Opened 7 years ago

Closed 7 years ago

#42727 closed defect (fixed)

Server certificate verification failed: issuer is not trusted (https://svn.macports.org

Reported by: ryandesign (Ryan Schmidt) Owned by: wsiegrist@…
Priority: Normal Milestone:
Component: server/hosting Version:
Keywords: Cc: skarulkar@…, cooljeanius (Eric Gallager)
Port:

Description

The Lion, Mountain Lion and Mavericks buildslaves are failing all builds with:

svn: OPTIONS of 'https://svn.macports.org/repository/macports/contrib/mpab': Server certificate verification failed: issuer is not trusted (https://svn.macports.org)

The Snow Leopard buildslave is still working ok.

Are the three failing buildslaves using certsync? If so, see #42718.

Change History (11)

comment:1 Changed 7 years ago by ryandesign (Ryan Schmidt)

Version: 2.2.1

comment:2 Changed 7 years ago by jmroot (Joshua Root)

Cc: skarulkar@… added

The failure is in the phase where the MPAB checkout is updated, so no, it’s not using certsync. Recall that the system svn on 10.7+ does not trust any certs (see e.g. #40383), so the cert needs to be manually trusted once.

comment:3 Changed 7 years ago by ryandesign (Ryan Schmidt)

Could a server administrator perform this step on the three affected buildslaves, please?

comment:4 Changed 7 years ago by cooljeanius (Eric Gallager)

Cc: egall@… added

Cc Me!

comment:5 Changed 7 years ago by ryandesign (Ryan Schmidt)

I believe you just need to run any svn command on the MacPorts repository URL, i.e.:

/usr/bin/svn info https://svn.macports.org/repository/macports

This will prompt you whether you want to accept the certificate:

Error validating server certificate for 'https://svn.macports.org:443':
 - The certificate is not issued by a trusted authority. Use the
   fingerprint to validate the certificate manually!
Certificate information:
 - Hostname: *.macports.org
 - Valid: from Mon, 03 Mar 2014 20:37:03 GMT until Mon, 02 Mar 2015 01:19:52 GMT
 - Issuer: GlobalSign nv-sa, BE
 - Fingerprint: e6:bd:44:a5:29:e4:ef:ef:47:92:f1:6d:80:e6:48:98:30:30:dc:0b
(R)eject, accept (t)emporarily or accept (p)ermanently?

Answer "p" to accept it permanently, and that should be it.

However, I'm not sure which user this task needs to be performed as. According to the buildbot log, the user trying to run the svn command is "buildbot", so maybe that's the user who needs to have the cert accepted:

sudo -u buildbot /usr/bin/svn info https://svn.macports.org/repository/macports

comment:6 Changed 7 years ago by ryandesign (Ryan Schmidt)

Shree responded by email:

Thanks Ryan. I ran the command on the three slaves and “accepted” the cert permanently. However, I saw some strange behavior. Not sure if this would be an issue though.

On "teneight-slave” and "tennine-slave"s the svn info runs fine when used with a “sudo”, however without sudo (user=local) it keeps prompting to take action with the new certificates, (reject, accept etc) every time you run the svn info command. Let me know what you think.

This hasn't helped yet; the buildslaves are still failing.

The previous log I referenced was for buildbase. I've just committed a port, which failed with the same message, but the log from buildports doesn't show a user, so I don't know what user it's running as.

comment:7 in reply to:  6 ; Changed 7 years ago by jmroot (Joshua Root)

Replying to ryandesign@…:

I've just committed a port, which failed with the same message, but the log from buildports doesn't show a user, so I don't know what user it's running as.

Building ports runs as root so it can add users.

Both builders are using HOME=/buildbot/ports-slave though, so I think svn will be looking there for its config. Accepting the cert permanently should create something under $HOME/.subversion/auth/.

comment:8 in reply to:  7 Changed 7 years ago by ryandesign (Ryan Schmidt)

Replying to jmr@…:

Building ports runs as root so it can add users.

Ah, of course.

Both builders are using HOME=/buildbot/ports-slave though, so I think svn will be looking there for its config. Accepting the cert permanently should create something under $HOME/.subversion/auth/.

And one should copy that something to /buildbot/ports-slave/.subversion/auth then, yeah?

comment:9 Changed 7 years ago by jmroot (Joshua Root)

The Mountain Lion slave updated OK when building ports, so apparently you did something right on that one: https://build.macports.org/builders/buildports-mtln-x86_64/builds/12750

comment:10 in reply to:  7 Changed 7 years ago by jmroot (Joshua Root)

Replying to jmr@…:

Both builders are using HOME=/buildbot/ports-slave though, so I think svn will be looking there for its config. Accepting the cert permanently should create something under $HOME/.subversion/auth/.

Sorry, I was actually wrong about this. The buildbase-* builders are using HOME=/buildbot/base-slave, while the buildports-* builders use HOME=/buildbot/ports-slave.

So the commands to run should actually be something like:

sudo -u buildbot env HOME=/buildbot/base-slave svn info https://svn.macports.org/repository/macports/
sudo env HOME=/buildbot/ports-slave svn info https://svn.macports.org/repository/macports/

comment:11 Changed 7 years ago by jmroot (Joshua Root)

Resolution: fixed
Status: newclosed
Note: See TracTickets for help on using tickets.