Error when try to add SSL certificate in IPLB #40

Closed
Ducatel opened this issue Jan 10, 2017 · 5 comments

Ducatel commented Jan 10, 2017

Hi everybody,

I get an error when I try to add a Let's Encrypt certificate in IPLB.
Let's Encrypt (through the dehydrated project) gives me 4 files:

  • privkey.pem
  • cert.pem
  • fullchain.pem
  • chain.pem

In the following code, it fails when I try to pass the fullchain or the chain.
But it works when I don't pass the chain, and it also works when I pass fullchain or chain in the OVH API console.

import ovh

ovh_client = ovh.Client()

# Read each file produced by dehydrated exactly as it is on disk
with open('cert.pem', 'r') as content_file:
    certif = content_file.read()

with open('privkey.pem', 'r') as content_file:
    privatekey = content_file.read()

with open('chain.pem', 'r') as content_file:
    chain = content_file.read()

with open('fullchain.pem', 'r') as content_file:
    fullchain = content_file.read()

try:
    # ip_lb_name: name of the IPLB service, defined elsewhere
    result = ovh_client.post('/ipLoadbalancing/{}/ssl'.format(ip_lb_name),
                             certificate=certif,
                             key=privatekey,
                             chain=chain  # or fullchain generates the same error
                             )
except (ovh.exceptions.BadParametersError, ovh.exceptions.ResourceConflictError) as err:
    print('Impossible to add certificate. err: {}'.format(err))  # error like 'chain not valid'

So did I do something stupid, or is there a little bug here?

Have fun ;)

Contributor

yadutaf commented Jan 10, 2017

Hi,

Thanks for opening this issue. Can you paste the full exception and chain? I'll check.

Author

Ducatel commented Jan 10, 2017

Hi @yadutaf,

The fullchain content


And the error message is simply:

err: Chain is not valid

If you want to test it through the original project, I just committed it ;) https://github.com/TraceSoftwareInternational/ovh-ssl-iplb

Contributor

yadutaf commented Jan 10, 2017

Got it! You need to call chain.strip() on it. I'll see if we can patch the API to accept whitespace padded certificates. But I can't promise anything ;)

Ducatel added a commit to TraceSoftwareInternational/ovh-ssl-iplb that referenced this issue Jan 11, 2017
The was impossible to add
Related to ovh/python-ovh#40
Author

Ducatel commented Jan 11, 2017

Hi @yadutaf,
It's working ;) I've carried the fix over into my source.
Just out of curiosity, why does only the chain field give me the problem?
Do the other fields already trim the input values?

Ducatel closed this as completed Jan 11, 2017

Contributor

yadutaf commented Jan 11, 2017

And that's fixed on the API side as well. Thanks for the feedback! Chains need special handling, as there may be multiple certificates in the chain but they need to be parsed individually. Bugs like to hide in strange code paths ;)
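
Added example, not part of the thread and not python-ovh code: a client-side pre-check that goes beyond `chain.strip()` by parsing each certificate of a PEM bundle individually and rebuilding the chain without padding before it is sent. The names `split_pem_chain`, `normalize_chain` and `SAMPLE_CHAIN` are hypothetical, and the sample is constructed (two tiny DER sequences, not real certificates).

```python
import base64
import re

# One PEM certificate block; \s* absorbs CRLF and padding around the body.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_chain(bundle):
    """Parse each certificate in a PEM bundle individually and return
    them as normalized PEM strings (64-column body, no stray whitespace)."""
    certs = []
    for match in _PEM_CERT.finditer(bundle):
        body = "".join(match.group(1).split())  # remove inner line breaks
        der = base64.b64decode(body, validate=True)  # ValueError if not base64
        # Structural sanity check only: an X.509 certificate is a DER SEQUENCE.
        # This does not verify signatures or the order of the chain.
        if not der or der[0] != 0x30:
            raise ValueError("PEM block is not a DER SEQUENCE")
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        certs.append(
            "-----BEGIN CERTIFICATE-----\n"
            + "\n".join(lines)
            + "\n-----END CERTIFICATE-----"
        )
    if not certs:
        raise ValueError("no certificate found in bundle")
    if _PEM_CERT.sub("", bundle).strip():
        raise ValueError("unexpected data outside the PEM blocks")
    return certs


def normalize_chain(bundle):
    """Return the bundle with no leading, trailing or inter-block padding."""
    return "\n".join(split_pem_chain(bundle))


# Constructed sample: two 5-byte DER SEQUENCEs standing in for real
# certificates, padded with the kind of whitespace a file read() returns.
SAMPLE_CHAIN = (
    "\n-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\r\n"
    "-----BEGIN CERTIFICATE-----\nMAMCAQI=\n-----END CERTIFICATE-----\n\n"
)

if __name__ == "__main__":
    print(repr(normalize_chain(SAMPLE_CHAIN)))
```

With the code from the first post, the call would pass `chain=normalize_chain(chain)`; a malformed bundle then fails locally with a `ValueError` instead of a remote "Chain is not valid".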
