teamhephy / controller

Hephy Workflow Controller (API)
https://teamhephy.com
MIT License

Issue removing ssl cert from application with spaces in common name #33

Open Cryptophobia opened 6 years ago

Cryptophobia commented 6 years ago

From @deis-admin on January 19, 2017 23:43

From @msull92 on September 15, 2015 18:14

I am having an issue removing an ssl certificate from an application where the certificate's common name has spaces in it. Is there a way to manually remove this using etcdctl?

Copied from original issue: deis/deis#4487

Copied from original issue: deis/controller#1225

Cryptophobia commented 6 years ago

From @deis-admin on January 19, 2017 23:43

From @benwilber on September 16, 2015 0:35

@msull92 can you try replacing the spaces with %20

edit:

with etcdctl you should be able to remove /deis/certs/<common name>/cert and /deis/certs/<common name>/key

replace spaces in <common name> with %20.

This is definitely a bug that deis controller doesn't URL-escape keys (even though etcd itself does). deis controller itself can't write URL-escaped keys because then they'll be double-escaped by etcd.

Cryptophobia commented 6 years ago

From @deis-admin on January 19, 2017 23:43

From @msull92 on September 16, 2015 14:57

I would love to do that, but it's not even showing up in etcdctl, see below:

[screenshot 2015-09-16 09 56 06]

Yet it still shows up with the client call.

[screenshot 2015-09-16 09 55 21]

Cryptophobia commented 6 years ago

From @deis-admin on January 19, 2017 23:43

From @msull92 on September 16, 2015 14:57

@benwilber forgot to tag you

Cryptophobia commented 6 years ago

From @deis-admin on January 19, 2017 23:43

From @carmstrong on September 16, 2015 15:9

@msull92 It looks like the certificate has been cleared from etcd (and thus shouldn't be served any longer by the router), but is still there in our database.

Do you see an error when you try to delete it? If you could also paste the logs from the controller component when you try to delete the certificate, that'd be helpful. Thanks!

Cryptophobia commented 6 years ago

From @deis-admin on January 19, 2017 23:43

From @msull92 on September 16, 2015 15:44

@carmstrong

This causes the log below.

[screenshot 2015-09-16 10 42 02]

[screenshot 2015-09-16 10 42 25]

Cryptophobia commented 6 years ago

From @deis-admin on January 19, 2017 23:43

From @msull92 on October 21, 2015 5:9

This has since caused an issue with restarting the controller because it tries to load in the certs from the database into etcd and fails because that cert causes an error. So others can find this later, I will attach the stack trace.

Traceback (most recent call last): 
 File "./manage.py", line 13, in <module> 
   execute_from_command_line(sys.argv) 
 File "/usr/lib/python2.7/site-packages/django/core/management/__init__.py", line 399, in execute_from_command_line 
   utility.execute() 
 File "/usr/lib/python2.7/site-packages/django/core/management/__init__.py", line 392, in execute 
   self.fetch_command(subcommand).run_from_argv(self.argv) 
 File "/usr/lib/python2.7/site-packages/django/core/management/base.py", line 242, in run_from_argv  
   self.execute(*args, **options.__dict__) 
 File "/usr/lib/python2.7/site-packages/django/core/management/base.py", line 285, in execute 
   output = self.handle(*args, **options) 
 File "/app/api/management/commands/load_db_state_to_etcd.py", line 15, in handle 
   obj.save() 
 File "/app/api/models.py", line 1049, in save 
   return super(Certificate, self).save(*args, **kwargs) 
 File "/usr/lib/python2.7/site-packages/django/db/models/base.py", line 545, in save 
   force_update=force_update, update_fields=update_fields) 
 File "/usr/lib/python2.7/site-packages/django/db/models/base.py", line 582, in save_base 
   update_fields=update_fields, raw=raw, using=using) 
 File "/usr/lib/python2.7/site-packages/django/dispatch/dispatcher.py", line 185, in send 
   response = receiver(signal=self, sender=sender, **named) 
 File "/app/api/models.py", line 1166, in _etcd_publish_cert 
   _etcd_client.write('/deis/certs/{}/cert'.format(cert), cert.certificate) 
 File "/usr/lib/python2.7/site-packages/etcd/client.py", line 269, in write 
   response = self.api_execute(path, method, params=params) 
 File "/usr/lib/python2.7/site-packages/etcd/client.py", line 582, in api_execute 
   return self._handle_server_response(response) 
 File "/usr/lib/python2.7/site-packages/etcd/client.py", line 600, in _handle_server_response 
   raise etcd.EtcdException(resp) 
etcd.EtcdException 

To fix this, log into the database and remove the offending cert from the api_certificate table.

Note: Not sure if it will matter, but just for completeness; I am running a stateless platform on AWS. v1.11.1
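
The `/deis/certs/<common name>/cert` and `/key` layout and the `%20` replacement mentioned in the comments above, as an added example that is not part of the original thread or of the controller's code: it audits a list of common names for ones that cannot be used verbatim as a single key segment and builds the percent-encoded paths for them. The function names and the sample common names are constructed for illustration.

```python
from urllib.parse import quote

CERT_PREFIX = "/deis/certs"  # key prefix quoted in the thread


def is_plain_segment(common_name):
    """True when urllib's quote() leaves the name unchanged, i.e. it needs
    no percent-encoding to be used as one URL path segment."""
    return common_name != "" and quote(common_name, safe="") == common_name


def escaped_cert_keys(common_name):
    """Key paths for one certificate, with the common name percent-encoded
    as a single path segment (a space becomes %20, a slash becomes %2F)."""
    segment = quote(common_name, safe="")
    return ["{}/{}/{}".format(CERT_PREFIX, segment, leaf)
            for leaf in ("cert", "key")]


def audit_common_names(common_names):
    """Split names into those usable verbatim and those that need escaping."""
    report = {"plain": [], "needs_escaping": []}
    for name in common_names:
        bucket = "plain" if is_plain_segment(name) else "needs_escaping"
        report[bucket].append(name)
    return report


# Constructed sample data standing in for common names stored in the database.
SAMPLE_NAMES = ["www.example.com", "Example Internal CA", "a/b.example.com"]

if __name__ == "__main__":
    report = audit_common_names(SAMPLE_NAMES)
    for name in report["needs_escaping"]:
        print("common name {!r} is not a plain key segment:".format(name))
        for key in escaped_cert_keys(name):
            print("  " + key)
```

Running an audit like this over the stored common names before a restart shows which certificates would hit the failure in the traceback above.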