ERROR cert pool creation failed: cannot parse certificate

I have had a controller for a long time that suddenly throws an ERROR I can’t understand.

erik@frozen:~/allcode/layer-nextcloud$ juju status --debug 
11:39:11 INFO  juju.cmd supercommand.go:83 running juju [2.7.5  gc go1.10.4]
11:39:11 DEBUG juju.cmd supercommand.go:84   args: []string{"/snap/juju/11125/bin/juju", "status", "--debug"}
11:39:11 INFO  juju.juju api.go:67 connecting to API addresses: [192.168.2.12:17070]
11:39:11 INFO  juju.juju api.go:67 connecting to API addresses: [192.168.2.12:17070]
11:39:12 INFO  juju.juju api.go:67 connecting to API addresses: [192.168.2.12:17070]
11:39:12 INFO  juju.juju api.go:67 connecting to API addresses: [192.168.2.12:17070]
ERROR cert pool creation failed: cannot parse certificate "-----BEGIN CERTIFICATE-----\nMIIDrDCCApSgAwIBAgIUQWHGI1kQYRgRR5l/OJG2P+nZFxAwDQYJKoZIhvcNAQEL\nBQAwbjENMAsGA1UEChMEanVqdTEuMCwGA1UEAwwlanVqdS1nZW5lcmF0ZWQgQ0Eg\nZm9yIG1vZGVsICJqdWp1LWNhIjEtMCsGA1UEBRMkNWVjMGEzYzAtMjIxYS00NTBj\nLTg5NzAtODAxYmU1ZTFkYjg1MB4XDTE5MDEyMDA5MjI1NloXDTI5MDEyNzA5MjI1\nNlowbjENMAsGA1UEChMEanVqdTEuMCwGA1UEAwwlanVqdS1nZW5lcmF0ZWQgQ0Eg\nZm9yIG1vZGVsICJqdWp1LWNhIjEtMCsGA1UEBRMkNWVjMGEzYzAtMjIxYS00NTBj\nLTg5NzAtODAxYmU1ZTFkYjg1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\nAQEAmeIs/P/WDrZR4XUHTIgc8z35p8D4lChAHniaTRV2RqqdW6FgwyII3EzVX/G8\nK4M19v1YKaMasFiwv5/bCASuhGBu3RZwZ29oAsLkb7harH8MVAJq4AHbfTENnBZ8\nQLY8nZlHfkdRTTwLlwQBPOA54qrVe5yBSVcZt7UxNW/p++C2cBpXlaaTLFsSjU1D\nrDA6izXt5wTx8JpWFeBvGUVEOEwxCK6MTyCBvtLDaUsG5qvDSdry+Bv910HL+fpl\nwoXjJCImsbqWqM5oLU5Rs1HnLzJD3SNv6fNLePVfvslGLpDPhHafEhtgaYl3oQAI\nnud5ZhvErRtOt9HZ5xVAzQMjrQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYD\nVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUgkokSBvDZP2dv5hFLbsjac4esZEwDQYJ\nKoZIhvcNAQELBQADggEBAEAcD1Ewhq5gOXfF7MbezMonFneOU31XAcm9o6TcawUh\nc6Tjsd58aNEQSn0gHuU0ayxTQgk6xhZxp1jlG2ek7IqUsM3JlTFJyToPaQ5nhPX5\n7nBknoAAIV5Q8vi3EG9O5mSNpdAjD+CDm4TcJCWm6/Bb8aCA03JXOuBCr0P/+Lzx\nZpJEgSeTWHLoxU5hJ/Ia2VsgIwSCS45neXCkOVZwlEvo4LM52Epyg1FFjFBaga6n\n3tuHUqCd55cbYTPb6IWg3QSwzP/TB1x53z+Wx4mx3Bg=\n-----END CERTIFICATE-----\n": asn1: syntax error: data truncated
11:39:12 DEBUG cmd supercommand.go:519 error stack: 
asn1: syntax error: data truncated
/build/juju/parts/juju/go/src/github.com/juju/juju/api/certpool.go:30: cannot parse certificate "-----BEGIN CERTIFICATE-----\nMIIDrDCCApSgAwIBAgIUQWHGI1kQYRgRR5l/OJG2P+nZFxAwDQYJKoZIhvcNAQEL\nBQAwbjENMAsGA1UEChMEanVqdTEuMCwGA1UEAwwlanVqdS1nZW5lcmF0ZWQgQ0Eg\nZm9yIG1vZGVsICJqdWp1LWNhIjEtMCsGA1UEBRMkNWVjMGEzYzAtMjIxYS00NTBj\nLTg5NzAtODAxYmU1ZTFkYjg1MB4XDTE5MDEyMDA5MjI1NloXDTI5MDEyNzA5MjI1\nNlowbjENMAsGA1UEChMEanVqdTEuMCwGA1UEAwwlanVqdS1nZW5lcmF0ZWQgQ0Eg\nZm9yIG1vZGVsICJqdWp1LWNhIjEtMCsGA1UEBRMkNWVjMGEzYzAtMjIxYS00NTBj\nLTg5NzAtODAxYmU1ZTFkYjg1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\nAQEAmeIs/P/WDrZR4XUHTIgc8z35p8D4lChAHniaTRV2RqqdW6FgwyII3EzVX/G8\nK4M19v1YKaMasFiwv5/bCASuhGBu3RZwZ29oAsLkb7harH8MVAJq4AHbfTENnBZ8\nQLY8nZlHfkdRTTwLlwQBPOA54qrVe5yBSVcZt7UxNW/p++C2cBpXlaaTLFsSjU1D\nrDA6izXt5wTx8JpWFeBvGUVEOEwxCK6MTyCBvtLDaUsG5qvDSdry+Bv910HL+fpl\nwoXjJCImsbqWqM5oLU5Rs1HnLzJD3SNv6fNLePVfvslGLpDPhHafEhtgaYl3oQAI\nnud5ZhvErRtOt9HZ5xVAzQMjrQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAqQwDwYD\nVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUgkokSBvDZP2dv5hFLbsjac4esZEwDQYJ\nKoZIhvcNAQELBQADggEBAEAcD1Ewhq5gOXfF7MbezMonFneOU31XAcm9o6TcawUh\nc6Tjsd58aNEQSn0gHuU0ayxTQgk6xhZxp1jlG2ek7IqUsM3JlTFJyToPaQ5nhPX5\n7nBknoAAIV5Q8vi3EG9O5mSNpdAjD+CDm4TcJCWm6/Bb8aCA03JXOuBCr0P/+Lzx\nZpJEgSeTWHLoxU5hJ/Ia2VsgIwSCS45neXCkOVZwlEvo4LM52Epyg1FFjFBaga6n\n3tuHUqCd55cbYTPb6IWg3QSwzP/TB1x53z+Wx4mx3Bg=\n-----END CERTIFICATE-----\n"
/build/juju/parts/juju/go/src/github.com/juju/juju/api/apiclient.go:583: cert pool creation failed
/build/juju/parts/juju/go/src/github.com/juju/juju/api/apiclient.go:207: 
/build/juju/parts/juju/go/src/github.com/juju/juju/juju/api.go:72: 
/build/juju/parts/juju/go/src/github.com/juju/juju/cmd/modelcmd/base.go:214: 
/build/juju/parts/juju/go/src/github.com/juju/juju/cmd/modelcmd/modelcommand.go:424: 
/build/juju/parts/juju/go/src/github.com/juju/juju/cmd/modelcmd/modelcommand.go:405: 
/build/juju/parts/juju/go/src/github.com/juju/juju/cmd/modelcmd/modelcommand.go:311: 
/build/juju/parts/juju/go/src/github.com/juju/juju/cmd/juju/status/status.go:199: 
/build/juju/parts/juju/go/src/github.com/juju/juju/cmd/juju/status/status.go:232: 
/build/juju/parts/juju/go/src/github.com/juju/juju/cmd/juju/status/status.go:274: 
erik@frozen:~/allcode/layer-nextcloud$

I can’t use my controller any more. Does anyone have some hints on what is going on here, and should I submit a bug?

This seems related to this bug: https://github.com/openssl/openssl/issues/1381

So, I managed to get out of this problem by:

  1. Removing the controller entry from ~/.local/share/juju/controller.yaml

  2. Then re-logging in to the controller, at which point the entry is recreated with a working cert.

erik@frozen:~/.local/share/juju$ juju login -u admin 192.168.2.12:17070 -c snowflake-maas
Controller "192.168.2.12:17070" presented a CA cert that could not be verified.
CA fingerprint: [D7:69:FB:61:09:5D:50:EC:83:78:47:B8:F1:B8:76:AD:9D:CA:F8:D3:C3:38:73:72:29:29:A0:AB:02:6E:04:CA]
Trust remote controller? (y/N): y

Enter password: 

Welcome, admin. You are now logged into "snowflake-maas".

There are 4 models available. Use "juju switch" to select
one of them:
  - juju switch controller

That seems really weird - I’m glad you could get back into your controller!
I can see that the certificate mentioned in the logging is too short (by debugging parsing it with x509.ParseCertificate) but I don’t understand how it might have gotten like that, especially given that the one the controller gives you after the juju login works.

If you compare the working cert in controller.yaml with the one in the error message, is the bad one largely the same as the good one but missing some bytes? Or are they completely different?

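Added example (not part of the original thread and not Juju's code): a Go check for the question raised above, whether a stored CA cert is a truncated copy. It compares the length declared in the outer DER SEQUENCE header with the bytes actually present in the PEM body; `derShortfall` and `sampleCert` are hypothetical names, and the certificate is a throwaway one constructed at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// derShortfall reports how many bytes the outer DER SEQUENCE declares beyond
// what the PEM body holds: 0 = complete, >0 = truncated, <0 = trailing bytes.
func derShortfall(pemText []byte) (int, error) {
	block, _ := pem.Decode(pemText)
	if block == nil || len(block.Bytes) < 2 || block.Bytes[0] != 0x30 {
		return 0, fmt.Errorf("no PEM block holding a DER SEQUENCE")
	}
	b := block.Bytes
	n, hdr := int(b[1]), 2 // short form: the length octet is the content length
	if k := int(b[1] & 0x7f); b[1]&0x80 != 0 { // long form: k length octets follow
		if k == 0 || k > 4 || len(b) < 2+k {
			return 0, fmt.Errorf("unsupported or cut-off DER length field")
		}
		n, hdr = 0, 2+k
		for _, o := range b[2:hdr] {
			n = n<<8 | int(o)
		}
	}
	return hdr + n - len(b), nil
}

// sampleCert returns a constructed self-signed cert as PEM, minus `cut` trailing DER bytes.
func sampleCert(cut int) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed test CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der[:len(der)-cut]})
}

func main() {
	n, err := derShortfall(sampleCert(7))
	fmt.Println("missing bytes:", n, "err:", err)
}
```

A positive result means the stored PEM ends before the certificate does. Running the same check on the working and the failing entry shows whether the bad one is a cut-short copy of the good one.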