Opened 10 years ago
Closed 10 years ago
#42727 closed defect (fixed)
Server certificate verification failed: issuer is not trusted (https://svn.macports.org
| Reported by: | ryandesign (Ryan Carsten Schmidt) | Owned by: | wsiegrist@… |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | server/hosting | Version: | |
| Keywords: | Cc: | skarulkar@…, cooljeanius (Eric Gallager) | |
| Port: |
Description
The Lion, Mountain Lion and Mavericks buildslaves are failing all builds with:
svn: OPTIONS of 'https://svn.macports.org/repository/macports/contrib/mpab': Server certificate verification failed: issuer is not trusted (https://svn.macports.org)
The Snow Leopard buildslave is still working ok.
Are the three failing buildslaves using certsync? If so, see #42718.
Change History (11)
comment:1 Changed 10 years ago by ryandesign (Ryan Carsten Schmidt)
| Version: | 2.2.1 |
|---|
comment:2 Changed 10 years ago by jmroot (Joshua Root)
| Cc: | skarulkar@… added |
|---|
comment:3 Changed 10 years ago by ryandesign (Ryan Carsten Schmidt)
Could a server administrator perform this step on the three affected buildslaves, please?
comment:5 Changed 10 years ago by ryandesign (Ryan Carsten Schmidt)
I believe you just need to run any svn command on the MacPorts repository URL, i.e.:
/usr/bin/svn info https://svn.macports.org/repository/macports
This will prompt you whether you want to accept the certificate:
Error validating server certificate for 'https://svn.macports.org:443': - The certificate is not issued by a trusted authority. Use the fingerprint to validate the certificate manually! Certificate information: - Hostname: *.macports.org - Valid: from Mon, 03 Mar 2014 20:37:03 GMT until Mon, 02 Mar 2015 01:19:52 GMT - Issuer: GlobalSign nv-sa, BE - Fingerprint: e6:bd:44:a5:29:e4:ef:ef:47:92:f1:6d:80:e6:48:98:30:30:dc:0b (R)eject, accept (t)emporarily or accept (p)ermanently?
Answer "p" to accept it permanently, and that should be it.
However, I'm not sure which user this task needs to be performed as. According to the buildbot log, the user trying to run the svn command is "buildbot", so maybe that's the user who needs to have the cert accepted:
sudo -u buildbot /usr/bin/svn info https://svn.macports.org/repository/macports
comment:6 follow-up: 7 Changed 10 years ago by ryandesign (Ryan Carsten Schmidt)
Shree responded by email:
Thanks Ryan. I ran the command on the three slaves and “accepted” the cert permanently. However, I saw some strange behavior. Not sure if this would be an issue though.
On "teneight-slave” and "tennine-slave"s the svn info runs fine when used with a “sudo”, however without sudo (user=local) it keeps prompting to take action with the new certificates, (reject, accept etc) every time you run the svn info command. Let me know what you think.
This hasn't helped yet; the buildslaves are still failing.
The previous log I referenced was for buildbase. I've just committed a port, which failed with the same message, but the log from buildports doesn't show a user, so I don't know what user it's running as.
comment:7 follow-ups: 8 10 Changed 10 years ago by jmroot (Joshua Root)
Replying to ryandesign@…:
I've just committed a port, which failed with the same message, but the log from buildports doesn't show a user, so I don't know what user it's running as.
Building ports runs as root so it can add users.
Both builders are using HOME=/buildbot/ports-slave though, so I think svn will be looking there for its config. Accepting the cert permanently should create something under $HOME/.subversion/auth/.
comment:8 Changed 10 years ago by ryandesign (Ryan Carsten Schmidt)
Replying to jmr@…:
Building ports runs as root so it can add users.
Ah, of course.
Both builders are using
HOME=/buildbot/ports-slavethough, so I think svn will be looking there for its config. Accepting the cert permanently should create something under$HOME/.subversion/auth/.
And one should copy that something to /buildbot/ports-slave/.subversion/auth then, yeah?
comment:9 Changed 10 years ago by jmroot (Joshua Root)
The Mountain Lion slave updated OK when building ports, so apparently you did something right on that one: https://build.macports.org/builders/buildports-mtln-x86_64/builds/12750
comment:10 Changed 10 years ago by jmroot (Joshua Root)
Replying to jmr@…:
Both builders are using
HOME=/buildbot/ports-slavethough, so I think svn will be looking there for its config. Accepting the cert permanently should create something under$HOME/.subversion/auth/.
Sorry, I was actually wrong about this. The buildbase-* builders are using HOME=/buildbot/base-slave, while the buildports-* builders use HOME=/buildbot/ports-slave.
So the commands to run should actually be something like:
sudo -u buildbot env HOME=/buildbot/base-slave svn info https://svn.macports.org/repository/macports/ sudo env HOME=/buildbot/ports-slave svn info https://svn.macports.org/repository/macports/
comment:11 Changed 10 years ago by jmroot (Joshua Root)
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
The failure is in the phase where the MPAB checkout is updated, so no, it’s not using certsync. Recall that the system svn on 10.7+ does not trust any certs (see e.g. #40383), so the cert needs to be manually trusted once.