[00:50] <teward> wgrant: yeah, it helps if the system gave an OOPS ID - it got a red "Sorry, there was a timeout try again" message, no OOPS ID
[00:50] <teward> looked like it resolved itself though
[00:55] <Evgeny> Hello! Anyone here to ask about the Launchpad OpenID authentication?
[00:56] <Evgeny> had something changed in the OpenID setup on login.launchpad.net?
[01:02] <wgrant> Evgeny: That's not technically part of Launchpad, but I may be able to help. What's the problem?
[01:02] <wgrant> Nothing has changed recently.
[01:03] <Evgeny> wgrant: Thank you, we have LP openid authentication incorporated into ask.openstack.org
[01:04] <Evgeny> wgrant: which worked in the past, now we are getting "DiscoveryFailure" exception from the python openid library.
[01:04] <Evgeny> openid https://login.ubuntu.com/ works
[01:04] <wgrant> Evgeny: Ah, the certificate was changed a week ago.
[01:05] <Evgeny> wgrant: thanks, what does this mean to the admin of the site providing login via LP?
[01:05] <wgrant> Evgeny: Nothing at all if you are using any normal client.
[01:06] <wgrant> When did you first observe the breakage?
[01:06] <Evgeny> wgrant: I'd think this week
[01:06] <Evgeny> wgrant: rather within past week
[01:07] <Evgeny> wgrant: which certificate changed?
[01:07] <wgrant> Evgeny: Have you contacted StackExchange about this?
[01:07] <Evgeny> wgrant: ssl?
[01:07] <wgrant> SSL, yes.
[01:08] <Evgeny> wgrant: no, I haven't. Ok, I'll see where this info leads.
[01:08] <wgrant> The certificate configuration of login.ubuntu.com and login.launchpad.net is identical apart from the obvious hostname difference.
[01:08] <wgrant> There is no difference in the chain.
[01:08] <wgrant> So if one works but the other doesn't, the certificate change is probably unrelated.
[01:09] <wgrant> I've tried several other consumers with login.launchpad.net, and they work fine -- even other StackExchange sites.
[01:09] <wgrant> Evgeny: How exactly is that button configured?
[01:10] <Evgeny> wgrant: using python-openid and https://login.launchpad.net/ as endpoint
[01:10] <wgrant> Oh, that's not StackExchange, oops.
[01:10] <wgrant> Hmm
[01:10] <wgrant> Evgeny: I'd step through python-openid and see where it fails.
[01:11] <wgrant> But changing login.launchpad.net to login.ubuntu.com works fine?
[01:11] <wgrant> Is it possible you have a firewall in place with out of date IP addresses?
[01:11] <Evgeny> wgrant: Yes, login.ubuntu.com works and the id's are the same
[01:12] <Evgeny> no, it's on a public net
[01:12] <Evgeny> Is there a quick way to verify that the certificate has all the bundle set up?
[01:12] <wgrant> The chains on both sites are identical and correct.
[01:12] <Evgeny> It could be that the python-openid can't verify the certificate
[01:12] <Evgeny> ok
[01:13] <wgrant> Evgeny: You'll need to convince python-openid to give you a better error.
[01:14] <reed> wgrant, just adding more food for thought: "Server denied check_authentication" https://bugs.launchpad.net/openstack-community/+bug/1406202/comments/1
[01:14] <Evgeny> wgrant, yes I'll look into this, thanks.
[01:14] <reed> unfortunately I have to go now ... :)
[01:15] <reed> i'll check the logs later
[01:15] <wgrant> FWIW we have dozens of internal apps using python-openid to authenticate against https://login.launchpad.net/, so it's not a general problem.
[01:16] <wgrant> But it's possibly an issue with the stateless vs. stateful mode.
[01:17] <wgrant> We ran into a bug with python-openid years ago, IIRC, where stateless requests on login.launchpad.net were failing because the GET string got too long and it fell back to POST, which failed, or something.
[01:17] <wgrant> It was a long time ago and I forget the details and the fix.
[01:17] <wgrant> (it only broke on login.launchpad.net because "launchpad" is slightly longer than "ubuntu")
[01:18] <wgrant> Aha
[01:18] <wgrant> https://bugs.launchpad.net/launchpad/+bug/676372
[01:18] <wgrant> https://bugs.launchpad.net/launchpad/+bug/676372/comments/5 was what I was thinking of
[01:28] <wgrant> Huh, different error now
[01:28] <wgrant> "OpenID https://login.launchpad.net/ is invalid: Error fetching XRDS document:"
[01:28] <wgrant> Is someone hacking the code live?
[01:30] <wgrant> I hope so, or you have an XSS hole :P
[01:31] <wgrant> "No route to host", anyway
[01:31] <wgrant> That really sounds a bit like a network/DNS issue at ask.openstack.org's end.
[01:35] <Evgeny> yes, I've just made it print wholly
[01:35] <Evgeny> wgrant: ping login.launchpad.net gives "destination unreachable" from that host
[01:35] <wgrant> Evgeny: What does it resolve to?
[01:35] <wgrant> It moved to a new network a couple of weeks ago.
[01:36] <Evgeny> wgrant: 91.189.93.244
[01:36] <wgrant> erm
[01:36] <wgrant> Check your /etc/hosts :)
[01:36] <wgrant> Should be on 162.213.32.0/22 somewhere
[01:37] <Evgeny> bingo! Thanks!
[01:37] <wgrant> Heh, any idea how it ended up manually set?
[01:37] <wgrant> Ooh it even works now.
[01:38] <Evgeny> I've done it myself before, I think there were issues on massive dns queries if I remember correctly
[01:38] <Evgeny> maybe I've overdone the /etc/hosts file
[01:38] <wgrant> Perhaps have a local caching resolver, but hardcoding things in /etc/hosts is only going to bring you pain as things move around.
[01:41] <Evgeny> wgrant: Thank you, mystery solved. Bye.
[01:41] <wgrant> Excellent.
[01:42] <Evgeny> thanks for the advice