| teward | wgrant: yeah, it helps if the system gave an OOPS ID - it got a red "Sorry, there was a timeout try again" message, no OOPS ID | 00:50 |
|---|---|---|
| teward | looked like it resolved itself though | 00:50 |
| Evgeny | Hello! Anyone here to ask about the Launchpad OpenID authentication? | 00:55 |
| Evgeny | had something changed in the OpenID setup on login.launchpad.net? | 00:56 |
| wgrant | Evgeny: That's not technically part of Launchpad, but I may be able to help. What's the problem? | 01:02 |
| wgrant | Nothing has changed recently. | 01:02 |
| Evgeny | wgrant: Thank you, we have LP openid authentication incorporated into ask.openstack.org | 01:03 |
| Evgeny | wgrant: which worked in the past, now we are getting "DiscoveryFailure" exception from the python openid library. | 01:04 |
| Evgeny | openid https://login.ubuntu.com/ works | 01:04 |
| wgrant | Evgeny: Ah, the certificate was changed a week ago. | 01:04 |
| Evgeny | wgrant: thanks, what does this mean to the admin of the site providing login via LP? | 01:05 |
| wgrant | Evgeny: Nothing at all if you are using any normal client. | 01:05 |
| wgrant | When did you first observe the breakage? | 01:06 |
| Evgeny | wgrant: I'd think this week | 01:06 |
| Evgeny | wgrant: rather within past week | 01:06 |
| Evgeny | wgrant: which certificate changed? | 01:07 |
| wgrant | Evgeny: Have you contacted StackExchange about this? | 01:07 |
| Evgeny | wgrant: ssl? | 01:07 |
| wgrant | SSL, yes. | 01:07 |
| Evgeny | wgrant: no, I haven't. Ok, I'll see where this info leads. | 01:08 |
| wgrant | The certificate configuration of login.ubuntu.com and login.launchpad.net is identical apart from the obvious hostname difference. | 01:08 |
| wgrant | There is no difference in the chain. | 01:08 |
| wgrant | So if one works but the other doesn't, the certificate change is probably unrelated. | 01:08 |
| wgrant | I've tried several other consumers with login.launchpad.net, and they work fine -- even other StackExchange sites. | 01:09 |
| wgrant | Evgeny: How exactly is that button configured? | 01:09 |
| Evgeny | wgrant: using python-openid and https://login.launchpad.net/ as endpoint | 01:10 |
| wgrant | Oh, that's not StackExchange, oops. | 01:10 |
| wgrant | Hmm | 01:10 |
| wgrant | Evgeny: I'd step through python-openid and see where it fails. | 01:10 |
| wgrant | But changing login.launchpad.net to login.ubuntu.com works fine? | 01:11 |
| wgrant | Is it possible you have a firewall in place with out of date IP addresses? | 01:11 |
| Evgeny | wgrant: Yes, login.ubuntu.com works and the id's are the same | 01:11 |
| Evgeny | no, it's on a public net | 01:12 |
| Evgeny | Is there a quick way to verify that the certificate has all the bundle set up? | 01:12 |
| wgrant | The chains on both sites are identical and correct. | 01:12 |
| Evgeny | It could be that the python-openid can't verify the certificate | 01:12 |
| Evgeny | ok | 01:12 |
| wgrant | Evgeny: You'll need to convince python-openid to give you a better error. | 01:13 |
| reed | wgrant, just adding more food for thought: "Server denied check_authentication" https://bugs.launchpad.net/openstack-community/+bug/1406202/comments/1 | 01:14 |
| ubot5 | Launchpad bug 1406202 in OpenStack Community Project "Can't login to ASK OpenStack: OpenID https://login.launchpad.net/ is invalid" [Critical,Confirmed] | 01:14 |
| Evgeny | wgrant, yes I'll look into this, thanks. | 01:14 |
| reed | unfortunately I have to go now ... :) | 01:14 |
| reed | i'll check the logs later | 01:15 |
| wgrant | FWIW we have dozens of internal apps using python-openid to authenticate against https://login.launchpad.net/, so it's not a general problem. | 01:15 |
| wgrant | But it's possibly an issue with the statless vs. stateful mode. | 01:16 |
| wgrant | We ran into a bug with python-openid years ago, IIRC, where stateless requests on login.launchpad.net were failing because the GET string got too long and it fell back to POST, which failed, or something. | 01:17 |
| wgrant | It was a long time ago and I forget the details and the fix. | 01:17 |
| wgrant | (it only broke on login.launchpad.net because "launchpad" is slightly longer than "ubuntu") | 01:17 |
| wgrant | Aha | 01:18 |
| wgrant | https://bugs.launchpad.net/launchpad/+bug/676372 | 01:18 |
| ubot5 | Launchpad bug 676372 in Launchpad itself ""Server denied check_authentication" from bazaar.launchpad.net private branch since 11926 deployed" [Critical,Fix released] | 01:18 |
| wgrant | https://bugs.launchpad.net/launchpad/+bug/676372/comments/5 was what I was thinking of | 01:18 |
| wgrant | Huh, different error now | 01:28 |
| wgrant | "OpenID https://login.launchpad.net/ is invalid: Error fetching XRDS document:" | 01:28 |
| wgrant | Is someone hacking the code live? | 01:28 |
| wgrant | I hope so, or you have an XSS hole :P | 01:30 |
| wgrant | "No route to host", anyway | 01:31 |
| wgrant | That really sounds a bit like a network/DNS issue at ask.openstack.org's end. | 01:31 |
| Evgeny | yes, I've just made it print wholly | 01:35 |
| Evgeny | wgrant: ping login.launchpad.net give "destination unreachable" from that host | 01:35 |
| wgrant | Evgeny: What does it resolve to? | 01:35 |
| wgrant | It moved to a new network a couple of weeks ago. | 01:35 |
| Evgeny | wgrant: 91.189.93.244 | 01:36 |
| wgrant | erm | 01:36 |
| wgrant | Check your /etc/hosts :) | 01:36 |
| wgrant | Should be on 162.213.32.0/22 somewhere | 01:36 |
| Evgeny | bingo! Thanks! | 01:37 |
| wgrant | Heh, any idea how it ended up manually set? | 01:37 |
| wgrant | Ooh it even works now. | 01:37 |
| Evgeny | I've done it myself before, I think there were issues on massive dns queries if I remember correctly | 01:38 |
| Evgeny | maybe I've overdone the /etc/hosts file | 01:38 |
| wgrant | Perhaps have a local caching resolver, but hardcoding things in /etc/hosts is only going to bring you pain as things move around. | 01:38 |
| Evgeny | wgrant: Thank you, mystery solved. Bye. | 01:41 |
| wgrant | Excellent. | 01:41 |
| Evgeny | thanks for the advice | 01:42 |
| === JoseeAntonioR is now known as jose | ||
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!