[MacPorts] #42727: Server certificate verification failed: issuer is not trusted (https://svn.macports.org
#42727: Server certificate verification failed: issuer is not trusted (https://svn.macports.org ----------------------------+------------------------- Reporter: ryandesign@… | Owner: wsiegrist@… Type: defect | Status: new Priority: Normal | Milestone: Component: server/hosting | Version: 2.2.1 Keywords: | Port: ----------------------------+------------------------- The Lion, Mountain Lion and Mavericks buildslaves are failing all builds with: {{{ svn: OPTIONS of 'https://svn.macports.org/repository/macports/contrib/mpab': Server certificate verification failed: issuer is not trusted (https://svn.macports.org) }}} The Snow Leopard buildslave is still working ok. Are the three failing buildslaves using certsync? If so, see #42718. -- Ticket URL: <https://trac.macports.org/ticket/42727> MacPorts <http://www.macports.org/> Ports system for OS X
#42727: Server certificate verification failed: issuer is not trusted (https://svn.macports.org -----------------------------+------------------------- Reporter: ryandesign@… | Owner: wsiegrist@… Type: defect | Status: new Priority: Normal | Milestone: Component: server/hosting | Version: Resolution: | Keywords: Port: | -----------------------------+------------------------- Changes (by ryandesign@…): * version: 2.2.1 => -- Ticket URL: <https://trac.macports.org/ticket/42727#comment:1> MacPorts <http://www.macports.org/> Ports system for OS X
#42727: Server certificate verification failed: issuer is not trusted (https://svn.macports.org -----------------------------+------------------------- Reporter: ryandesign@… | Owner: wsiegrist@… Type: defect | Status: new Priority: Normal | Milestone: Component: server/hosting | Version: Resolution: | Keywords: Port: | -----------------------------+------------------------- Changes (by jmr@…): * cc: skarulkar@… (added) Comment: The failure is in the phase where the MPAB checkout is updated, so no, it’s not using certsync. Recall that the system svn on 10.7+ does not trust any certs (see e.g. #40383), so the cert needs to be manually trusted once. -- Ticket URL: <https://trac.macports.org/ticket/42727#comment:2> MacPorts <http://www.macports.org/> Ports system for OS X
#42727: Server certificate verification failed: issuer is not trusted (https://svn.macports.org -----------------------------+------------------------- Reporter: ryandesign@… | Owner: wsiegrist@… Type: defect | Status: new Priority: Normal | Milestone: Component: server/hosting | Version: Resolution: | Keywords: Port: | -----------------------------+------------------------- Comment (by ryandesign@…): Could a server administrator perform this step on the three affected buildslaves, please? -- Ticket URL: <https://trac.macports.org/ticket/42727#comment:3> MacPorts <http://www.macports.org/> Ports system for OS X
#42727: Server certificate verification failed: issuer is not trusted (https://svn.macports.org -----------------------------+------------------------- Reporter: ryandesign@… | Owner: wsiegrist@… Type: defect | Status: new Priority: Normal | Milestone: Component: server/hosting | Version: Resolution: | Keywords: Port: | -----------------------------+------------------------- Comment (by ryandesign@…): I believe you just need to run any svn command on the MacPorts repository URL, i.e.: {{{ /usr/bin/svn info https://svn.macports.org/repository/macports }}} This will prompt you whether you want to accept the certificate: {{{ Error validating server certificate for 'https://svn.macports.org:443': - The certificate is not issued by a trusted authority. Use the fingerprint to validate the certificate manually! Certificate information: - Hostname: *.macports.org - Valid: from Mon, 03 Mar 2014 20:37:03 GMT until Mon, 02 Mar 2015 01:19:52 GMT - Issuer: GlobalSign nv-sa, BE - Fingerprint: e6:bd:44:a5:29:e4:ef:ef:47:92:f1:6d:80:e6:48:98:30:30:dc:0b (R)eject, accept (t)emporarily or accept (p)ermanently? }}} Answer "p" to accept it permanently, and that should be it. However, I'm not sure which user this task needs to be performed as. According to the [https://build.macports.org/builders/buildbase-lion- x86_64/builds/867/steps/svn/logs/stdio buildbot log], the user trying to run the svn command is "buildbot", so maybe that's the user who needs to have the cert accepted: {{{ sudo -u buildbot /usr/bin/svn info https://svn.macports.org/repository/macports }}} -- Ticket URL: <https://trac.macports.org/ticket/42727#comment:5> MacPorts <http://www.macports.org/> Ports system for OS X
#42727: Server certificate verification failed: issuer is not trusted (https://svn.macports.org -----------------------------+------------------------- Reporter: ryandesign@… | Owner: wsiegrist@… Type: defect | Status: new Priority: Normal | Milestone: Component: server/hosting | Version: Resolution: | Keywords: Port: | -----------------------------+------------------------- Comment (by ryandesign@…): Shree responded by email:
Thanks Ryan. I ran the command on the three slaves and “accepted” the cert permanently. However, I saw some strange behavior. Not sure if this would be an issue though.
On "teneight-slave” and "tennine-slave"s the svn info runs fine when used with a “sudo”, however without sudo (user=local) it keeps prompting to take action with the new certificates, (reject, accept etc) every time you run the svn info command. Let me know what you think.
This hasn't helped yet; the buildslaves are still failing. The previous log I referenced was for buildbase. I've just committed a port, which failed with the same message, but the [https://build.macports.org/builders/buildports-lion- x86_64/builds/18861/steps/svn/logs/stdio log from buildports] doesn't show a user, so I don't know what user it's running as. -- Ticket URL: <https://trac.macports.org/ticket/42727#comment:6> MacPorts <http://www.macports.org/> Ports system for OS X
#42727: Server certificate verification failed: issuer is not trusted (https://svn.macports.org -----------------------------+------------------------- Reporter: ryandesign@… | Owner: wsiegrist@… Type: defect | Status: new Priority: Normal | Milestone: Component: server/hosting | Version: Resolution: | Keywords: Port: | -----------------------------+------------------------- Comment (by jmr@…): Replying to [comment:6 ryandesign@…]:
I've just committed a port, which failed with the same message, but the [https://build.macports.org/builders/buildports-lion- x86_64/builds/18861/steps/svn/logs/stdio log from buildports] doesn't show a user, so I don't know what user it's running as.
Building ports runs as root so it can add users. Both builders are using `HOME=/buildbot/ports-slave` though, so I think svn will be looking there for its config. Accepting the cert permanently should create something under `$HOME/.subversion/auth/`. -- Ticket URL: <https://trac.macports.org/ticket/42727#comment:7> MacPorts <http://www.macports.org/> Ports system for OS X
#42727: Server certificate verification failed: issuer is not trusted (https://svn.macports.org -----------------------------+------------------------- Reporter: ryandesign@… | Owner: wsiegrist@… Type: defect | Status: new Priority: Normal | Milestone: Component: server/hosting | Version: Resolution: | Keywords: Port: | -----------------------------+------------------------- Comment (by ryandesign@…): Replying to [comment:7 jmr@…]:
Building ports runs as root so it can add users.
Ah, of course.
Both builders are using `HOME=/buildbot/ports-slave` though, so I think svn will be looking there for its config. Accepting the cert permanently should create something under `$HOME/.subversion/auth/`.
And one should copy that something to /buildbot/ports- slave/.subversion/auth then, yeah? -- Ticket URL: <https://trac.macports.org/ticket/42727#comment:8> MacPorts <http://www.macports.org/> Ports system for OS X
#42727: Server certificate verification failed: issuer is not trusted (https://svn.macports.org -----------------------------+------------------------- Reporter: ryandesign@… | Owner: wsiegrist@… Type: defect | Status: new Priority: Normal | Milestone: Component: server/hosting | Version: Resolution: | Keywords: Port: | -----------------------------+------------------------- Comment (by jmr@…): The Mountain Lion slave updated OK when building ports, so apparently you did something right on that one: https://build.macports.org/builders /buildports-mtln-x86_64/builds/12750 -- Ticket URL: <https://trac.macports.org/ticket/42727#comment:9> MacPorts <http://www.macports.org/> Ports system for OS X
#42727: Server certificate verification failed: issuer is not trusted (https://svn.macports.org -----------------------------+------------------------- Reporter: ryandesign@… | Owner: wsiegrist@… Type: defect | Status: new Priority: Normal | Milestone: Component: server/hosting | Version: Resolution: | Keywords: Port: | -----------------------------+------------------------- Comment (by jmr@…): Replying to [comment:7 jmr@…]:
Both builders are using `HOME=/buildbot/ports-slave` though, so I think svn will be looking there for its config. Accepting the cert permanently should create something under `$HOME/.subversion/auth/`. Sorry, I was actually wrong about this. The buildbase-* builders are using `HOME=/buildbot/base-slave`, while the buildports-* builders use `HOME=/buildbot/ports-slave`.
So the commands to run should actually be something like: {{{ sudo -u buildbot env HOME=/buildbot/base-slave svn info https://svn.macports.org/repository/macports/ sudo env HOME=/buildbot/ports-slave svn info https://svn.macports.org/repository/macports/ }}} -- Ticket URL: <https://trac.macports.org/ticket/42727#comment:10> MacPorts <http://www.macports.org/> Ports system for OS X
#42727: Server certificate verification failed: issuer is not trusted (https://svn.macports.org -----------------------------+------------------------- Reporter: ryandesign@… | Owner: wsiegrist@… Type: defect | Status: closed Priority: Normal | Milestone: Component: server/hosting | Version: Resolution: fixed | Keywords: Port: | -----------------------------+------------------------- Changes (by jmr@…): * status: new => closed * resolution: => fixed -- Ticket URL: <https://trac.macports.org/ticket/42727#comment:11> MacPorts <http://www.macports.org/> Ports system for OS X
participants (1)
-
MacPorts