Show and Tell: New MAAS TLS feature

Today, Anton introduces the new MAAS TLS feature set. Please be sure to leave comments and questions below.

Here is a PDF copy of the presentation:

And here are before and after diagrams of the MAAS architecture, relevant to the TLS changes:



During the demo session I encountered an issue with the CLI failing to work with TLS enabled.

After further investigation I discovered that the issue was related to anonymous access not using the provided CA certs. The bug is already fixed but not released yet.

Current workaround:

  1. It works just fine if an API key is provided
  2. You can add the CA certs to your trusted root; they should then be picked up by the CLI

I enabled TLS, and was able to get the maas login command to work using the API key workaround.

I am now trying to use juju bootstrap with MAAS, and I am being presented with an error similar to the one that occurred in the maas login command:

juju bootstrap --bootstrap-series=focal --constraints tags=juju maas-one maas-controller

Installing Juju machine agent
2022-08-02 21:06:00 INFO juju.cmd supercommand.go:56 running jujud [2.9.32 917a8f1033561ce28a73ff81d71da75aec6e0785 gc go1.18.3]
ERROR Get “”: x509: certificate signed by unknown authority
ERROR failed to bootstrap model: subprocess encountered error code 1

Do you know a similar workaround for this? Does the unreleased bugfix resolve this issue?

For now I am going to attempt to follow this guide to add CA certs into the trusted root of the Juju server when it is initialized.

When you run juju bootstrap, it makes a call to the MAAS API, and since MAAS presents a self-signed certificate, it fails to validate it.

Unfortunately, right now it is impossible to pass CA certs to the juju CLI, but adding the CA to a trusted root should work.

Gotcha, I was able to successfully run juju bootstrap by creating a configuration file called juju-cloud-config.yml with the following contents:

cloudinit-userdata: |
            - |

I then ran:
juju bootstrap --bootstrap-series=focal --config=juju-cloud-config.yml --constraints tags=juju maas-one maas-controller

I believe this added the certification to the juju server during the bootstrap process, which allowed it to validate with the MAAS API.

Post that helped me with this:
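
The workaround this thread settles on, handing the MAAS CA certificate to the bootstrapped machine through cloudinit-userdata, as an added example that is not part of any post above. The function name `make_juju_cloud_config`, the `ca-certs`/`trusted` layout (cloud-init's CA certificate module) and the placeholder PEM are assumptions, since the YAML posted in the thread is truncated.

```bash
#!/usr/bin/env bash
# Added example: build a Juju --config file that installs a CA certificate
# on the bootstrapped machine through cloud-init.
# Assumption: cloud-init's "ca-certs" / "trusted" keys (newer cloud-init
# releases prefer the spelling "ca_certs").

# make_juju_cloud_config PEM_FILE
# Prints the YAML on stdout. Returns 1 if the file is unreadable, holds no
# certificate, has unbalanced BEGIN/END markers, or contains a private key.
make_juju_cloud_config() {
    local pem=$1 begins ends
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }
    # A CA bundle must never carry key material onto deployed machines.
    if grep -q -- 'PRIVATE KEY-----' "$pem"; then
        echo "$pem contains a private key, refusing" >&2; return 1
    fi
    begins=$(grep -c -- '^-----BEGIN CERTIFICATE-----' "$pem" || true)
    ends=$(grep -c -- '^-----END CERTIFICATE-----' "$pem" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "$pem is not a well-formed PEM certificate bundle" >&2; return 1
    fi
    printf 'cloudinit-userdata: |\n  ca-certs:\n    trusted:\n'
    # One "- |" list item per certificate; text outside the markers is dropped.
    awk '
        /^-----BEGIN CERTIFICATE-----/ { print "      - |"; inside = 1 }
        inside                         { sub(/\r$/, ""); print "        " $0 }
        /^-----END CERTIFICATE-----/   { inside = 0 }
    ' "$pem"
}

# Demo on a constructed placeholder (not a real certificate).
demo_pem=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$demo_pem"
make_juju_cloud_config "$demo_pem"
rm -f "$demo_pem"
```

Redirect the output to juju-cloud-config.yml and pass it with --config as in the bootstrap command above; verification stays enabled and only the MAAS CA is added to the machine's trust store.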