Deploying this charm on Jammy and configuring for mellon SAML auth, I end up in an "error" state with the following log:
2024-01-15 05:57:04 WARNING unit.apache2/0.config-changed logger.go:60 File "/var/lib/juju/agents/unit-apache2-0/charm/hooks/config-changed", line 799, in config_changed
2024-01-15 05:57:04 WARNING unit.apache2/0.config-changed logger.go:60 subprocess.check_output([
2024-01-15 05:57:04 WARNING unit.apache2/0.config-changed logger.go:60 File "/usr/lib/python3.10/subprocess.py", line 421, in check_output
2024-01-15 05:57:04 WARNING unit.apache2/0.config-changed logger.go:60 return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
2024-01-15 05:57:04 WARNING unit.apache2/0.config-changed logger.go:60 File "/usr/lib/python3.10/subprocess.py", line 526, in run
2024-01-15 05:57:04 WARNING unit.apache2/0.config-changed logger.go:60 raise CalledProcessError(retcode, process.args,
2024-01-15 05:57:04 WARNING unit.apache2/0.config-changed logger.go:60 subprocess.CalledProcessError: Command '['/usr/sbin/mellon_create_metadata', 'https://juju-controller-reports.admin.canonical.com', 'https://juju-controller-reports.admin.canonical.com/mellon']' returned non-zero exit status 1.
After some digging, this appears to be down to the openssl-req certificate generation. When running the "openssl req" line from "/usr/sbin/mellon_create_metadata", I keep getting errors regarding attempted writes to /dev/urandom:
Cannot write random bytes:
40C76683DD7F0000:error:1200007A:random number generator:RAND_write_file:Not a regular file:../crypto/rand/randfile.c:190:Filename=/dev/urandom
I did find a bug in the ssl-cert package (https://bugs.launchpad.net/ubuntu/+source/ssl-cert/+bug/1945774) with the same error message, but no applicable fix here that I could see.
I've worked around this for now by editing "/usr/sbin/mellon_create_metadata" to remove the configuration line forcing openssl to use "/dev/urandom" as the RANDFILE. I'm not sure if there's a more appropriate fix we should be trying to contribute upstream, but it may be worth us looking at patching this in the charm in the (hopefully) short term?
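
An added example, not part of the original report and not code from the charm or from mod_auth_mellon: a repeatable form of the workaround described above, which deletes only a RANDFILE line pointing at /dev/urandom and keeps a backup of the script. The function names, the ".orig" backup suffix and the sample script contents are assumptions constructed for illustration; the report does not show the real file.

```shell
#!/bin/sh
# Matches only a config line of the form "RANDFILE = /dev/urandom".
# Any other RANDFILE value (a regular file) is left untouched.
RANDFILE_PAT='^[[:space:]]*RANDFILE[[:space:]]*=[[:space:]]*/dev/urandom[[:space:]]*$'

# make_sample FILE: writes a constructed stand-in for the script, for testing.
make_sample() {
    cat >"$1" <<'EOF'
#!/bin/sh
cat >"$TEMPLATEFILE" <<CONF
RANDFILE           = /dev/urandom
[req]
default_bits       = 2048
CONF
openssl req -utf8 -batch -config "$TEMPLATEFILE" -new -x509 -out cert.pem
EOF
}

# strip_urandom_randfile FILE
# Returns 0 if the line was removed, 1 if there was nothing to remove,
# 2 on error. Safe to run repeatedly (hypothetical helper).
strip_urandom_randfile() {
    script=$1
    [ -f "$script" ] || return 2
    grep -q "$RANDFILE_PAT" "$script" || return 1
    # Keep the unmodified script so the change can be reviewed or reverted.
    cp -p "$script" "${script}.orig" || return 2
    tmp=$(mktemp "${script}.XXXXXX") || return 2
    # cp -p first so the temp file carries the script's mode and owner;
    # the redirect below then overwrites contents without changing them.
    if cp -p "$script" "$tmp" &&
       sed -e "\#${RANDFILE_PAT}#d" "$script" >"$tmp" &&
       mv "$tmp" "$script"; then
        return 0
    fi
    rm -f "$tmp"
    return 2
}
```

Because a package upgrade can restore the original file, the check is written so it can be re-run from a hook: it returns 1 and changes nothing when the line is already gone.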