[Bug 2091103] Re: [SRU]: check_hostname requires server_hostname when using container_infra endpoint with HTTPS

Launchpad Bug Tracker 2091103 at bugs.launchpad.net
Fri Dec 12 03:34:35 UTC 2025 

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: python-magnumclient (Ubuntu Plucky)
       Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/2091103

Title:
  [SRU]: check_hostname requires server_hostname when using
  container_infra endpoint with HTTPS

Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive caracal series:
  New
Status in Ubuntu Cloud Archive dalmatian series:
  New
Status in Ubuntu Cloud Archive epoxy series:
  New
Status in Magnum:
  Invalid
Status in python-magnumclient:
  Fix Released
Status in python-magnumclient package in Ubuntu:
  Fix Released
Status in python-magnumclient source package in Noble:
  Confirmed
Status in python-magnumclient source package in Plucky:
  Confirmed
Status in python-magnumclient source package in Questing:
  Fix Released

Bug description:
  Note: Original description below

  [Impact]

  * On Jammy Caracal, when endpoints are configured with TLS, the Magnum
  UI does not display any information about deployed resources, although
  they are created and visible using the command-line client. The
  dashboard displays errors about connecting to the backend

  * This bug is introduced by a patch (d/p/0001-Update-
  VerifiedHTTPSConnection-for-Python-3.12.patch) [1], which was added to
  include Python 3.12 support by refactoring ssl context management but
  did not pass a server_hostname parameter to context.wrap_socket. This
  merged upstream during the Dalmatian cycle and was not backported to
  Caracal upstream. Therefore, upstream Caracal doesn't hit this bug,
  but also doesn't have the fix that properly supports Python 3.12.
  Nevertheless, the patch [1] is included in the Ubuntu Cloud Archive
  for Jammy-Caracal and the distro package for Noble, so Ubuntu's
  Caracal packages are affected (distro and UCA).

  * This bug was fixed upstream in [2], which merged during the Epoxy
  cycle, and was backported to Dalmatian (but not upstream Caracal,
  since upstream Caracal doesn't have [1] and, therefore, isn't affected
  by this bug). However, Ubuntu's Dalmatian and Epoxy packages (both
  distro packages and UCA) don't have this fix.

  * Therefore, the affected Ubuntu packages are the python-magnumclient
  shipped as on Noble, Oracular (EOL) and Plucky, and then for the
  Ubuntu Cloud Archive (UCA) the affected packages are python-
  magnumclient for Jammy Caracal, Noble Dalmatian, and Noble-Epoxy.

  [1] https://opendev.org/openstack/python-magnumclient/commit/83a10d4d49388fb680b450c728cd1e62d18e8672
  [2] https://opendev.org/openstack/python-magnumclient/commit/ecdcc0697cd53592b54078175001755169436761

  [Test Plan]

  * Deploy Openstack by any method. I will use juju

  * Deploy magnum services and setup relations

  juju deploy magnum --channel=2024.1/stable magnum
  juju relate magnum keystone
  juju relate magnum vault
  juju relate magnum:ampq rabbitmq-server:ampq
  juju relate magnum:shared-db magnum-mysql-router:shared-db

  juju deploy magnum-dashboard --channel=2024.1/stable magnum-dashboard
  juju relate magnum-dashboard keystone
  juju relate magnum-dashboard vault
  juju relate magnum-dashboard openstack-dashboard

  * Configure magnum
  juju run magnum/0 domain-setup

  * Open openstack dashboard, and go to the cluster management pane

  * See error message and that there's observability of any magnum
  resources without the patch

  * Upgrade to proposed, and see a properly populated dashboard

  [What can go wrong]

  * While this fixes an issue with SNI in TLS handshakes, in
  environments where SNI is not configured correctly or TLS certs are
  not distributed properly, this patch may break the environment and
  expose those issues.

  ====================================
  Original description:

  Openstack: 2024.2
  Ubuntu: 22.04
  Deployment Tool: Kolla Ansible

  Steps to reproduce:
  From version 2024.2 of Magnum when using Horizon (navigate to Project->Container Infra->Cluster or Cluster Templates) "/api/container_infra/*" endpoints return 500 Internal Server Error "check_hostname requires server_hostname". Container Infra Endpoint is using HTTPS

  Horizon error log:
  error invoking apiclient
  Traceback (most recent call last):
    File "/var/lib/kolla/venv/lib/python3.12/site-packages/openstack_dashboard/api/rest/utils.py", line 128, in _wrapped
      data = function(self, request, *args, **kw)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnum_ui/api/rest/magnum.py", line 302, in get
      result = magnum.cluster_list(request)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnum_ui/api/magnum.py", line 193, in cluster_list
      return magnumclient(request).clusters.list(limit, marker, sort_key,
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnumclient/v1/baseunit.py", line 82, in list
      return self._list(self._path(path), self.__class__.template_name)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnumclient/common/base.py", line 117, in _list
      resp, body = self.api.json_request('GET', url)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnumclient/common/httpclient.py", line 240, in json_request
      resp, body_iter = self._http_request(url, method, **kwargs)
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnumclient/common/httpclient.py", line 187, in _http_request
      conn.request(method, conn_url, **kwargs)
    File "/usr/lib/python3.12/http/client.py", line 1336, in request
      self._send_request(method, url, body, headers, encode_chunked)
    File "/usr/lib/python3.12/http/client.py", line 1382, in _send_request
      self.endheaders(body, encode_chunked=encode_chunked)
    File "/usr/lib/python3.12/http/client.py", line 1331, in endheaders
      self._send_output(message_body, encode_chunked=encode_chunked)
    File "/usr/lib/python3.12/http/client.py", line 1091, in _send_output
      self.send(msg)
    File "/usr/lib/python3.12/http/client.py", line 1035, in send
      self.connect()
    File "/var/lib/kolla/venv/lib/python3.12/site-packages/magnumclient/common/httpclient.py", line 310, in connect
      self.sock = context.wrap_socket(sock)
                  ^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.12/ssl.py", line 455, in wrap_socket
      return self.sslsocket_class._create(
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3.12/ssl.py", line 970, in _create
      raise ValueError("check_hostname requires server_hostname")
  ValueError: check_hostname requires server_hostname
  Internal Server Error: /api/container_infra/clusters/

  After analysis the problem exists in python-magnumclient from version
  4.6.0 (https://opendev.org/openstack/python-
  magnumclient/commit/5d8fd3840052e07418e007f336deb99fd58b7e92)

  According to documentation when using check_hostname with CERT_REQUIRED you must also pass server_hostname to wrap_socket
  (Python 3.12 doc reference: https://docs.python.org/3.12/library/ssl.html#ssl.SSLContext.check_hostname

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/2091103/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list