Public bug reported:

[Description]

On train and stein, with the addition of this change https://opendev.org/openstack/octavia/commit/a501714a76e04b33dfb24c4ead9956ed4696d1df (and its subsequent backport to stable releases) it is no longer possible to create listeners that use barbican secret containers, except for single secrets exported directly as pkcs12.

Before that change, any exception raised when trying to decode the PKCS12 bundle would have resulted in falling back to the legacy barbican certificate manager code, which supports secret containers [2], while with the addition of this line the exception is raised and the legacy code is no longer used as a fallback. When this exception is raised, the following error is displayed to the user:

$ openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1
The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)

In fact, I've tested creating a listener after removing the patch [0], therefore falling back to the legacy mode, and it works.
[Reproducer]

0) Deploy this bundle or similar (http://paste.ubuntu.com/p/cgbwKNZHbW/)

1) Create self-signed certificate, key and ca (http://paste.ubuntu.com/p/xyyxHZGDFR/)

2) Create the 3 certs at barbican

$ openstack secret store --name "test-pk-1" --secret-type "private" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_key.pem)"
$ openstack secret store --name "test-ca-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_ca.pem)"
$ openstack secret store --name "test-pub-1" --secret-type "certificate" --payload-content-type "text/plain" --payload="$(cat ./keys/controller_cert.pem)"

3) Create a loadbalancer

$ openstack loadbalancer create --name lb1 --vip-subnet-id private_subnet

4) Create a secrets container

$ openstack secret container create --type='certificate' --name "test-tls-1" --secret="certificate=https://10.5.0.4:9312/v1/secrets/3c9109d9-05e0-45fe-9661-087c50061c00" --secret="private_key=https://10.5.0.4:9312/v1/secrets/378e8f8c-81f5-4b5a-bffd-c0c43a41b4a8" --secret="intermediates=https://10.5.0.4:9312/v1/secrets/07a7564d-b5c6-4433-a0a9-a195e2d54c57"

5) Create the listener

$ openstack loadbalancer listener create --protocol-port 443 --protocol "TERMINATED_HTTPS" --name "test-listener" --default-tls-container="https://10.5.0.4:9312/v1/containers/68154f38-fccf-4990-b88c-86eb3cc7fe1a" -- lb1

This creation will fail with the following exception:

The PKCS12 bundle is unreadable. Please check the PKCS12 bundle validity. In addition, make sure it does not require a pass phrase. Error: [('asn1 encoding routines', 'asn1_d2i_read_bio', 'not enough data')] (HTTP 400) (Request-ID: req-8e48d0b5-3f5b-4d26-9920-72b03343596a)

[Possible solutions]

* Undo this backport on stable releases
* Fix the current master code to support secret containers and not only plain pkcs12 certs.
[0] https://review.opendev.org/#/c/683954/1/octavia/certificates/manager/barbican.py
[1] https://opendev.org/openstack/octavia/commit/a501714a76e04b33dfb24c4ead9956ed4696d1df
[2] https://github.com/openstack/octavia/blob/master/octavia/certificates/manager/barbican_legacy.py#L141

** Affects: octavia (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1866085

Title:
  Not possible to create listeners that use barbican secret containers

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/octavia/+bug/1866085/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
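The two behaviours the report contrasts (PKCS12-first lookup that falls back to the legacy container code, versus PKCS12-first lookup that surfaces the unreadable-bundle error) can be reduced to a small dispatch routine. The following is an added illustration written for this page, not Octavia's code: the barbican client is a constructed in-memory stub, the secret and container refs and PEM payloads are placeholders, and the DER check only approximates the outer-SEQUENCE framing test that OpenSSL's ASN.1 reader applies to a PKCS12 blob (an empty, truncated or PEM-text payload fails it with "not enough data"); it does not unpack or validate PKCS12 contents. The `reraise_unreadable` flag is an assumption used to switch between the pre- and post-change behaviour.

```python
"""PKCS12-first lookup with legacy container fallback (added illustration, not Octavia code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Union


class PKCS12Unreadable(Exception):
    """Stand-in for the 'PKCS12 bundle is unreadable' error shown in the report."""


@dataclass
class PKCS12Bundle:
    der: bytes  # DER-framed PFX stored as a single barbican secret


@dataclass
class ContainerCert:
    certificate: bytes  # PEM payloads resolved from a barbican 'certificate' container
    private_key: bytes
    intermediates: Optional[bytes] = None


def der_outer_length(payload: bytes) -> int:
    """Return the full length of the outer DER SEQUENCE or raise PKCS12Unreadable.

    A PKCS12 PFX starts with tag 0x30 and a definite DER length. This is only the
    header check; OpenSSL reports failures here as 'asn1_d2i_read_bio: not enough data'.
    """
    if len(payload) < 2:
        raise PKCS12Unreadable("not enough data")
    if payload[0] != 0x30:
        raise PKCS12Unreadable("outer tag is not a DER SEQUENCE (PEM text?)")
    first = payload[1]
    if first < 0x80:  # short-form length
        header, length = 2, first
    else:  # long-form: 0x8N followed by N length bytes (indefinite 0x80 is not DER)
        n = first & 0x7F
        if n == 0 or n > 4 or len(payload) < 2 + n:
            raise PKCS12Unreadable("invalid length encoding")
        header = 2 + n
        length = int.from_bytes(payload[2:header], "big")
    if len(payload) < header + length:
        raise PKCS12Unreadable("not enough data")
    return header + length


class StubBarbican:
    """Constructed stand-in for the barbican client (secret refs -> payloads, container refs -> named secret refs)."""

    def __init__(self, secrets: Dict[str, bytes], containers: Dict[str, Dict[str, str]]):
        self.secrets, self.containers = secrets, containers

    def get_secret_payload(self, ref: str) -> bytes:
        # Assumption: reading a container ref as if it were a secret yields no payload,
        # which then fails the DER check exactly like the error in the report.
        return self.secrets.get(ref, b"")

    def get_container(self, ref: str) -> Dict[str, str]:
        return self.containers[ref]


def legacy_get_cert(client: StubBarbican, container_ref: str) -> ContainerCert:
    """Container path: resolve the certificate / private_key / intermediates secret refs."""
    refs = client.get_container(container_ref)
    return ContainerCert(
        certificate=client.get_secret_payload(refs["certificate"]),
        private_key=client.get_secret_payload(refs["private_key"]),
        intermediates=client.get_secret_payload(refs["intermediates"]) if "intermediates" in refs else None,
    )


def get_cert(client: StubBarbican, ref: str, reraise_unreadable: bool) -> Union[PKCS12Bundle, ContainerCert]:
    """Try the single-secret PKCS12 path first; fall back to the container path only if allowed.

    reraise_unreadable=False models the behaviour before the change (fallback on any decode failure);
    reraise_unreadable=True models the behaviour after it (error surfaced, container never consulted).
    """
    payload = client.get_secret_payload(ref)
    try:
        der_outer_length(payload)
        return PKCS12Bundle(der=payload)
    except PKCS12Unreadable:
        if reraise_unreadable:
            raise
    return legacy_get_cert(client, ref)


# Constructed sample data: placeholder refs and payloads, not real certificates.
CERT_PEM = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
KEY_PEM = b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
CA_PEM = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA\n-----END CERTIFICATE-----\n"
GOOD_PFX = b"\x30\x82\x01\x00" + b"\x00" * 256  # SEQUENCE, long-form length 256, complete
TRUNCATED_PFX = b"\x30\x82\x01\x00" + b"\x00" * 10  # same header, body cut short
SECRET_BASE = "https://barbican.example/v1/secrets/"
CONTAINER_REF = "https://barbican.example/v1/containers/placeholder-container"
PFX_REF = SECRET_BASE + "placeholder-pfx"

CLIENT = StubBarbican(
    secrets={SECRET_BASE + "pub": CERT_PEM, SECRET_BASE + "pk": KEY_PEM,
             SECRET_BASE + "ca": CA_PEM, PFX_REF: GOOD_PFX},
    containers={CONTAINER_REF: {"certificate": SECRET_BASE + "pub",
                                "private_key": SECRET_BASE + "pk",
                                "intermediates": SECRET_BASE + "ca"}},
)


def outcome(ref: str, reraise_unreadable: bool) -> str:
    """Summarise what a listener create would get for `ref` under each behaviour."""
    try:
        result = get_cert(CLIENT, ref, reraise_unreadable)
    except PKCS12Unreadable as exc:
        return f"HTTP 400: PKCS12 bundle is unreadable ({exc})"
    return type(result).__name__


if __name__ == "__main__":
    for ref in (PFX_REF, CONTAINER_REF):
        for flag in (False, True):
            print(f"{ref.rsplit('/', 1)[1]:22s} reraise={flag!s:5s} -> {outcome(ref, flag)}")
```

Running the block shows the asymmetry the report describes: a single PKCS12 secret resolves under both behaviours, while a container ref resolves only when the unreadable-bundle error is allowed to fall through to the container path. The DER header check is also where a truncated bundle is caught, which is the "not enough data" case rather than a passphrase problem.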