[Bug 2091103] Re: [SRU]: check_hostname requires server_hostname when using container_infra endpoint with HTTPS

Thu Dec 11 19:54:07 UTC 2025

Patch for python-magnumclient in Jammy Caracal in the UCA

** Patch added: "jammy-caracal-lp2091103.debdiff"
   https://bugs.launchpad.net/magnum/+bug/2091103/+attachment/5933009/+files/jammy-caracal-lp2091103.debdiff

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/2091103

Title:
  [SRU]: check_hostname requires server_hostname when using
  container_infra endpoint with HTTPS

Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive caracal series:
  New
Status in Ubuntu Cloud Archive dalmatian series:
  New
Status in Ubuntu Cloud Archive epoxy series:
  New
Status in Magnum:
  Invalid
Status in python-magnumclient:
  Fix Released
Status in python-magnumclient package in Ubuntu:
  Fix Released
Status in python-magnumclient source package in Noble:
  New
Status in python-magnumclient source package in Plucky:
  New
Status in python-magnumclient source package in Questing:
  Fix Released

Bug description:
  Note: Original description below

  [Impact]

  * On Jammy Caracal, when endpoints are configured with TLS, the Magnum
  UI does not display any information about deployed resources, although
  they are created and visible using the command-line client. The
  dashboard displays errors about connecting to the backend

  * This bug is introduced by a patch (d/p/0001-Update-
  VerifiedHTTPSConnection-for-Python-3.12.patch) [1], which was added to
  include Python 3.12 support by refactoring ssl context management but
  did not pass a server_hostname parameter to context.wrap_socket. This
  merged upstream during the Dalmatian cycle and was not backported to
  Caracal upstream. Therefore, upstream Caracal doesn't hit this bug,
  but also doesn't have the fix that properly supports Python 3.12. In
  any case, the patch [1] is included in the Ubuntu Cloud Archive for
  Jammy-Caracal, so our packages are affected.

  * The bug was fixed upstream in [2], which merged during the Epoxy
  cycle, and was backported to Dalmatian (but not upstream Caracal,
  since upstream Caracal doesn't have [1]). However, our Dalmatian and
  Epoxy packages don't have this fix. Therefore, the affected Ubuntu
  packages are the python-magnumclient shipped as a distro package for
  Noble and Plucky, and then for the Ubuntu Cloud Archive (UCA) the
  affected packages are python-magnumclient for Jammy Caracal, Noble
  Dalmatian, and Noble-Epoxy.

  [1] https://opendev.org/openstack/python-magnumclient/commit/83a10d4d49388fb680b450c728cd1e62d18e8672
  [2] https://opendev.org/openstack/python-magnumclient/commit/ecdcc0697cd53592b54078175001755169436761

  [Test Plan]

  * Deploy Openstack by any method. I will use juju

  * Deploy magnum services and setup relations

  juju deploy magnum --channel=2024.1/stable magnum
  juju relate magnum keystone
  juju relate magnum vault
  juju relate magnum:ampq rabbitmq-server:ampq
  juju relate magnum:shared-db magnum-mysql-router:shared-db

  juju deploy magnum-dashboard --channel=2024.1/stable magnum-dashboard
  juju relate magnum-dashboard keystone
  juju relate magnum-dashboard vault
  juju relate magnum-dashboard openstack-dashboard

  * Configure magnum
  juju run magnum/0 domain-setup

  * Open openstack dashboard, and go to the cluster management pane

  * See error message and that there's observability of any magnum
  resources without the patch

  * Upgrade to proposed, and see a properly populated dashboard

  [What can go wrong]

  * While this fixes an issue with SNI in TLS handshakes, it may not fix
  the problem in all environments. If SNI is not configured correctly or
  TLS certs are not distributed properly in the environment, the backend
  may remain unreachable from the dashboard

  ====================================
  Original description:

  Openstack: 2024.2
  Ubuntu: 22.04
  Deployment Tool: Kolla Ansible

  Steps to reproduce:
  From version 2024.2 of Magnum when using Horizon (navigate to Project->Container Infra->Cluster or Cluster Templates) "/api/container_infra/*" endpoints return 500 Internal Server Error "check_hostname requires server_hostname". Container Infra Endpoint is using HTTPS

  Horizon error log:
  error invoking apiclient
  Traceback (most recent call last):
    File "/var/lib/kolla/venv/lib/python3.12/site-packages/openstack_dashboard/api/rest/utils.py", line 128, in _wrapped
      data = function(self, request, *args, **kw)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnum_ui/api/rest/magnum.py", line 302, in get
      result = magnum.cluster_list(request)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnum_ui/api/magnum.py", line 193, in cluster_list
      return magnumclient(request).clusters.list(limit, marker, sort_key,
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnumclient/v1/baseunit.py", line 82, in list
      return self._list(self._path(path), self.__class__.template_name)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnumclient/common/base.py", line 117, in _list
      resp, body = self.api.json_request('GET', url)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnumclient/common/httpclient.py", line 240, in json_request
      resp, body_iter = self._http_request(url, method, **kwargs)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnumclient/common/httpclient.py", line 187, in _http_request
      conn.request(method, conn_url, **kwargs)
    File "/usr/lib/python3.12/http/client.py", line 1336, in request
      self._send_request(method, url, body, headers, encode_chunked)
    File "/usr/lib/python3.12/http/client.py", line 1382, in _send_request
      self.endheaders(body, encode_chunked=encode_chunked)
    File "/usr/lib/python3.12/http/client.py", line 1331, in endheaders
      self._send_output(message_body, encode_chunked=encode_chunked)
    File "/usr/lib/python3.12/http/client.py", line 1091, in _send_output
      self.send(msg)
    File "/usr/lib/python3.12/http/client.py", line 1035, in send
      self.connect()
    File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnumclient/common/httpclient.py", line 310, in connect
      self.sock = context.wrap_socket(sock)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.12/ssl.py", line 455, in wrap_socket
      return self.sslsocket_class._create(
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.12/ssl.py", line 970, in _create
      raise ValueError("check_hostname requires server_hostname")
  ValueError: check_hostname requires server_hostname
  Internal Server Error: /api/container_infra/clusters/

  After analysis the problem exists in python-magnumclient from version
  4.6.0 (https://opendev.org/openstack/python-
  magnumclient/commit/5d8fd3840052e07418e007f336deb99fd58b7e92)

  According to documentation when using check_hostname with CERT_REQUIRED you must also pass server_hostname to wrap_socket
  (Python 3.12 doc reference: https://docs.python.org/3.12/library/ssl.html#ssl.SSLContext.check_hostname

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/2091103/+subscriptions