Sorry, I should have added my notes here sooner.

pull-lp-source python-etcd3gw focal
replaced client.py and base.py
ran `pytest` --- include screenshot
pulled down source code to run unit tests; the tests include the fix and it passes.

correct order for patches
=====
0001_reproducible-build.patch
0001-When-gateway-sends-failure-response-include-text-in-.patch
0001-Include-resp.text-as-detail-in-all-etcd-exceptions.patch
0001-Fix-exception-signature.patch

Testing output method: TLS params test
*This applies to both LPs
----
There are two test workflows to follow.
- testing the patch with self-signed certs and an etcd server running locally
- running newly created unit tests for TLS params
-----

# Create self-signed certs
openssl req -x509 -out localhost.crt -keyout localhost.key -newkey rsa:4096 -nodes -sha256
*make sure the key has an empty password

# download binaries & launch etcd locally with TLS enabled
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -zxvf etcd-v3.3.13-linux-amd64.tar.gz
cd etcd-v3.3.13-linux-amd64/
sudo cp etcd etcdctl /usr/bin/

# spin up etcd server
etcd --name infra0 --data-dir infra0 --cert-file=localhost.crt --key-file=localhost.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379
*note I named my directory infra0

# test connection with health endpoint:
curl --cacert localhost.crt --key localhost.key --cert localhost.crt https://127.0.0.1:2379/health
# if successful, the etcd server is configured with https
{"health": "true"}

View test changes inside of ~/python-etcd3gw-0.2.1/etcd3gw/tests/test_client.py

Run the newly added unit test, or run the whole test suite with:
python3 -m unittest
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls

We get an error in both the unit test and an error from the etcd server.

unit test error we are looking for:
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]

related etcd error:
I | embed: rejected connection from "127.0.0.1:44244" (error "remote error: tls: bad certificate", ServerName "")

If you are testing with the added unit test, then make sure there is no etcd server running already.

Unit test console output:
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls

    def test_client_tls(self):
        client = Etcd3Client(host="localhost", protocol="https", ca_cert="~/localhost.crt", cert_key="~/localhost.key", cert_cert="~/user.crt", timeout=10)
        response = client.get("/health")
        print(response)

/home/.local/lib/python3.8/site-packages/urllib3/connection.py:455: SubjectAltNameWarning: Certificate for 127.0.0.1 has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/urllib3/urllib3/issues/497 for details.)
  warnings.warn(
127.0.0.1 - - [25/Feb/2021 16:43:48] "GET /health HTTP/1.1" 200 -
.
----------------------------------------------------------------------
Ran 1 test in 0.107s

OK

    def test_client_tls(self):
        client = Etcd3Client(host="localhost", protocol="https", ca_cert="/root/localhost.crt", cert_key="/root/localhost.key", cert_cert="/root/localhost.crt", timeout=10)
        client.get("random_key")

in a separate terminal
sudo dpkg-reconfigure ca-certificates
sudo update-ca-certificates
etcdctl --endpoints https://localhost:2379 --cacert=/home/localhost.crt --cert=/home/localhost.crt --key=/home/localhost.key member list
8e9e05c52164694d, started, infra0, http://localhost:2380, https://127.0.0.1:2379, false

# put
etcdctl --endpoints https://localhost:2379 --cacert=/home/localhost.crt --cert=/home/heather/localhost.crt --key=/home/localhost.key put foo -- bar
etcdctl put -- foo2 bar2
etcdctl get foo2

----
more testing from lxc bionic

in bionic lxc container
lxc exec bionic bash
pull-lp-source python-etcd3gw bionic
wget https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz
tar -xvf etcd-v3.3.13-linux-amd64.tar.gz
openssl req -x509 -out server.crt -keyout server.key -newkey rsa:4096 -nodes -sha256
./etcd-v3.3.13-linux-amd64/etcd --name infra0 --data-dir infra0 --cert-file=server.crt --key-file=server.key --advertise-client-urls=https://127.0.0.1:2379 --listen-client-urls=https://127.0.0.1:2379

# hit health endpoint
curl --cacert server.crt --key server.key --cert server.crt https://127.0.0.1:2379/health

execute commands: extra verification from github source code
python3 setup.py build
python3 setup.py install
cd ~/githubsource-pythonetcd3gw/etcd3-gateway/etcd3gw/tests
python3 -m unittest test_client.TestEtcd3Gateway.test_client_tls
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)

I'll clean this up and post more soon.
Thanks,
Heather Lemon

** Bug watch added: github.com/urllib3/urllib3/issues #497
   https://github.com/urllib3/urllib3/issues/497

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1900617

Title:
  gateway error detail is not passed along in raised exception
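The test notes above hinge on three things a self-signed setup gets wrong easily: the server certificate must carry a subjectAltName (the urllib3 warning in the console output), the client must trust exactly that certificate as its CA (otherwise "certificate verify failed" on the client and "tls: bad certificate" on etcd), and the client key must belong to the client certificate. The script below is an added example, not part of the bug report or of python-etcd3gw; it generates a SAN-bearing self-signed cert with openssl and checks those three conditions offline with openssl alone, so it can be run before pointing Etcd3Client at a server. It assumes OpenSSL 1.1.1 or newer (for `-addext`) and writes into a temporary directory; the names "server" and "other" are constructed.

```shell
#!/bin/sh
# Added example (assumption: OpenSSL >= 1.1.1 for -addext). Not from the bug report.
set -u

# Working directory for generated material; override with WORKDIR=... if desired.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_cert NAME: self-signed cert + unencrypted key for localhost, with a
# subjectAltName covering DNS:localhost and IP:127.0.0.1 so clients that refuse
# to fall back to commonName (urllib3's warning above) still match the host.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=localhost" \
        -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# verify_cert CA CERT: 0 if CERT chains to CA, non-zero otherwise. Passing a CA
# that did not sign CERT reproduces the "certificate verify failed" case.
verify_cert() {
    openssl verify -CAfile "$WORKDIR/$1.crt" "$WORKDIR/$2.crt" >/dev/null 2>&1
}

# has_san NAME: 0 if the cert carries a Subject Alternative Name extension.
has_san() {
    openssl x509 -in "$WORKDIR/$1.crt" -noout -text 2>/dev/null \
        | grep -q "Subject Alternative Name"
}

# key_matches_cert CERTNAME KEYNAME: 0 if the key's public half equals the
# public key in the cert, i.e. cert_cert/cert_key form a usable client pair.
key_matches_cert() {
    c=$(openssl x509 -in "$WORKDIR/$1.crt" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$WORKDIR/$2.key" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Demo run with constructed names: "server" is the cert etcd would serve,
# "other" is an unrelated self-signed cert standing in for a wrong ca_cert.
make_cert server && make_cert other
if has_san server; then echo "server.crt has a subjectAltName"; fi
if verify_cert server server; then echo "server.crt verifies against itself as CA"; fi
if verify_cert other server; then echo "unexpected: verified against wrong CA"; \
else echo "server.crt rejected with other.crt as CA (certificate verify failed)"; fi
if key_matches_cert server server; then echo "server.key belongs to server.crt"; fi
```

Run it as `sh tls_check.sh`; the generated `server.crt`/`server.key` pair can then be handed to `etcd --cert-file/--key-file` and to `Etcd3Client(ca_cert=..., cert_cert=..., cert_key=...)` as in the test above, with the `ca_cert` pointing at the same `server.crt` the server presents.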