[0])

File/hooks/config-changed", line 1298, in get_selfsigned_cert

gen_selfsigned_cert (cert_file, key_file) File ./hooks/config-changed", line 1409, in gen selfsigned_cert

os.chown (key_file, uid, -1)

OSError: [Errno 21 No such file or directory: '/var/lib/haproxy/selfsigned.key"

[Reproducer]

1. Create a new model in juju
2. Add a manual machine with DNS, e.g. juju add-machine ssh:<email address hidden>
3. Deploy haproxy with a backend application, and the SELFSIGNED configuration enabled.

[Workaround]

Edit the /var/lib/juju/agents/unit-haproxy-0/charm/data/openssl.cnf file on all affected units, changing the alternate names for DNS.1, and update the IP entry to reflect this change e.g.:

[alt_names]

DNS.1 =SENV::OPENSSL_PUBLIC -> host.subdomain.domain
IP.1 -SENV::OPENSSL_PRIVATE -> internal IP (e.g. 10.0.0.1)

Thanks,
Peter

Peter De Sousa (pjds)
description: updated
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.