From 86bb28d59bf5bf2c9cea4a4ce05ef0d04dce59b6 Mon Sep 17 00:00:00 2001 From: Tilman Baumann Date: Wed, 14 Sep 2022 18:13:21 +0100 Subject: [PATCH 1/2] Do not try to sign certificates for None if ip not resolved Fixes https://github.com/juju/charm-helpers/issues/732 --- charmhelpers/contrib/openstack/cert_utils.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charmhelpers/contrib/openstack/cert_utils.py b/charmhelpers/contrib/openstack/cert_utils.py index 5c961c589..af6248e3d 100644 --- a/charmhelpers/contrib/openstack/cert_utils.py +++ b/charmhelpers/contrib/openstack/cert_utils.py @@ -90,7 +90,7 @@ def add_hostname_cn(self): if vip: addresses.append(vip) self.hostname_entry = { - 'cn': get_hostname(ip), + 'cn': get_hostname(ip) or ip, 'addresses': addresses} def add_hostname_cn_ip(self, addresses): From 51ff29e6fb3ca3a6f72f247f5706582a971951a0 Mon Sep 17 00:00:00 2001 From: Tilman Baumann Date: Tue, 29 Nov 2022 14:28:40 +0100 Subject: [PATCH 2/2] Fallback to fqdn vs IP and don't fail on ipv6 addresses Filling in local hostname if a local IP can't be resolved seems like a better fallback. Revisiting 4231a52c8c3f0c0c50a5e05592006f6480c72ec6 Also ignoring errors when trying to look up a IPv6 address in a IPv4 subnet which will not work. Referring to https://github.com/juju/charm-helpers/issues/732 --- charmhelpers/contrib/openstack/cert_utils.py | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/charmhelpers/contrib/openstack/cert_utils.py b/charmhelpers/contrib/openstack/cert_utils.py index af6248e3d..ddec008ea 100644 --- a/charmhelpers/contrib/openstack/cert_utils.py +++ b/charmhelpers/contrib/openstack/cert_utils.py @@ -16,6 +16,7 @@ import os import json +import socket from base64 import b64decode from charmhelpers.contrib.network.ip import ( 
@@ -86,11 +87,14 @@ def add_hostname_cn(self): # If a vip is being used without os-hostname config or # network spaces then we need to ensure the local units # cert has the appropriate vip in the SAN list - vip = get_vip_in_network(resolve_network_cidr(ip)) + try: + vip = get_vip_in_network(resolve_network_cidr(ip)) + except: + vip = None if vip: addresses.append(vip) self.hostname_entry = { - 'cn': get_hostname(ip) or ip, + 'cn': get_hostname(ip) or socket.getfqdn(), 'addresses': addresses} def add_hostname_cn_ip(self, addresses): @@ -156,7 +160,10 @@ def get_certificate_request(json_encode=True, bindings=None): net_addr = None ip = network_get_primary_address(binding) addresses = [net_addr, ip] - vip = get_vip_in_network(resolve_network_cidr(ip)) + try: + vip = get_vip_in_network(resolve_network_cidr(ip)) + except: + vip = None if vip: addresses.append(vip) @@ -217,7 +224,10 @@ def get_certificate_sans(bindings=None): net_addr = None ip = get_relation_ip(binding, cidr_network=net_config) _sans = _sans + [net_addr, ip] - vip = get_vip_in_network(resolve_network_cidr(ip)) + try: + vip = get_vip_in_network(resolve_network_cidr(ip)) + except: + vip = None if vip: _sans.append(vip) # Clear any Nones and duplicates
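Review bot: The bare `except:` wrapped around `get_vip_in_network(resolve_network_cidr(ip))` in add_hostname_cn, and repeated in the get_certificate_request and get_certificate_sans hunks, catches everything (including SystemExit and KeyboardInterrupt) and silently drops the VIP from the SAN list on any failure, not only the IPv6-in-IPv4-subnet case the commit message describes; a certificate issued without its VIP then fails TLS verification later with no trace of why. Narrow it to the exception the network lookup actually raises (at minimum `except Exception as e:`) and record the skipped lookup through the hookenv `log` helper, importing it if the module does not already, e.g. `except Exception as e:` / `    log("VIP lookup skipped for %s: %s" % (ip, e), level=WARNING)` / `    vip = None`. The `socket.getfqdn()` fallback for `'cn'` can return a name that has no relation to `ip` (it may be a loopback name), so the CN may no longer match any entry in `addresses`; if the fallback is kept, the name it yields should also be added to the SAN list or the fallback restricted to the unit's configured hostname. add_hostname_cn's body begins above the hunk, and the same applies to the other two functions.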