
reverse-proxy doesn't check that a certificate exists at set time
Closed, Resolved | Public | BUG

Description

Add a random cert name to the reverse-proxy configuration:

set load-balancing reverse-proxy service http description 'Force redirect to HTTPS'
set load-balancing reverse-proxy service http port '80'
set load-balancing reverse-proxy service http redirect-http-to-https

set load-balancing reverse-proxy service https backend 'bk-default'
set load-balancing reverse-proxy service https description 'listen on 443 port'
set load-balancing reverse-proxy service https mode 'http'
set load-balancing reverse-proxy service https port '443'
set load-balancing reverse-proxy service https ssl certificate 'cert'

set load-balancing reverse-proxy service https rule 10 url-path exact '/.well-known/xxx'
set load-balancing reverse-proxy service https rule 10 set redirect-location '/certs/'
set load-balancing reverse-proxy service https rule 20 url-path end '/mail'
set load-balancing reverse-proxy service https rule 20 url-path exact '/email/bar'
set load-balancing reverse-proxy service https rule 20 set redirect-location '/postfix/'

set load-balancing reverse-proxy backend bk-default description 'Default backend'
set load-balancing reverse-proxy backend bk-default mode 'http'
set load-balancing reverse-proxy backend bk-default server sr01 address '192.0.2.23'
set load-balancing reverse-proxy backend bk-default server sr01 port '80'

set load-balancing reverse-proxy global-parameters max-connections '4000'
set load-balancing reverse-proxy global-parameters tls-version-min '1.3'

I don't have any PKI configuration; this case needs to be checked.

vyos@r4# commit
[ load-balancing reverse-proxy ]
VyOS had an issue completing a command.

Report time:      2024-03-27 23:27:42
Image version:    VyOS 1.5-rolling-202403250019
Release train:    current

Built by:         autobuild@vyos.net
Built on:         Mon 25 Mar 2024 02:22 UTC
Build UUID:       84776b7b-9db0-4cf4-ac05-9a6fcf1e9128
Build commit ID:  e765407943321f

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (Q35 + ICH9, 2009)
Hardware S/N:     
Hardware UUID:    166cfd25-7d3a-4eca-9ef6-0b655c9acf0f

Traceback (most recent call last):
  File "/usr/libexec/vyos/conf_mode/load-balancing_reverse-proxy.py", line 162, in <module>
    generate(c)
  File "/usr/libexec/vyos/conf_mode/load-balancing_reverse-proxy.py", line 111, in generate
    pki_cert = lb['pki']['certificate'][cert_name]
               ~~~~~~~~~^^^^^^^^^^^^^^^
KeyError: 'certificate'



[[load-balancing]] failed
Commit failed
[edit]
vyos@r4#
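
The traceback above comes from indexing lb['pki']['certificate'][cert_name] with no PKI node configured. The following is an added example, not part of the original report and not the VyOS project's code: a verify-stage check that turns the missing reference into a readable commit error. The dict layout, the ConfigError stand-in and the function names are assumptions modelled on the traceback.

```python
# Added example: a verify-stage check, not the VyOS project's code.
# Dict layout is assumed from the traceback: lb['pki']['certificate'][cert_name].


class ConfigError(Exception):
    """Stand-in for the error a commit-time verify step raises."""


def referenced_certs(lb):
    """Yield (service, cert_name) for every 'ssl certificate' reference."""
    for svc_name, svc in lb.get('service', {}).items():
        certs = svc.get('ssl', {}).get('certificate', [])
        if isinstance(certs, str):      # single-valued node
            certs = [certs]
        for cert_name in certs:
            yield svc_name, cert_name


def verify(lb):
    """Reject the commit if a service names a certificate absent from PKI."""
    # The .get() chain tolerates a config with no 'pki' node at all, which is
    # the case that raised KeyError: 'certificate' in the report.
    known = (lb.get('pki') or {}).get('certificate') or {}
    missing = [(s, c) for s, c in referenced_certs(lb) if c not in known]
    if missing:
        detail = ', '.join(f'service "{s}" -> certificate "{c}"' for s, c in missing)
        raise ConfigError(f'Certificate not found in PKI configuration: {detail}')


def check(lb):
    """Return the error text verify() produces, or None if the config passes."""
    try:
        verify(lb)
    except ConfigError as exc:
        return str(exc)
    return None


# Constructed sample configs (not taken from a real router).
NO_PKI = {'service': {'http': {'port': '80'},
                      'https': {'port': '443', 'ssl': {'certificate': 'cert'}}}}
WITH_PKI = dict(NO_PKI, pki={'certificate': {'cert': {'certificate': '<PEM>'}}})

if __name__ == '__main__':
    print(check(NO_PKI))    # readable error instead of a traceback
    print(check(WITH_PKI))  # None: reference resolves
```

Running the check before the generate step means the HAProxy configuration is never rendered with a dangling certificate name.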

Details

Version
VyOS 1.5-rolling-202403250019
Is it a breaking change?
Behavior change
Issue type
Bug (incorrect behavior)

Event Timeline

Viacheslav triaged this task as Normal priority.
Viacheslav moved this task from Open to Finished on the VyOS 1.5 Circinus board.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta (1.4.0-epa3) board.
dmbaturin renamed this task from "Reverse-proxy should check that certificate exists during commit" to "reverse-proxy doesn't check that a certificate exists at set time". May 11 2024, 5:28 PM
dmbaturin removed a project: VyOS 1.5 Circinus.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Behavior change.