server_public_cert_pem Signature does not match CA cert after upgrade to latest master

25 views
Skip to first unread message

Thomas Maerz

unread,
May 10, 2016, 11:27:33 PM5/10/16
to Simian Discuss
I just updated to the latest master on my GAE instance and after the upgrade, the admin config page doesn't like the server_public_cert_pem that worked before.

I tried reuploading them but it doesn't work no matter what I try. I verified that the signature does match:

openssl verify -verbose -CAfile ca_crt.pem  server_public_cert.pem
server_public_cert.pem: OK

The app logs contain this:

2016-05-11 02:34:31 CRITICAL server_public_cert_pem
2016-05-11 02:34:31 ERROR server_public_cert_pem
Traceback (most recent call last):
File "/var/apps/simian/app/simian/auth/util.py", line 133, in GetCaParameters
v = getattr(settings, settings_k)
File "/var/apps/simian/app/simian/settings.py", line 382, in __getattr__
return self._Get(str(k).lower())
File "/var/apps/simian/app/simian/settings.py", line 807, in _Get
raise AttributeError(k)
AttributeError: server_public_cert_pem
2016-05-11 02:34:31 CRITICAL (ca_id = None)
2016-05-11 02:34:31 INFO NotAuthenticated exception: Traceback (most recent call last):
File "/root/appscale/AppServer/lib/webapp2-2.5.2/webapp2.py", line 570, in dispatch
return method(*args, **kwargs)
File "/var/apps/simian/app/simian/mac/munki/handlers/auth.py", line 74, in post
auth1 = self.GetAuth1Instance(ca_id=ca_id)
File "/var/apps/simian/app/simian/mac/munki/handlers/auth.py", line 45, in GetAuth1Instance
raise base.NotAuthenticated('CaParametersError')
NotAuthenticated

Thomas Maerz

unread,
May 10, 2016, 11:51:56 PM5/10/16
to Simian Discuss
Update: I just redeployed the version I had before from a backup folder and it likes the same certs now. I looked through the commits and I see several changes to the certificate code in base.py and some tlslite changes: https://github.com/google/simian/commit/70409ec60b6ead258e24579f32ba0de84a3ec13c and https://github.com/google/simian/commit/5e404c1b5271abf0e7a833ebaa4acc795519550e

Is it possible that one these changes might be causing this?

Maxim Ermilov

unread,
May 11, 2016, 3:07:17 PM5/11/16
to simian-...@googlegroups.com
> Is it possible that one these changes might be causing this?

yes. I just pushed fix for it.
Can you try version from trunk?

Thanks,
Maxim

--
You received this message because you are subscribed to the Google Groups "Simian Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to simian-discus...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Thomas Maerz

unread,
May 12, 2016, 3:10:03 PM5/12/16
to Simian Discuss
I just built the latest trunk and pushed it to GAE and it likes all 3 certs now.
Reply all
Reply to author
Forward
0 new messages