mellon unable to generate cert on Jammy

Bug #2049351 reported by James Simpson
Affects        Status   Importance   Assigned to   Milestone
Apache2 Charm  New      Undecided    Unassigned

Bug Description

Deploying this charm on Jammy and configuring for mellon SAML auth, I end up in an "error" state with the following log:

2024-01-15 05:57:04 WARNING unit.apache2/0.config-changed logger.go:60 File "/var/lib/juju/agents/unit-apache2-0/charm/hooks/config-changed", line 799, in config_changed
2024-01-15 05:57:04 WARNING unit.apache2/0.config-changed logger.go:60 subprocess.check_output([
2024-01-15 05:57:04 WARNING unit.apache2/0.config-changed logger.go:60 File "/usr/lib/python3.10/subprocess.py", line 421, in check_output
2024-01-15 05:57:04 WARNING unit.apache2/0.config-changed logger.go:60 return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
2024-01-15 05:57:04 WARNING unit.apache2/0.config-changed logger.go:60 File "/usr/lib/python3.10/subprocess.py", line 526, in run
2024-01-15 05:57:04 WARNING unit.apache2/0.config-changed logger.go:60 raise CalledProcessError(retcode, process.args,
2024-01-15 05:57:04 WARNING unit.apache2/0.config-changed logger.go:60 subprocess.CalledProcessError: Command '['/usr/sbin/mellon_create_metadata', 'https://juju-controller-reports.admin.canonical.com', 'https://juju-controller-reports.admin.canonical.com/mellon']' returned non-zero exit status 1.

After some digging, this appears to be down to the openssl-req certificate generation. When running the "openssl req" line from "/usr/sbin/mellon_create_metadata", I keep getting errors regarding attempted writes to /dev/urandom:

Cannot write random bytes:
40C76683DD7F0000:error:1200007A:random number generator:RAND_write_file:Not a regular file:../crypto/rand/randfile.c:190:Filename=/dev/urandom

I did find a bug in the ssl-cert package (https://bugs.launchpad.net/ubuntu/+source/ssl-cert/+bug/1945774) with the same error message, but no applicable fix here that I could see.

I've worked around this for now by editing "/usr/sbin/mellon_create_metadata" to remove the configuration line forcing openssl to use "/dev/urandom" as the RANDFILE. I'm not sure if there's a more appropriate fix we should be trying to contribute upstream, but it may be worth us looking at patching this in the charm in the (hopefully) short term?
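The charm-side check the reporter's workaround implies, written here as an added example in the charm's own language (this is not code from the Apache2 charm or from mod_auth_mellon): it finds the RANDFILE directive in the openssl config template, drops it only when the target is an existing non-regular file such as /dev/urandom, and recognises the RAND_write_file error from the log so a hook can report the cause. The template and stderr below are constructed samples modelled on the report, not the real mellon_create_metadata script.

```python
import os
import re
import stat

# Constructed sample modelled on the openssl config template that
# mellon_create_metadata writes before running "openssl req" (assumption).
SAMPLE_TEMPLATE = """RANDFILE           = /dev/urandom
[req]
default_bits       = 2048
distinguished_name = req_distinguished_name
prompt             = no
[req_distinguished_name]
commonName         = sp.example.com
"""

# Constructed stderr in the shape OpenSSL 3 on Jammy prints for this failure.
SAMPLE_STDERR = ("Cannot write random bytes:\nerror:1200007A:random number generator:"
                 "RAND_write_file:Not a regular file:Filename=/dev/urandom\n")

RANDFILE_RE = re.compile(r"^[ \t]*RANDFILE[ \t]*=[ \t]*(?P<path>\S+)[ \t]*\n?",
                         re.MULTILINE)

def randfile_target(config_text):
    """Path named by the RANDFILE directive, or None when it is unset."""
    m = RANDFILE_RE.search(config_text)
    return m.group("path") if m else None

def is_unwritable_randfile(path):
    """True for an existing non-regular file (device, FIFO, directory), which
    OpenSSL 3's RAND_write_file rejects; a path that does not exist yet is fine."""
    try:
        return not stat.S_ISREG(os.stat(path).st_mode)
    except FileNotFoundError:
        return False

def drop_randfile(config_text):
    """Remove the RANDFILE line so OpenSSL seeds from its default source instead."""
    return RANDFILE_RE.sub("", config_text, count=1)

def harden_config(config_text, unwritable=is_unwritable_randfile):
    """Drop RANDFILE only when it would make 'openssl req' fail; a RANDFILE
    naming a regular or not-yet-existing file is left untouched."""
    target = randfile_target(config_text)
    if target is not None and unwritable(target):
        return drop_randfile(config_text)
    return config_text

def is_randfile_write_error(stderr_text):
    """Match the failure seen in the charm log instead of a bare CalledProcessError."""
    return "RAND_write_file:Not a regular file" in stderr_text
```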
