SSL cert failure in connection after password change

[cderici]

Description

I stumbled upon this when I was trying to reproduce #998, might be related, I'm not sure.

If we try to connect after changing the password of a user (see reproduce steps), then we get the following SSL cert verification failure from the Juju api (might need a fix on juju side, not sure atm):

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1007)

Urgency

Casually reporting

Python-libjuju version

2.9

Juju version

2.9.47 (2.9 edge)

Reproduce / Test

# Bootstrap a 2.9 controller, then connect to it with the current user (i.e. `admin`) with the default cert.


$ python -m asyncio
>>> from juju import model
>>> m=model.Model()
>>> await m.connect()
>>>
exiting asyncio REPL...

# Connection works without any issues.

# Change the user password with `juju change-user-password`:

```sh
$ juju change-user-password
new password:
type new password again:
Your password has been changed.
caner@lithium:~/work/python-libjuju$ juju users
Controller: lxd292

Name    Display name  Access     Date created   Last connection
admin*  admin         superuser  2 minutes ago  just now

Do the same connection on the repl from above:

$ python -m asyncio
asyncio REPL 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] on linux
Use "await" directly instead of "asyncio.run()".
Type "help", "copyright", "credits" or "license" for more information.
>>> import asyncio
>>> from juju import model
>>> m=model.Model()
>>> await m.connect()
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 700, in urlopen
    httplib_response = self._make_request(
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 383, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 1017, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 411, in connect
    self.sock = ssl_wrap_socket(
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 453, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(sock, context, tls_in_tls)
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 495, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock)
  File "/usr/lib/python3.10/ssl.py", line 513, in wrap_socket
    return self.sslsocket_class._create(
  File "/usr/lib/python3.10/ssl.py", line 1100, in _create
    self.do_handshake()
  File "/usr/lib/python3.10/ssl.py", line 1371, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1007)

[cderici]

This is because initially when a controller is bootstrapped the creds for the default user (admin) (including the generated password) is written into the accounts.yaml, and juju change-user-password removes the password field. So the SSL verification fails because the following line passes nothing:

python-libjuju/juju/client/connector.py

Line 185 in 2581b0c

password=account.get("password"),

[erik78se]

Why depend on the accounts.yaml file in the first place except from the initialization of the connection? This should be just some in-memory thing which would only be needed on first initialization of a connection ?

Also, considering when a client might have multiple accounts on the same client which I do all the time?