[Bug 2147117] Re: [SRU] Workers return 500 when SSL is enabled

Matthew Ruffell 2147117 at bugs.launchpad.net
Wed Apr 15 00:03:06 UTC 2026


** Changed in: gunicorn (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to octavia in Ubuntu.
https://bugs.launchpad.net/bugs/2147117

Title:
  [SRU] Workers return 500 when SSL is enabled

Status in gunicorn package in Ubuntu:
  Fix Released
Status in octavia package in Ubuntu:
  In Progress
Status in gunicorn source package in Noble:
  Fix Committed
Status in octavia source package in Noble:
  In Progress

Bug description:
  [ Impact ]

  * Gunicorn 20.1.0 uses the ssl.wrap_socket function, which was removed
  in Python 3.11. Because noble ships python3.12, this means that
  enabling SSL causes an AttributeError on every connection, which
  gunicorn catches and returns a 500 code.

  * This issue causes the octavia amphora-agent to fail to start when building amphorae from the noble packages.
      - As a consequence, it's currently not possible to build octavia amphorae from noble packages.

  [ Test Plan ]

  1. Spawn a noble LXD container

  2. Install
      - python3-flask
      - gunicorn

  3. Create a minimal flask app

  bug.py
  ---------

  import flask
  app = flask.Flask(__name__)

  @app.route("/")
  def hello():
      return "hello\n"
  -----------

  4. Run app with gunicorn

  gunicorn -b 0.0.0.0:8080 bug:app

  5. Test with curl

  curl http://localhost:8080

  Expected Output
  ---------------
  hello
  ---------------

  6. Generate a self-signed certificate

  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout key.pem \
    -out cert.pem \
    -days 365 \
    -subj "/CN=localhost"

  7. Run app with gunicorn and SSL

  gunicorn -b 0.0.0.0:8080 bug:app --certfile ~/cert.pem --keyfile ~/key.pem

  8. Test with curl: `curl -k https://localhost:8080`

  Expected Output
  ---------------
  hello
  ---------------

  Actual Output
  -------------
  curl: (35) OpenSSL/3.0.13: error:0A00010B:SSL routines::wrong version number
  -------------

  In fact, we're just serving a 500 error over regular HTTP.
  If we `curl http://localhost:8080`:

  Actual Output
  -------------
  <html>
    <head>
      <title>Internal Server Error</title>
    </head>
    <body>
      <h1><p>Internal Server Error</p></h1>

    </body>
  </html>
  -------------

  [ Where problems could occur ]

  * This introduces a new setting which could require users to adjust
  their settings for SSL.

  * This change only touches the code paths where SSL is enabled, which
  already doesn't work.

  [ Other Info ]

  * This issue was fixed in gunicorn 21, which updated for Python 3.11
  compatibility.

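The check performed by hand in steps 7 and 8 of the test plan, as an added example that is not part of the bug report or of gunicorn: a probe that attempts a TLS handshake and, if that fails, tests whether the listener answers in plaintext HTTP. The stand-in worker, the canned response and the names `start_broken_worker` and `probe` are assumptions made for the demonstration.

```python
import socket
import ssl
import threading

# Constructed response, modelled on the plaintext 500 shown in the report.
PLAINTEXT_500 = (b"HTTP/1.1 500 Internal Server Error\r\n"
                 b"Connection: close\r\nContent-Length: 0\r\n\r\n")

def start_broken_worker():
    """Constructed stand-in for the affected worker: it never performs a TLS
    handshake and answers every connection with an unencrypted 500."""
    srv = socket.create_server(("127.0.0.1", 0))

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                    # listener was closed
            with conn:
                conn.recv(4096)           # ClientHello or HTTP request, ignored
                conn.sendall(PLAINTEXT_500)

    threading.Thread(target=serve, daemon=True).start()
    return srv

def probe(host, port, timeout=3.0):
    """Classify a listener that is configured to serve TLS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # like curl -k: only the handshake
    ctx.verify_mode = ssl.CERT_NONE       # outcome matters for this probe
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw):
                return "tls"
    except OSError:                       # ssl.SSLError is a subclass of OSError
        pass
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(b"GET / HTTP/1.0\r\nHost: localhost\r\n\r\n")
        status_line = raw.recv(4096).split(b"\r\n", 1)[0]
    if status_line.startswith(b"HTTP/"):
        return "plaintext: " + status_line.decode("ascii", "replace")
    return "unknown"

if __name__ == "__main__":
    srv = start_broken_worker()
    print(probe("127.0.0.1", srv.getsockname()[1]))
```

A `plaintext:` result on a port that is configured with `--certfile` and `--keyfile` means the service is answering without encryption, which is the condition behind the `wrong version number` error in step 8.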