tewardwgrant: yeah, it helps if the system gave an OOPS ID - it got a red "Sorry, there was a timeout try again" message, no OOPS ID00:50
tewardlooked like it resolved itself though00:50
EvgenyHello! Anyone here to ask about the Launchpad OpenID authentication?00:55
Evgenyhad something changed in the OpenID setup on login.launchpad.net?00:56
wgrantEvgeny: That's not technically part of Launchpad, but I may be able to help. What's the problem?01:02
wgrantNothing has changed recently.01:02
Evgenywgrant: Thank you, we have LP openid authentication incorporated into ask.openstack.org01:03
Evgenywgrant: which worked in the past, now we are getting "DiscoveryFailure" exception from the python openid library.01:04
Evgenyopenid https://login.ubuntu.com/ works01:04
wgrantEvgeny: Ah, the certificate was changed a week ago.01:04
Evgenywgrant: thanks, what does this mean to the admin of the site providing login via LP?01:05
wgrantEvgeny: Nothing at all if you are using any normal client.01:05
wgrantWhen did you first observe the breakage?01:06
Evgenywgrant: I'd think this week01:06
Evgenywgrant: rather within past week01:06
Evgenywgrant: which certificate changed?01:07
wgrantEvgeny: Have you contacted StackExchange about this?01:07
Evgenywgrant: ssl?01:07
wgrantSSL, yes.01:07
Evgenywgrant: no, I haven't. Ok, I'll see where this info leads.01:08
wgrantThe certificate configuration of login.ubuntu.com and login.launchpad.net is identical apart from the obvious hostname difference.01:08
wgrantThere is no difference in the chain.01:08
wgrantSo if one works but the other doesn't, the certificate change is probably unrelated.01:08
wgrantI've tried several other consumers with login.launchpad.net, and they work fine -- even other StackExchange sites.01:09
wgrantEvgeny: How exactly is that button configured?01:09
Evgenywgrant: using python-openid and https://login.launchpad.net/ as endpoint01:10
wgrantOh, that's not StackExchange, oops.01:10
wgrantEvgeny: I'd step through python-openid and see where it fails.01:10
wgrantBut changing login.launchpad.net to login.ubuntu.com works fine?01:11
wgrantIs it possible you have a firewall in place with out of date IP addresses?01:11
Evgenywgrant: Yes, login.ubuntu.com works and the id's are the same01:11
Evgenyno, it's on a public net01:12
EvgenyIs there a quick way to verify that the certificate has all the bundle set up?01:12
wgrantThe chains on both sites are identical and correct.01:12
EvgenyIt could be that the python-openid can't verify the certificate01:12
wgrantEvgeny: You'll need to convince python-openid to give you a better error.01:13
reedwgrant, just adding more food for thought: "Server denied check_authentication" https://bugs.launchpad.net/openstack-community/+bug/1406202/comments/101:14
ubot5Launchpad bug 1406202 in OpenStack Community Project "Can't login to ASK OpenStack: OpenID https://login.launchpad.net/ is invalid" [Critical,Confirmed]01:14
Evgenywgrant, yes I'll look into this, thanks.01:14
reedunfortunately I have to go now ... :)01:14
reedi'll check the logs later01:15
wgrantFWIW we have dozens of internal apps using python-openid to authenticate against https://login.launchpad.net/, so it's not a general problem.01:15
wgrantBut it's possibly an issue with the statless vs. stateful mode.01:16
wgrantWe ran into a bug with python-openid years ago, IIRC, where stateless requests on login.launchpad.net were failing because the GET string got too long and it fell back to POST, which failed, or something.01:17
wgrantIt was a long time ago and I forget the details and the fix.01:17
wgrant(it only broke on login.launchpad.net because "launchpad" is slightly longer than "ubuntu")01:17
ubot5Launchpad bug 676372 in Launchpad itself ""Server denied check_authentication" from bazaar.launchpad.net private branch since 11926 deployed" [Critical,Fix released]01:18
wgranthttps://bugs.launchpad.net/launchpad/+bug/676372/comments/5 was what I was thinking of01:18
wgrantHuh, different error now01:28
wgrant"OpenID https://login.launchpad.net/ is invalid: Error fetching XRDS document:"01:28
wgrantIs someone hacking the code live?01:28
wgrantI hope so, or you have an XSS hole :P01:30
wgrant"No route to host", anyway01:31
wgrantThat really sounds a bit like a network/DNS issue at ask.openstack.org's end.01:31
Evgenyyes, I've just made it print wholly01:35
Evgenywgrant: ping login.launchpad.net give "destination unreachable" from that host01:35
wgrantEvgeny: What does it resolve to?01:35
wgrantIt moved to a new network a couple of weeks ago.01:35
wgrantCheck your /etc/hosts :)01:36
wgrantShould be on somewhere01:36
Evgenybingo! Thanks!01:37
wgrantHeh, any idea how it ended up manually set?01:37
wgrantOoh it even works now.01:37
EvgenyI've done it myself before, I think there were issues on massive dns queries if I remember correctly01:38
Evgenymaybe I've overdone the /etc/hosts file01:38
wgrantPerhaps have a local caching resolver, but hardcoding things in /etc/hosts is only going to bring you pain as things move around.01:38
Evgenywgrant: Thank you, mystery solved. Bye.01:41
Evgenythanks for the advice01:42
=== JoseeAntonioR is now known as jose

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!