ovh/python-ovh

Error when trying to add an SSL certificate in IPLB

Ducatel opened this issue · 5 comments

Hi everybody,

I get an error when I try to add a Let's Encrypt certificate in IPLB.
Let's Encrypt (through the dehydrated project) gives me 4 files:

  • privkey.pem
  • cert.pem
  • fullchain.pem
  • chain.pem

In the following code, it fails when I try to pass the fullchain or the chain.
But it works when I don't pass the chain, and it also works when I pass fullchain or chain in the OVH API console.

import ovh

ovh_client = ovh.Client()
ip_lb_name = 'IPLB_SERVICE_NAME'  # placeholder: name of your IPLB service

with open('cert.pem', 'r') as content_file:
    certif = content_file.read()

with open('privkey.pem', 'r') as content_file:
    privatekey = content_file.read()

with open('chain.pem', 'r') as content_file:
    chain = content_file.read()

with open('fullchain.pem', 'r') as content_file:
    fullchain = content_file.read()

try:
    result = ovh_client.post('/ipLoadbalancing/{}/ssl'.format(ip_lb_name),
                             certificate=certif,
                             key=privatekey,
                             chain=chain  # passing fullchain produces the same error
                             )
except (ovh.exceptions.BadParametersError, ovh.exceptions.ResourceConflictError) as err:
    print('Impossible to add certificate. err: {}'.format(err))  # error like 'chain not valid'

So did I do something stupid, or is there a little bug here?

Have fun ;)

Hi,

Thanks for opening this issue. Can you paste the full exception and chain? I'll check.

Hi @yadutaf,

The fullchain content:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

And the error message is simply:

err: Chain is not valid

If you want to test it through the original project, I just committed it ;) https://github.com/TraceSoftwareInternational/ovh-ssl-iplb

Got it! You need to call chain.strip() on it. I'll see if we can patch the API to accept whitespace padded certificates. But I can't promise anything ;)

Hi @yadutaf,
It's working ;) I've applied the fix in my source.
Just out of curiosity, why does only the chain field give me the problem?
Do the other fields already trim the input values?

And that's fixed on the API side as well. Thanks for the feedback! Chains need special handling as there may be multiple certificates in the chain but they need to be parsed individually. Bugs like to hide in strange code paths ;)
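
The `chain.strip()` fix from this thread, generalised as an added example (not code from the issue or from python-ovh): it splits a chain into its individual PEM certificates, normalises each one, and rejoins them without padding, so the result can be passed as `chain=`. The function names and the sample chain are constructed for illustration; the check is structural only (PEM framing and base64) and does not validate X.509 contents.

```python
import base64
import re

# Matches one PEM certificate block, tolerating whitespace around the body.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

def split_pem_chain(text):
    """Return each certificate in text as a separately normalised PEM string."""
    certs = []
    for match in _PEM_CERT.finditer(text):
        body = "".join(match.group(1).split())  # drop all inner whitespace
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError("certificate body is not valid base64") from exc
        if not der:
            raise ValueError("empty certificate body")
        # Re-wrap at 64 columns, the conventional PEM line length.
        b64 = base64.b64encode(der).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        certs.append("\n".join(
            ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]))
    return certs

def normalize_chain(text):
    """Strip padding around and between certificates; fail on anything else."""
    certs = split_pem_chain(text)
    if not certs:
        raise ValueError("no PEM certificate found in chain")
    leftover = _PEM_CERT.sub("", text).strip()
    if leftover:
        raise ValueError("unexpected data outside certificate blocks")
    return "\n".join(certs)

# Constructed sample: two fake "certificates" (not real X.509) surrounded by
# the kind of whitespace padding that a plain file read leaves on the chain.
_FAKE_A = base64.b64encode(b"constructed-intermediate-A" * 4).decode()
_FAKE_B = base64.b64encode(b"constructed-root-B" * 4).decode()
SAMPLE_CHAIN = (
    "\n-----BEGIN CERTIFICATE-----\n" + _FAKE_A + "\n-----END CERTIFICATE-----\n"
    "\n-----BEGIN CERTIFICATE-----\n" + _FAKE_B + "\n-----END CERTIFICATE-----\n\n"
)

if __name__ == "__main__":
    print(normalize_chain(SAMPLE_CHAIN))
```
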