
curl on deployment-prep Buster hosts does not trust Puppet CA
Closed, Resolved · Public

Description

deployment-etcd02 uses Puppet certs to provide etcd over https. curl can use it on Jessie hosts but not on Buster, and wget works just fine on Stretch:

taavi@deployment-mediawiki10:~$ curl-config --ca

taavi@deployment-mediawiki10:~$ curl https://deployment-etcd02.deployment-prep.eqiad1.wikimedia.cloud:2379
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
taavi@deployment-mediawiki10:~$ wget https://deployment-etcd02.deployment-prep.eqiad1.wikimedia.cloud:2379
--2021-03-29 09:12:18--  https://deployment-etcd02.deployment-prep.eqiad1.wikimedia.cloud:2379/
Resolving deployment-etcd02.deployment-prep.eqiad1.wikimedia.cloud (deployment-etcd02.deployment-prep.eqiad1.wikimedia.cloud)... 172.16.1.253
Connecting to deployment-etcd02.deployment-prep.eqiad1.wikimedia.cloud (deployment-etcd02.deployment-prep.eqiad1.wikimedia.cloud)|172.16.1.253|:2379... connected.
HTTP request sent, awaiting response... 404 Not Found
2021-03-29 09:12:18 ERROR 404: Not Found.

taavi@deployment-mediawiki-07:~$ curl-config --ca
/etc/ssl/certs/ca-certificates.crt
taavi@deployment-mediawiki-07:~$ curl https://deployment-etcd02.deployment-prep.eqiad1.wikimedia.cloud:2379
404 page not found

deployment-mediawiki-07 is on Stretch, while 10 is on Buster. The issue is also present on other Buster hosts.

On both OSes, /etc/ssl/certs/ca-certificates.crt and /etc/ssl/certs/ca-certificates.crt contain the CA. strace shows that Buster does not read any CA files:

taavi@deployment-mediawiki10:~$ strace curl https://deployment-etcd02.deployment-prep.eqiad1.wikimedia.cloud:2379 |& grep open | grep ssl
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libssl.so.1.1", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib/ssl/openssl.cnf", O_RDONLY) = 3
openat(AT_FDCWD, "/usr/lib/ssl/openssl.cnf", O_RDONLY) = 4

taavi@deployment-mediawiki-07:~$ strace curl https://deployment-etcd02.deployment-prep.eqiad1.wikimedia.cloud:2379 |& grep open | grep ssl
open("/usr/lib/x86_64-linux-gnu/libssl.so.1.0.2", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib/ssl/openssl.cnf", O_RDONLY) = 3
open("/etc/ssl/certs/ca-certificates.crt", O_RDONLY) = 4

Event Timeline

taavi claimed this task.

Yep, it was, thanks! The following one-liner solved it:

taavi@deployment-mediawiki11:~$ sudo ln -s /usr/local/share/ca-certificates/Puppet_Internal_CA.crt /etc/ssl/certs/$(openssl x509 -noout -hash -in /usr/local/share/ca-certificates/Puppet_Internal_CA.crt).0 && sudo update-ca-certificates

It would be nice to document this someplace so that the next time someone runs into the issue they have a hope of finding the answer on wikitech instead of opening another task. But I don't know where that someplace is...
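To make the diagnosis from the description and the one-liner from the fix reproducible, here is an added shell example (not part of the task, nor of Wikimedia's Puppet code): it reports whether curl was built with a CA bundle path, creates the OpenSSL hashed symlink for a CA file in a cert directory the way the one-liner does (bumping the suffix on a hash collision instead of always using .0), and checks with openssl verify -CApath that the directory alone is enough. Certificate and directory paths are assumptions passed in as arguments.

```shell
#!/bin/sh
# A curl built without a CA bundle path (curl-config --ca prints nothing) only
# sees CAs via OpenSSL's hashed cert directory, so a CA that exists solely in
# ca-certificates.crt is invisible to it. These helpers reproduce the fix.
set -eu

# 0 when curl carries a bundle path, 1 when it relies on the hashed dir only.
curl_has_bundle() {
    bundle=$(curl-config --ca 2>/dev/null || true)
    [ -n "$bundle" ]
}

# True for regular files and for symlinks, dangling ones included.
exists() { [ -e "$1" ] || [ -L "$1" ]; }

# Print the name (e.g. 3a9b1c2d.0) the CA needs in the hashed directory.
# The suffix counts up while a different cert already occupies the name.
hashed_name_for() {
    cert=$1; certdir=$2
    hash=$(openssl x509 -noout -hash -in "$cert")
    want=$(openssl x509 -noout -fingerprint -sha256 -in "$cert")
    n=0
    while exists "$certdir/$hash.$n"; do
        have=$(openssl x509 -noout -fingerprint -sha256 -in "$certdir/$hash.$n" 2>/dev/null || true)
        [ "$have" = "$want" ] && break   # same CA already linked: reuse it
        n=$((n + 1))
    done
    echo "$hash.$n"
}

# Create the hashed symlink so -CApath lookups (and curl without a bundle)
# find the CA. Idempotent: an existing link to the same cert is left alone.
install_ca_link() {
    cert=$1; certdir=$2
    name=$(hashed_name_for "$cert" "$certdir")
    exists "$certdir/$name" || ln -s "$cert" "$certdir/$name"
    echo "$certdir/$name"
}

# 0 when the hashed directory alone verifies the given certificate, which is
# exactly the lookup curl performs on the affected Buster hosts.
verify_via_capath() {
    leaf=$1; certdir=$2
    openssl verify -no-CAfile -CApath "$certdir" "$leaf" >/dev/null 2>&1
}
```

Run install_ca_link against the CA and /etc/ssl/certs with sudo, then update-ca-certificates as in the one-liner; verify_via_capath tells you beforehand whether the link is actually missing.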