https://distfiles.macports.org requires SNI, but OS X <= 10.8 do not seem to support that

[yan12125 (Chih-Hsuan Yen)]

​https://distfiles.macports.org requires SNI: ​https://www.ssllabs.com/ssltest/analyze.html?d=distfiles.macports.org&hideResults=on

I believe that's the cause of fetch errors on OS X <= 10.8. Some failure logs:

​https://build.macports.org/builders/ports-10.6_x86_64_legacy-builder/builds/106666/steps/install-port/logs/stdio

​https://build.macports.org/builders/ports-10.7_x86_64_legacy-builder/builds/106086/steps/install-port/logs/stdio

​https://build.macports.org/builders/ports-10.8_x86_64_legacy-builder/builds/98070/steps/install-port/logs/stdio

All of them fail with:

--->  Attempting to fetch Python-3.8.0b2.tar.xz from https://distfiles.macports.org/python38-devel

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0DEBUG: Fetching distfile failed: SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

(Fetching from ​https://www.python.org/ also fails as the latter requires TLS 1.2)

Alternatively, fetching distfiles via HTTP should fix the issue, too.

[neverpanic (Clemens Lang)]

Since distfiles.macports.org is a CDN, there's probably no way to avoid the requirement for SNI.

Take a look at ​https://github.com/macports/macports-ports/blob/master/_resources/port1.0/fetch/mirror_sites.tcl#L503-L507, which decides whether to use TLS or not. Maybe the configuration of our CDN changed recently so that it now requires a higher version of TLS than before.

However, I'm not sure whether the issue is actually SNI – did you check that? I could also imagine that the root CAs shipped with the respective versions of the OSes have just expired in the meanwhile.

[yan12125 (Chih-Hsuan Yen)]

did you check that?

Nope - I don't have enough disk space to maintain old OS X VMs. SNI is just the first term that came to my head when I saw that error message.

Since distfiles.macports.org is a CDN, there's probably no way to avoid the requirement for SNI.

Maybe the configuration of our CDN changed recently so that it now requires a higher version of TLS than before.

I could also imagine that the root CAs shipped with the respective versions of the OSes have just expired in the meanwhile.

Either case is beyond the control. Maybe the only way to go is using HTTP.

Take a look at ​​https://github.com/macports/macports-ports/blob/master/_resources/port1.0/fetch/mirror_sites.tcl#L503-L507, which decides whether to use TLS or not.

Thank you for the pointer! Opened ​https://github.com/macports/macports-ports/pull/4772 to workaround that.

[yan12125 (Chih-Hsuan Yen)]

In 960507d7b9b9aa836314fea86f61b67f62bdbf25/macports-ports (master):

mirror_sites.tcl: Fetch distfiles via HTTP on 10.8 or older

For some reason(s), ​https://distfiles.macports.org no longer works
on Mac OS X <= 10.8.

Closes: #58688

[ryandesign (Ryan Carsten Schmidt)]

Please revert.

The private DNS server on the network that the buildbot machines reside on remaps distfiles.macports.org and packages.macports.org to a local server. I forgot to renew the certificates on that server, and they have expired. I just need to renew those certificates to get things working again.

[ryandesign (Ryan Carsten Schmidt)]

Replying to ryandesign:

I just need to renew those certificates to get things working again.

I have renewed the certificates.

Have the builds that failed already been rescheduled?

[yan12125 (Chih-Hsuan Yen)]

In 6c911e2be7dc68471b7874c1a6892ac256e8b2a6/macports-ports (master):

Revert "mirror_sites.tcl: Fetch distfiles via HTTP on 10.8 or older"

This reverts commit 960507d7b9b9aa836314fea86f61b67f62bdbf25.

See #58688#comment:4. The actual cause
is that certificates for internal servers are expired, which is now
fixed.

Closes: #58688

[yan12125 (Chih-Hsuan Yen)]

Replying to ryandesign:

Replying to ryandesign:

I just need to renew those certificates to get things working again.

I have renewed the certificates.

Thank you for the efforts! I've reverted the previous commit.

Have the builds that failed already been rescheduled?

I guess not. I'm not even sure how many builds are affected.

[ryandesign (Ryan Carsten Schmidt)]

Ok. I'll make a list of ports that were modified between the time the certificate expired and the time of your first commit, and I'll reschedule those builds on the 10.6-10.8 builders.

[ryandesign (Ryan Carsten Schmidt)]

Well, I didn't do this. I guess I won't get to it anymore.