Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Issue removing ssl cert from application with spaces in common name #33

Open
Cryptophobia opened this issue Mar 20, 2018 · 6 comments
Open

Issue removing ssl cert from application with spaces in common name #33

Cryptophobia opened this issue Mar 20, 2018 · 6 comments
Labels
bug

Comments

@Cryptophobia
Copy link
Member

From @deis-admin on January 19, 2017 23:43

From @msull92 on September 15, 2015 18:14

I am having an issue removing an ssl certificate from an application where the certificate's common name has spaces in it. Is there a way to manually remove this using etcdctl?

Copied from original issue: deis/deis#4487

Copied from original issue: deis/controller#1225
@Cryptophobia
Copy link
Member Author

From @deis-admin on January 19, 2017 23:43

From @benwilber on September 16, 2015 0:35

@msull92 can you try replacing the spaces with %20

edit:

with etcdctl you should be able to remove /deis/certs/<common name>/cert and /deis/certs/<common name>/key

replace spaces in <common name> with %20.

This is definitely a bug that deis controller doesn't url escape keys (even though etcd itself does.) deis controller itself can't write url-escaped keys because then they'll be double-escaped by etcd.

@Cryptophobia
Copy link
Member Author

From @deis-admin on January 19, 2017 23:43

From @msull92 on September 16, 2015 14:57

I would love to do that, but it's not even showing up in etcdctl, see below:

screenshot 2015-09-16 09 56 06

Yet it still shows up with the client call.
screenshot 2015-09-16 09 55 21

@Cryptophobia
Copy link
Member Author

From @deis-admin on January 19, 2017 23:43

From @msull92 on September 16, 2015 14:57

@benwilber forgot to tag you

@Cryptophobia
Copy link
Member Author

From @deis-admin on January 19, 2017 23:43

From @carmstrong on September 16, 2015 15:9

@msull92 It looks like the certificate has been cleared from etcd (and thus shouldn't be served any longer by the router), but is still there in our database.

Do you see an error when you try to delete it? If you could also paste the logs from the controller component when you try to delete the certificate, that'd be helpful. Thanks!

@Cryptophobia
Copy link
Member Author

From @deis-admin on January 19, 2017 23:43

From @msull92 on September 16, 2015 15:44

@carmstrong

This causes the log below.
screenshot 2015-09-16 10 42 02

screenshot 2015-09-16 10 42 25

@Cryptophobia
Copy link
Member Author

From @deis-admin on January 19, 2017 23:43

From @msull92 on October 21, 2015 5:9

This has since caused an issue with restarting the controller because it tries to load in the certs from the database into etcd and fails because that cert causes an error. So others can find this later I will attach the stack trace.

Traceback (most recent call last): 
 File "./manage.py", line 13, in <module> 
   execute_from_command_line(sys.argv) 
 File "/usr/lib/python2.7/site-packages/django/core/management/__init__.py", line 399, in execute_from_command_line 
   utility.execute() 
 File "/usr/lib/python2.7/site-packages/django/core/management/__init__.py", line 392, in execute 
   self.fetch_command(subcommand).run_from_argv(self.argv) 
 File "/usr/lib/python2.7/site-packages/django/core/management/base.py", line 242, in run_from_argv  
   self.execute(*args, **options.__dict__) 
 File "/usr/lib/python2.7/site-packages/django/core/management/base.py", line 285, in execute 
   output = self.handle(*args, **options) 
 File "/app/api/management/commands/load_db_state_to_etcd.py", line 15, in handle 
   obj.save() 
 File "/app/api/models.py", line 1049, in save 
   return super(Certificate, self).save(*args, **kwargs) 
 File "/usr/lib/python2.7/site-packages/django/db/models/base.py", line 545, in save 
   force_update=force_update, update_fields=update_fields) 
 File "/usr/lib/python2.7/site-packages/django/db/models/base.py", line 582, in save_base 
   update_fields=update_fields, raw=raw, using=using) 
 File "/usr/lib/python2.7/site-packages/django/dispatch/dispatcher.py", line 185, in send 
   response = receiver(signal=self, sender=sender, **named) 
 File "/app/api/models.py", line 1166, in _etcd_publish_cert 
   _etcd_client.write('/deis/certs/{}/cert'.format(cert), cert.certificate) 
 File "/usr/lib/python2.7/site-packages/etcd/client.py", line 269, in write 
   response = self.api_execute(path, method, params=params) 
 File "/usr/lib/python2.7/site-packages/etcd/client.py", line 582, in api_execute 
   return self._handle_server_response(response) 
 File "/usr/lib/python2.7/site-packages/etcd/client.py", line 600, in _handle_server_response 
   raise etcd.EtcdException(resp) 
etcd.EtcdException

To fix this, log into the database and remove the offending cert from the api_certificate table.

Note: Not sure if it will matter, but just for completeness; I am running a stateless platform on AWS. v1.11.1

@Cryptophobia Cryptophobia mentioned this issue Mar 20, 2018
Open
duanhongyi added a commit to duanhongyi/controller that referenced this issue Nov 26, 2021
@duanhongyi
Merge pull request teamhephy#33 from jianxiaoguo/dev
b6118e4 
chore(controller): CELERY_BROKER use rabbitmq and modify celery-deplo…
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Cryptophobia