teward | wgrant: yeah, it helps if the system gave an OOPS ID - it got a red "Sorry, there was a timeout try again" message, no OOPS ID | 00:50 |
---|---|---|
teward | looked like it resolved itself though | 00:50 |
Evgeny | Hello! Anyone here to ask about the Launchpad OpenID authentication? | 00:55 |
Evgeny | had something changed in the OpenID setup on login.launchpad.net? | 00:56 |
wgrant | Evgeny: That's not technically part of Launchpad, but I may be able to help. What's the problem? | 01:02 |
wgrant | Nothing has changed recently. | 01:02 |
Evgeny | wgrant: Thank you, we have LP openid authentication incorporated into ask.openstack.org | 01:03 |
Evgeny | wgrant: which worked in the past, now we are getting "DiscoveryFailure" exception from the python openid library. | 01:04 |
Evgeny | openid https://login.ubuntu.com/ works | 01:04 |
wgrant | Evgeny: Ah, the certificate was changed a week ago. | 01:04 |
Evgeny | wgrant: thanks, what does this mean to the admin of the site providing login via LP? | 01:05 |
wgrant | Evgeny: Nothing at all if you are using any normal client. | 01:05 |
wgrant | When did you first observe the breakage? | 01:06 |
Evgeny | wgrant: I'd think this week | 01:06 |
Evgeny | wgrant: rather within past week | 01:06 |
Evgeny | wgrant: which certificate changed? | 01:07 |
wgrant | Evgeny: Have you contacted StackExchange about this? | 01:07 |
Evgeny | wgrant: ssl? | 01:07 |
wgrant | SSL, yes. | 01:07 |
Evgeny | wgrant: no, I haven't. Ok, I'll see where this info leads. | 01:08 |
wgrant | The certificate configuration of login.ubuntu.com and login.launchpad.net is identical apart from the obvious hostname difference. | 01:08 |
wgrant | There is no difference in the chain. | 01:08 |
wgrant | So if one works but the other doesn't, the certificate change is probably unrelated. | 01:08 |
wgrant | I've tried several other consumers with login.launchpad.net, and they work fine -- even other StackExchange sites. | 01:09 |
wgrant | Evgeny: How exactly is that button configured? | 01:09 |
Evgeny | wgrant: using python-openid and https://login.launchpad.net/ as endpoint | 01:10 |
wgrant | Oh, that's not StackExchange, oops. | 01:10 |
wgrant | Hmm | 01:10 |
wgrant | Evgeny: I'd step through python-openid and see where it fails. | 01:10 |
wgrant | But changing login.launchpad.net to login.ubuntu.com works fine? | 01:11 |
wgrant | Is it possible you have a firewall in place with out of date IP addresses? | 01:11 |
Evgeny | wgrant: Yes, login.ubuntu.com works and the id's are the same | 01:11 |
Evgeny | no, it's on a public net | 01:12 |
Evgeny | Is there a quick way to verify that the certificate has all the bundle set up? | 01:12 |
wgrant | The chains on both sites are identical and correct. | 01:12 |
Evgeny | It could be that the python-openid can't verify the certificate | 01:12 |
Evgeny | ok | 01:12 |
wgrant | Evgeny: You'll need to convince python-openid to give you a better error. | 01:13 |
reed | wgrant, just adding more food for thought: "Server denied check_authentication" https://bugs.launchpad.net/openstack-community/+bug/1406202/comments/1 | 01:14 |
ubot5 | Launchpad bug 1406202 in OpenStack Community Project "Can't login to ASK OpenStack: OpenID https://login.launchpad.net/ is invalid" [Critical,Confirmed] | 01:14 |
Evgeny | wgrant, yes I'll look into this, thanks. | 01:14 |
reed | unfortunately I have to go now ... :) | 01:14 |
reed | i'll check the logs later | 01:15 |
wgrant | FWIW we have dozens of internal apps using python-openid to authenticate against https://login.launchpad.net/, so it's not a general problem. | 01:15 |
wgrant | But it's possibly an issue with the stateless vs. stateful mode. | 01:16 |
wgrant | We ran into a bug with python-openid years ago, IIRC, where stateless requests on login.launchpad.net were failing because the GET string got too long and it fell back to POST, which failed, or something. | 01:17 |
wgrant | It was a long time ago and I forget the details and the fix. | 01:17 |
wgrant | (it only broke on login.launchpad.net because "launchpad" is slightly longer than "ubuntu") | 01:17 |
wgrant | Aha | 01:18 |
wgrant | https://bugs.launchpad.net/launchpad/+bug/676372 | 01:18 |
ubot5 | Launchpad bug 676372 in Launchpad itself ""Server denied check_authentication" from bazaar.launchpad.net private branch since 11926 deployed" [Critical,Fix released] | 01:18 |
wgrant | https://bugs.launchpad.net/launchpad/+bug/676372/comments/5 was what I was thinking of | 01:18 |
wgrant | Huh, different error now | 01:28 |
wgrant | "OpenID https://login.launchpad.net/ is invalid: Error fetching XRDS document:" | 01:28 |
wgrant | Is someone hacking the code live? | 01:28 |
wgrant | I hope so, or you have an XSS hole :P | 01:30 |
wgrant | "No route to host", anyway | 01:31 |
wgrant | That really sounds a bit like a network/DNS issue at ask.openstack.org's end. | 01:31 |
Evgeny | yes, I've just made it print wholly | 01:35 |
Evgeny | wgrant: ping login.launchpad.net gives "destination unreachable" from that host | 01:35 |
wgrant | Evgeny: What does it resolve to? | 01:35 |
wgrant | It moved to a new network a couple of weeks ago. | 01:35 |
Evgeny | wgrant: 91.189.93.244 | 01:36 |
wgrant | erm | 01:36 |
wgrant | Check your /etc/hosts :) | 01:36 |
wgrant | Should be on 162.213.32.0/22 somewhere | 01:36 |
Evgeny | bingo! Thanks! | 01:37 |
wgrant | Heh, any idea how it ended up manually set? | 01:37 |
wgrant | Ooh it even works now. | 01:37 |
Evgeny | I've done it myself before, I think there were issues on massive dns queries if I remember correctly | 01:38 |
Evgeny | maybe I've overdone the /etc/hosts file | 01:38 |
wgrant | Perhaps have a local caching resolver, but hardcoding things in /etc/hosts is only going to bring you pain as things move around. | 01:38 |
Evgeny | wgrant: Thank you, mystery solved. Bye. | 01:41 |
wgrant | Excellent. | 01:41 |
Evgeny | thanks for the advice | 01:42 |
=== JoseeAntonioR is now known as jose |