juju-deployer failed on SSL3_READ_BYTES

I also hit this today:

2016-11-24 04:21:45 [DEBUG] deployer.import: Getting charms...
2016-11-24 04:21:45 [DEBUG] deployer.deploy: Resolving configuration
2016-11-24 04:21:45 [DEBUG] deployer.env: Connecting to environment...
Traceback (most recent call last):
  File "/usr/bin/juju-deployer", line 9, in <module>
    load_entry_point('juju-deployer==0.6.4', 'console_scripts', 'juju-deployer')()
  File "/usr/lib/python2.7/dist-packages/deployer/cli.py", line 135, in main
    run()
  File "/usr/lib/python2.7/dist-packages/deployer/cli.py", line 234, in run
    importer.Importer(env, deployment, options).run()
  File "/usr/lib/python2.7/dist-packages/deployer/action/importer.py", line 298, in run
    self.env.connect()
  File "/usr/lib/python2.7/dist-packages/deployer/env/go.py", line 65, in connect
    self.client = EnvironmentClient.connect(self.name)
  File "/usr/lib/python2.7/dist-packages/jujuclient.py", line 534, in connect
    return Connector().run(cls, env_name)
  File "/usr/lib/python2.7/dist-packages/jujuclient.py", line 142, in run
    cert_path, data.get('environ-uuid'))
  File "/usr/lib/python2.7/dist-packages/jujuclient.py", line 150, in connect_env
    env = cls(endpoint, name=name, ca_cert=cert_path, env_uuid=env_uuid)
  File "/usr/lib/python2.7/dist-packages/jujuclient.py", line 522, in __init__
    self.conn = Connector.connect_socket(endpoint, self._ca_cert)
  File "/usr/lib/python2.7/dist-packages/jujuclient.py", line 162, in connect_socket
    endpoint, origin=endpoint, sslopt=sslopt)
  File "/usr/lib/python2.7/dist-packages/websocket/_core.py", line 219, in create_connection
    websock.connect(url, **options)
  File "/usr/lib/python2.7/dist-packages/websocket/_core.py", line 463, in connect
    self.sock = ssl.wrap_socket(self.sock, **sslopt)
  File "/usr/lib/python2.7/ssl.py", line 487, in wrap_socket
    ciphers=ciphers)
  File "/usr/lib/python2.7/ssl.py", line 243, in __init__
    self.do_handshake()
  File "/usr/lib/python2.7/ssl.py", line 405, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [Errno 1] _ssl.c:510: error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
2016-11-24 04:21:45 [ERROR] Juju Status: environment: lmicintegrationxenial
machines:
  "0":
    agent-state: started
    agent-version: 1.25.8
    dns-name: 10.5.0.40
    instance-id: d80bea08-1f24-4cce-925e-1cf68e1afd39
    instance-state: ACTIVE
    series: xenial
    hardware: arch=amd64 cpu-cores=2 mem=4096M root-disk=40960M availability-zone=nova
    state-server-member-status: has-vote
services: {}

$ dpkg -l |grep juju
ii juju 1.25.6-0ubuntu1.14.04.1 all next generation service orchestration system
ii juju-core 1.25.6-0ubuntu1.14.04.1 amd64 Juju is devops distilled - client
ii juju-deployer 0.6.4-0ubuntu1~trusty1 all Deploy complex stacks of services using Juju
ii juju-local 1.25.6-0ubuntu1.14.04.1 all dependency package for the Juju local provider
ii juju-mongodb 2.4.9-0ubuntu3 ...

"juju" project track Juju 2.x concerns.

This issue is specific to Juju 1.x. I've re-targeted to "juju-core" project which tracks Juju 1.x.

If the goal is to make deployer work with tls 1.2, then this bug is a duplicate of bug 1443704 reported years ago in trusty. Trusty's python is too old. Deployer works fine on Xenial and yackkety which have newer versions of python.

@anastasia

It's not entirely that cut and dry. Bundletester and Amulet (the charm test tools) use juju-deployer under the hood, even for Juju 2.x. Given that, I believe this issue effectively blocks Trusty users from testing charms with both Juju 1 and Juju 2.

Hello.

I'm using juju-deployer from mojo-maintaners ppa, which works fine, on trusty:

$ apt-cache policy juju-deployer
juju-deployer:
  Installed: 0.9.2~bzr203~60~ubuntu14.04.1
  Candidate: 0.9.2~bzr203~60~ubuntu14.04.1
  Version table:
 *** 0.9.2~bzr203~60~ubuntu14.04.1 0
        500 http://ppa.launchpad.net/mojo-maintainers/ppa/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status
     0.6.4~bzr168~49~ubuntu14.04.1 0
        500 http://ppa.launchpad.net/juju/stable/ubuntu/ trusty/main amd64 Packages
     0.3.6-0ubuntu2 0
        500 http://archive.ubuntu.com/ubuntu/ trusty/universe amd64 Packages

However, amulet tests (for openstack charms) fail as they seem to use pip-installed juju deployer, which won't play nice with newer juju.

For security concerns we've removed TLS 1.0 support from Juju in the 1.25 release cycle. The default python 2.7 in Trusty does not support TLS 1.2. You need to update Python in order to have this work correctly on Trusty.

We're working with the upstream team to get this addressed.

https://bugs.launchpad.net/ubuntu/+source/python2.7/+bug/1443704

Ouch. Wonderful timing. Is there recommended workaround or fix currently?

There is a fix for xenial and yakkety in 1644153 (the fix for trusty is more complicated as previously mentioned)

This looks like it's being caused by mojo, as found by wgrant:

http://bazaar.launchpad.net/~mojo-maintainers/mojo/trunk/view/357.2.2/mojo/phase.py#L532
http://bazaar.launchpad.net/~mojo-maintainers/mojo/trunk/view/357.2.2/mojo/phase.py#L654

The workaround mentioned in comment #5 works for me as well