pro client times out when setting an https_proxy that uses HTTPS itself

Please make this a high priority. This is tied to the purchase of a support subscription by the end of the year.

Is it possible to get someone to look into this? Customer will not sign Order Form until they know this will work. 400 servers

Status changed to 'Confirmed' because the bug affects multiple users.

bump

We're hitting this upstream bug[1], it seems python modules(urllib, urllib3, requests) do not support to tunnel one TLS connection through another TLS connection.

and HTTP CONNECT was designed on HTTP, so not sure if HTTP CONNECT can work well over HTTPS as well.

One workaround is to use an HTTP proxy instead of HTTPS proxy, since HTTPS is encrypted end-to-end, the HTTPS traffic over HTTP TUNNEL is also secure.

[1] https://bugs.python.org/issue29610

Hi David,
Due to the shutdown phase this got no responses yet, sorry.
There will be more people looking after it later.

But until then as a start of the discussion the settings of proxies is done slightly different to what you've reported. As [1] shows, or better the recently improved proxy docs [2] that can be seen here already [3] - you need key=value to set config values.

In addition you said "times out and fails", but could you show what exactly happens?
You usually get meaningful error messages which might help in this case.
Either to clarify the problem or to identify a case that needs a better error message.
Example
$ sudo pro config set http_proxy=http://host:port
"http://host:port" is not a valid url. Not setting as proxy.
$ sudo pro config set http_proxy=http://foo.bar:3128
"http://foo.bar:3128" is not working. Not setting as proxy.

Using a working real proxy I was able to set this just fine for me, example:
$ sudo pro config set http_proxy=http://squid.internal:3128
Setting snap proxy
Setting Livepatch proxy
$ sudo pro config set https_proxy=https://squid.internal:3128
Setting snap proxy
Setting Livepatch proxy

So could you please retest this command as documented and shown here and then report back the full output and behavior.

P.S. Thanks Hua Zhang, I have indeed seen that problem in other cases (not related to pro) and it was a valid workaround there. Not sure yet if it is here, I want to understand the original problem better to conclude.

Setting to incomplete until details are clarified.

[1]: https://canonical-ubuntu-advantage-client.readthedocs-hosted.com/en/latest/howtoguides/configure_proxies.html
[2]: https://github.com/canonical/ubuntu-advantage-client/commit/508db0f80664cb9dca78d7ea63e5736c004dc67f
[3]: https://github.com/canonical/ubuntu-advantage-client/blob/main/docs/howtoguides/configure_proxies.md

I've got access to the commands used and have got the answers I wanted, updating the description ...

Hi,
we'd like to gather some more info to properly prioritize this.
As far as it is analyzed by the team behind the pro tool - and gladly Hua Zhang came to the same conclusion in comment #5 - it is due to the python libs that do not support tls over tls-proxy.

From the experiments that we have done, we might be able to use urllib3 (and there is even some different between the package and pypi) instead of urllib, but even that only has that support back to Bionic. For Xenial (these tools are meant to work the same everywhere) there needs to be a different solution.
But then, we don't know all about the setup used - so mileage might vary.
AFAIU Hua Zhang he found none of the libs working for his setup.

Given that the solution seems messy and that there is a workaround provided we'd like to ask the if the workaround provided using an http proxy for https work for you?
If not, why not?
You said this is happening on a proxy where TLS terminated. So if you are terminating it there anyway at least some possible arguments against using http to connect to the proxy should be non-critical as well.

To re-state, for the example reported in the bug, that workaround would use:
  $ pro config set https_proxy=http://foo:<email address hidden>:443

And furthermore for testing, if you are using squid or something else in the Ubuntu Archive.
Would someone mind summarizing the configuration so this case can be reproduced outside of your environment?

Especially in terms of terminology I'd ask everyone to refer to a case described in [1] and use the terms used there. Use it for what you currently use as well as for what you want to achieve.
Only then we all really talk about the same thing.

Only then we can properly decide if:
1. That is an edge/unwanted use case or something very common and reasonable
2. Properly test whatever solution we ever come up with

Until then this can only be a whishlist item.

P.S. @Hua Zhang
1. I've heard that you had some success with curl [2] and derived from that pycurl.
I've checked and pycurl is in main at least. But again - considering back to xenial only at 7.43.0-1ubuntu1 - and being a wrapper around libcurl that also has isn't recent enough as curl itself is at 7.47.0-1ubuntu2 but it needs 7.52.
2. You have tested this, so do you happen to know what kind exactly the proxy is set up and maybe how it could be reproduced with in-archive components? If so we'd be happy if you could summarize that here.

[1]: https://wiki.squid-cache.org/Features/HTTPS.html
[2]: https://curl.se/libcurl/c/CURLOPT_PROXY.html

Due to confusion that came up in chat, let me document some clarifications

What was tried:
  $ pro config set https_proxy=https://foo:<email address hidden>:443
What should be tried:
  $ pro config set https_proxy=http://foo:<email address hidden>:443
Mind the lack of "s" in the second case on the right side.

Furthermore this is already an uncommon setup.
Port 443 is https itself, a proxy usually resides on :3128.

And just to re-iterate - please try to answer all the questions I had and not just one of them.
Especially on the usual "does it work? why not?" do not just reply "no".
Have seen it too often, want to prevent it before it happens :-)

Adding to the background, the customer has business and technical reasons for the use of an HTTPS-based proxy for HTTPS URLs:

1) All communication that we leverage needs to be encrypted, and secured in any meaningful way necessary. A plain HTTP proxy would expose target URLs and proxy credentials.

2) The proxy aggregates traffic from multiple customers of their products and services, avoiding the need for each customer to manage their own whitelists.

3) Attempting to address this by squid config is not possible, as the TLS termination here is on a load balancer in front of the squid proxy. Squid is unaware that the initial proxy connection used TLS.

For those reasons, the workaround of using a plain HTTP-based proxy is not possible, nor is direct use of HTTPS to target URLs.

Thanks,
Dave
Canonical Support

Hey @paelzer, reply to your comment #8

I created an HTTPS-based proxy for testing using the following methods.

openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -out ca.crt -keyout ca.key -subj "/C=CN/ST=BJ/O=STS/CN=CA"
DOMAIN=quqi.com
openssl genrsa -out $DOMAIN.key
openssl req -new -key $DOMAIN.key -out $DOMAIN.csr -subj "/C=CN/ST=BJ/O=STS/CN=$DOMAIN"
openssl x509 -req -in $DOMAIN.csr -out $DOMAIN.crt -sha256 -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650

sudo apt-get install openssl libssl-dev ssl-cert squid-openssl -y

$ cat /etc/squid/squid.conf
#htpasswd -c /etc/squid/passwd quqi99
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwd
acl auth_user proxy_auth REQUIRED
http_access allow auth_user
http_access allow all
via off
forwarded_for delete
http_port 127.0.0.1:3128
https_port 127.0.0.1:3129 cert=/etc/squid/cert/quqi.com.crt key=/etc/squid/cert/quqi.com.key

Of course, the customer did not use squid to create an HTTPS-based proxy, they just used an HTTP-based proxy, but they have TLS terminated NLB in front of squid, so the traffic getting to the actual squid instance is unencrypted between the NLB and the ec2 instance. I don't spend time researching how NLB is set up, because whether it has NLB or not, it's an HTTPS-based proxy, so I just used squid for a quick HTTPS-based proxy testing env.

Then we can easily reproduce the problem with urllib, urllib3, requests, nodejs and java

1, urllib version - https://paste.ubuntu.com/p/WPkBKwKKVX/
2, urllib3 version - https://paste.ubuntu.com/p/Pjxq7h8pJ9/
   urllib3 version throws ProxySchemeUnsupported, ProxySchemeUnsupported means tls-over-tls is not supported.
3, requests version - https://paste.ubuntu.com/p/82zMNjdtz7/
   requests version throws ProxySchemeUnsupported as well, TLS in TLS requires support for the 'ssl' module
4, I also tried nodejs and java versions, they don't work, but I don't record test program

However, using curl always works, eg:

1, test http port 3128, it works

$ curl -x http://quqi99:password@127.0.0.1:3128 https://api.snapcraft.io
snapcraft.io store API service - Copyright 2018-2022 Canonical.

2, test https port 3129, it works as well

$ curl --resolve quqi.com:3129:127.0.0.1 --proxy-cacert /etc/squid/cert/ca.crt -x https://quqi99:<email address hidden>:3129 https://api.snapcraft.io
snapcraft.io store API service - Copyright 2018-2022 Canonical.

so then I tested pycurl, and it worked well as well - https://paste.ubuntu.com/p/j6TPBwSC69/

then I found an upstream bug[1]. Normally, the client will use HTTP CONNECT to set up HTTP TUNNEL between the client and proxy, then the proxy set up TCP TUNNEL between the proxy and target, and the tls/https traffic from the client to target will go through these two TUNNELS(HTTP TUNNEL + TCP TUNNEL). but now it seems all python modules(urllib, urllib3, requests) do not support to tunnel one tls/https connection through another tls/https connection. curl doesn't use the python SSL module, the SSL module it is using may support tls-over-tls feature so it works, and curl supports tls over tls since 7.52.0 according to the page - https://curl.se/libcurl/c/CURLOPT_PROXY.html

That's all my f...

So it looks like ssl.SSLContext.wrap_socket() in python is causing the issue?

Bug report: https://bugs.python.org/issue29394

Suggestion is to use: ssl.SSLContext.wrap_bio()

My be more than just changing out a method call. What do you guys think on fixing or possible workaround?

Hey @johnfuqua, I try bio version, it doesn't work as well.

I borrow a piece of a bio code from [2], here's my complete bio test code [1].

Although my bio test did not succeed, I still believe that's because python's wrap_socket doesn't support tls-over-tls, so the idea in my mind is:

1, need to bypass wrap_socket and implement another wrap method (eg: wrap_ssl_socket) with openssl to be able to wrap ssl_socket instead of non-ssl socket, this seems very difficult.

2, or use a third-party solution, eg: pycurl, I'm not sure whether more third-party python libraries have implemented tls-over-tls feature.

[1] https://paste.ubuntu.com/p/NTqWKWGphj/plain/
[2] https://raw.githubusercontent.com/python-trio/trio/master/notes-to-self/ssl-handshake/ssl-handshake.py

Hey, we think this is not a bug unless you consider it a bug in urllib.
For the pro client this is a feature request.

We are currently planning, evaluating options and outlining details to hopefully be able to commit to work on it next cycle (23.10), but this will take time so I wanted to make you aware.

If there are further insights or suggestions from SEG or Field we are happy to know and invited Hua, John and David to the specification of that feature.

I found this page [1], and it said tlslite-ng had implemented tls-over-tls feature, I tested it and it did work. So maybe we can use it in ubuntu-advantage-client for a combination of https proxy and https target.

$ python3 tlsliteclient.py
HTTP/1.0 200 Connection Established
HTTP/1.1 200 OK
server: gunicorn/20.0.4
date: Fri, 13 Jan 2023 07:28:59 GMT
content-type: text/html; charset=utf-8
content-length: 64
snap-store-version: 52
x-view-name: snapdevicegw.webapi.root
x-vcs-revision: bf69cb87
x-request-id: 0AAC4128E3420A8325F301BB63C1083B15A0F9BD

$ cat tlsliteclient.py
#!/usr/bin/env python
# coding=utf-8
import tlslite, ssl, socket
sock = tlslite.TLSConnection(socket.create_connection(('127.0.0.1', 7070)))
sock.handshakeClientCert()
sock.sendall(bytes('CONNECT api.snapcraft.io:443 HTTP/1.1\r\nHost: api.snapcraft.io:443\r\n\r\n', 'ascii'))
print(sock.recv(1024).decode());
conn = tlslite.TLSConnection(sock)
conn.handshakeClientCert()
conn.sendall(b'GET / HTTP/1.1\r\nHost: api.snapcraft.io\r\n\r\n')
print(conn.recv(1024).decode())

[1] https://github.com/urllib3/urllib3/pull/1121#issuecomment-281686973

This bug was fixed in the package ubuntu-advantage-tools - 29

---------------
ubuntu-advantage-tools (29) mantic; urgency=medium

  * d/control:
    - update links for the project github page
  * d/copyright:
    - bump date to 2023
    - update upstream-name and source
  * d/ubuntu-advantage-tools.{postinst,postrm}:
    - rename repo GPG keys from -advantage to -pro (GH: #1539)
    - replace calls to systemctl for deb-systemd-invoke
  * d/README.source:
    - add file with basic explanation on the source code (GH: #2463)
  * New upstream release 29 (LP: #2029144)
    - anbox-cloud: add support for service
    - api
      + new endpoint: u.pro.security.fix.plan.cve.v1
      + new endpoint: u.pro.security.fix.plan.usn.v1
      + new endpoint: u.apt_news.current_news.v1
      + add more data explaining the decision made for
        u.pro.security.status.reboot_required.v1 endpoint
    - contract:
      + send activityInfo after cli attach, enable and disable
      + start recording when the machine has attached to a Pro subscription
      + more reliable detection when running on a docker container
    - esm: create static files to pin packages from esm-infra and esm-apps with
      higher priority (GH: #2580)
    - fix: ignore non-USN items on related usns
    - landscape: add support for the service
    - logging: update to ubuntupro logging namespace
    - proxy: add support for TLS-in-TLS proxy (LP: #1999909)
    - snapd: look for the snapd package instead of the snap command
    - system: try/except logic to remove files and folders (LP: #2025731)

 -- Lucas Moura <email address hidden> Mon, 31 Jul 2023 15:46:23 +0000

Hello David, or anyone else affected,

Accepted ubuntu-advantage-tools into lunar-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/29.3~23.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-lunar to verification-done-lunar. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-lunar. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello David, or anyone else affected,

Accepted ubuntu-advantage-tools into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/29.3~22.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello David, or anyone else affected,

Accepted ubuntu-advantage-tools into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/29.3~20.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello David, or anyone else affected,

Accepted ubuntu-advantage-tools into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/29.3~18.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello David, or anyone else affected,

Accepted ubuntu-advantage-tools into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/29.3~16.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello David, or anyone else affected,

Accepted ubuntu-advantage-tools into lunar-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/29.4~23.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-lunar to verification-done-lunar. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-lunar. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello David, or anyone else affected,

Accepted ubuntu-advantage-tools into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/29.4~22.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello David, or anyone else affected,

Accepted ubuntu-advantage-tools into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/29.4~20.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello David, or anyone else affected,

Accepted ubuntu-advantage-tools into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/29.4~18.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Hello David, or anyone else affected,

Accepted ubuntu-advantage-tools into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ubuntu-advantage-tools/29.4~16.04 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

We have run the full ubuntu-advantage-tools integration test suite against the version in -proposed. The results are attached (Please look for the "Support HTTPS-in-HTTPS proxies" test scenario).

You can verify the correct version was used by checking the output of the first test in each file, which prints the version number as well as the output of `apt-cache policy ubuntu-advantage-tools`.

I am marking the verification done for this SRU.

This bug was fixed in the package ubuntu-advantage-tools - 29.4~23.04

---------------
ubuntu-advantage-tools (29.4~23.04) lunar; urgency=medium

  * Backport new upstream release: (LP: #2029144) to lunar

ubuntu-advantage-tools (29.4) mantic; urgency=medium

  * esm: remove static config file that pin packages from esm-infra
    and esm-apps

ubuntu-advantage-tools (29.3) mantic; urgency=medium

  * api: fix circular import that prevents enabled_services
    endpoint from being imported

ubuntu-advantage-tools (29.2) mantic; urgency=medium

  * d/ubuntu-advantage-tools.postinst:
    - replace deb-systemd-invoke back to systemctl
  * proxy: alert user if ca-certificates is not installed when using
    a TLS-in-TLS proxy

ubuntu-advantage-tools (29.1) mantic; urgency=medium

  * anbox: allow enabling service on container using the --access-only flag

ubuntu-advantage-tools (29) mantic; urgency=medium

  * d/control:
    - update links for the project github page
  * d/copyright:
    - bump date to 2023
    - update upstream-name and source
  * d/ubuntu-advantage-tools.{postinst,postrm}:
    - rename repo GPG keys from -advantage to -pro (GH: #1539)
    - replace calls to systemctl for deb-systemd-invoke
  * d/README.source:
    - add file with basic explanation on the source code (GH: #2463)
  * New upstream release 29 (LP: #2029144)
    - anbox-cloud: add support for service
    - api
      + new endpoint: u.pro.security.fix.plan.cve.v1
      + new endpoint: u.pro.security.fix.plan.usn.v1
      + new endpoint: u.apt_news.current_news.v1
      + add more data explaining the decision made for
        u.pro.security.status.reboot_required.v1 endpoint
    - contract:
      + send activityInfo after cli attach, enable and disable
      + start recording when the machine has attached to a Pro subscription
      + more reliable detection when running on a docker container
    - esm: create static files to pin packages from esm-infra and esm-apps with
      higher priority (GH: #2580)
    - fix: ignore non-USN items on related usns
    - landscape: add support for the service
    - logging: update to ubuntupro logging namespace
    - proxy: add support for TLS-in-TLS proxy (LP: #1999909)
    - snapd: look for the snapd package instead of the snap command
    - system: try/except logic to remove files and folders (LP: #2025731)

 -- Lucas Moura <email address hidden> Mon, 11 Sep 2023 12:28:34 -0300

The verification of the Stable Release Update for ubuntu-advantage-tools has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

This bug was fixed in the package ubuntu-advantage-tools - 29.4~22.04

---------------
ubuntu-advantage-tools (29.4~22.04) jammy; urgency=medium

  * Backport new upstream release: (LP: #2029144) to jammy

ubuntu-advantage-tools (29.4) mantic; urgency=medium

  * esm: remove static config file that pin packages from esm-infra
    and esm-apps

ubuntu-advantage-tools (29.3) mantic; urgency=medium

  * api: fix circular import that prevents enabled_services
    endpoint from being imported

ubuntu-advantage-tools (29.2) mantic; urgency=medium

  * d/ubuntu-advantage-tools.postinst:
    - replace deb-systemd-invoke back to systemctl
  * proxy: alert user if ca-certificates is not installed when using
    a TLS-in-TLS proxy

ubuntu-advantage-tools (29.1) mantic; urgency=medium

  * anbox: allow enabling service on container using the --access-only flag

ubuntu-advantage-tools (29) mantic; urgency=medium

  * d/control:
    - update links for the project github page
  * d/copyright:
    - bump date to 2023
    - update upstream-name and source
  * d/ubuntu-advantage-tools.{postinst,postrm}:
    - rename repo GPG keys from -advantage to -pro (GH: #1539)
    - replace calls to systemctl for deb-systemd-invoke
  * d/README.source:
    - add file with basic explanation on the source code (GH: #2463)
  * New upstream release 29 (LP: #2029144)
    - anbox-cloud: add support for service
    - api
      + new endpoint: u.pro.security.fix.plan.cve.v1
      + new endpoint: u.pro.security.fix.plan.usn.v1
      + new endpoint: u.apt_news.current_news.v1
      + add more data explaining the decision made for
        u.pro.security.status.reboot_required.v1 endpoint
    - contract:
      + send activityInfo after cli attach, enable and disable
      + start recording when the machine has attached to a Pro subscription
      + more reliable detection when running on a docker container
    - esm: create static files to pin packages from esm-infra and esm-apps with
      higher priority (GH: #2580)
    - fix: ignore non-USN items on related usns
    - landscape: add support for the service
    - logging: update to ubuntupro logging namespace
    - proxy: add support for TLS-in-TLS proxy (LP: #1999909)
    - snapd: look for the snapd package instead of the snap command
    - system: try/except logic to remove files and folders (LP: #2025731)

 -- Lucas Moura <email address hidden> Mon, 11 Sep 2023 12:28:29 -0300

This bug was fixed in the package ubuntu-advantage-tools - 29.4~20.04

---------------
ubuntu-advantage-tools (29.4~20.04) focal; urgency=medium

  * Backport new upstream release: (LP: #2029144) to focal

ubuntu-advantage-tools (29.4) mantic; urgency=medium

  * esm: remove static config file that pin packages from esm-infra
    and esm-apps

ubuntu-advantage-tools (29.3) mantic; urgency=medium

  * api: fix circular import that prevents enabled_services
    endpoint from being imported

ubuntu-advantage-tools (29.2) mantic; urgency=medium

  * d/ubuntu-advantage-tools.postinst:
    - replace deb-systemd-invoke back to systemctl
  * proxy: alert user if ca-certificates is not installed when using
    a TLS-in-TLS proxy

ubuntu-advantage-tools (29.1) mantic; urgency=medium

  * anbox: allow enabling service on container using the --access-only flag

ubuntu-advantage-tools (29) mantic; urgency=medium

  * d/control:
    - update links for the project github page
  * d/copyright:
    - bump date to 2023
    - update upstream-name and source
  * d/ubuntu-advantage-tools.{postinst,postrm}:
    - rename repo GPG keys from -advantage to -pro (GH: #1539)
    - replace calls to systemctl for deb-systemd-invoke
  * d/README.source:
    - add file with basic explanation on the source code (GH: #2463)
  * New upstream release 29 (LP: #2029144)
    - anbox-cloud: add support for service
    - api
      + new endpoint: u.pro.security.fix.plan.cve.v1
      + new endpoint: u.pro.security.fix.plan.usn.v1
      + new endpoint: u.apt_news.current_news.v1
      + add more data explaining the decision made for
        u.pro.security.status.reboot_required.v1 endpoint
    - contract:
      + send activityInfo after cli attach, enable and disable
      + start recording when the machine has attached to a Pro subscription
      + more reliable detection when running on a docker container
    - esm: create static files to pin packages from esm-infra and esm-apps with
      higher priority (GH: #2580)
    - fix: ignore non-USN items on related usns
    - landscape: add support for the service
    - logging: update to ubuntupro logging namespace
    - proxy: add support for TLS-in-TLS proxy (LP: #1999909)
    - snapd: look for the snapd package instead of the snap command
    - system: try/except logic to remove files and folders (LP: #2025731)

 -- Lucas Moura <email address hidden> Mon, 11 Sep 2023 12:28:24 -0300

This bug was fixed in the package ubuntu-advantage-tools - 29.4~18.04

---------------
ubuntu-advantage-tools (29.4~18.04) bionic; urgency=medium

  * Backport new upstream release: (LP: #2029144) to bionic

ubuntu-advantage-tools (29.4) mantic; urgency=medium

  * esm: remove static config file that pin packages from esm-infra
    and esm-apps

ubuntu-advantage-tools (29.3) mantic; urgency=medium

  * api: fix circular import that prevents enabled_services
    endpoint from being imported

ubuntu-advantage-tools (29.2) mantic; urgency=medium

  * d/ubuntu-advantage-tools.postinst:
    - replace deb-systemd-invoke back to systemctl
  * proxy: alert user if ca-certificates is not installed when using
    a TLS-in-TLS proxy

ubuntu-advantage-tools (29.1) mantic; urgency=medium

  * anbox: allow enabling service on container using the --access-only flag

ubuntu-advantage-tools (29) mantic; urgency=medium

  * d/control:
    - update links for the project github page
  * d/copyright:
    - bump date to 2023
    - update upstream-name and source
  * d/ubuntu-advantage-tools.{postinst,postrm}:
    - rename repo GPG keys from -advantage to -pro (GH: #1539)
    - replace calls to systemctl for deb-systemd-invoke
  * d/README.source:
    - add file with basic explanation on the source code (GH: #2463)
  * New upstream release 29 (LP: #2029144)
    - anbox-cloud: add support for service
    - api
      + new endpoint: u.pro.security.fix.plan.cve.v1
      + new endpoint: u.pro.security.fix.plan.usn.v1
      + new endpoint: u.apt_news.current_news.v1
      + add more data explaining the decision made for
        u.pro.security.status.reboot_required.v1 endpoint
    - contract:
      + send activityInfo after cli attach, enable and disable
      + start recording when the machine has attached to a Pro subscription
      + more reliable detection when running on a docker container
    - esm: create static files to pin packages from esm-infra and esm-apps with
      higher priority (GH: #2580)
    - fix: ignore non-USN items on related usns
    - landscape: add support for the service
    - logging: update to ubuntupro logging namespace
    - proxy: add support for TLS-in-TLS proxy (LP: #1999909)
    - snapd: look for the snapd package instead of the snap command
    - system: try/except logic to remove files and folders (LP: #2025731)

 -- Lucas Moura <email address hidden> Mon, 11 Sep 2023 12:28:19 -0300

This bug was fixed in the package ubuntu-advantage-tools - 29.4~16.04

---------------
ubuntu-advantage-tools (29.4~16.04) xenial; urgency=medium

  * Backport new upstream release: (LP: #2029144) to xenial

ubuntu-advantage-tools (29.4) mantic; urgency=medium

  * esm: remove static config file that pin packages from esm-infra
    and esm-apps

ubuntu-advantage-tools (29.3) mantic; urgency=medium

  * api: fix circular import that prevents enabled_services
    endpoint from being imported

ubuntu-advantage-tools (29.2) mantic; urgency=medium

  * d/ubuntu-advantage-tools.postinst:
    - replace deb-systemd-invoke back to systemctl
  * proxy: alert user if ca-certificates is not installed when using
    a TLS-in-TLS proxy

ubuntu-advantage-tools (29.1) mantic; urgency=medium

  * anbox: allow enabling service on container using the --access-only flag

ubuntu-advantage-tools (29) mantic; urgency=medium

  * d/control:
    - update links for the project github page
  * d/copyright:
    - bump date to 2023
    - update upstream-name and source
  * d/ubuntu-advantage-tools.{postinst,postrm}:
    - rename repo GPG keys from -advantage to -pro (GH: #1539)
    - replace calls to systemctl for deb-systemd-invoke
  * d/README.source:
    - add file with basic explanation on the source code (GH: #2463)
  * New upstream release 29 (LP: #2029144)
    - anbox-cloud: add support for service
    - api
      + new endpoint: u.pro.security.fix.plan.cve.v1
      + new endpoint: u.pro.security.fix.plan.usn.v1
      + new endpoint: u.apt_news.current_news.v1
      + add more data explaining the decision made for
        u.pro.security.status.reboot_required.v1 endpoint
    - contract:
      + send activityInfo after cli attach, enable and disable
      + start recording when the machine has attached to a Pro subscription
      + more reliable detection when running on a docker container
    - esm: create static files to pin packages from esm-infra and esm-apps with
      higher priority (GH: #2580)
    - fix: ignore non-USN items on related usns
    - landscape: add support for the service
    - logging: update to ubuntupro logging namespace
    - proxy: add support for TLS-in-TLS proxy (LP: #1999909)
    - snapd: look for the snapd package instead of the snap command
    - system: try/except logic to remove files and folders (LP: #2025731)

 -- Lucas Moura <email address hidden> Mon, 11 Sep 2023 12:28:13 -0300