Many automated builds/tests are broken with a libgit2 ECERTIFICATE error #13399
Comments
simonster
added
bug
|
We could disable certificate check, at least for METADATA packages. For |
|
Wouldn't that largely defeat the purpose of using https in the first place? It looks like we need to configure libgit2 and openssl in the nightly binaries to bundle its own working certs. |
|
If we bundle ca certs somewhere does that fix the problem? |
|
I would hope so, but not sure the best way to test that. It looks like we don't run the tests on the centos 5 binary builders right now, would first want to check if they pass the libgit2 and pkg tests locally. Then figure out how to make them self contained and work when moved to different clean machines. |
|
I also get this error when trying to install packages with nightly. julia> Pkg.add("Gadfly")
INFO: Initializing package repository ~/.julia/v0.5
INFO: Cloning METADATA from https://github.com/JuliaLang/METADATA.jl
ERROR: GitError(Code:ECERTIFICATE, Class:SSL, The SSL certificate is invalid)
[inlined code] from libgit2/error.jl:96
in clone at libgit2/repository.jl:95
in clone at libgit2.jl:303
in anonymous at pkg/dir.jl:57
in cd at file.jl:22
in init at pkg/dir.jl:55
in cd at pkg/dir.jl:28
in add at pkg.jl:27 |
|
We could require along with |
|
@wildart this is about tarball binaries. We want to avoid requiring manual installation of any packages for those. We should try including the certificates in the binary, if that can be made to work. @staticfloat little help finding out if the centos5 builders are passing the https tests locally? |
|
Looks like they pass; |
|
Great, thanks. Now where do the certs live and how do we make the tarball build see them? (Also what is the license on them?) |
|
MPL 2.0 from Mozilla, however they need to be converted to proper format. |
|
I don't think the answer here is to bundle our own On Centos5, the SSL master ca bundle is stored in On Ubuntu, on the other hand, the directory holding this kind of stuff is |
|
Is this baked into openssl, or could a build flag on libgit2 make it search more places? Do arch and opensuse and whatever other distros all use different paths for this? Is it lib64 in some cases? |
|
It's a little bit of a mess: http://gagravarr.org/writing/openssl-certs/others.shtml#ca-openssl |
|
There is a |
|
That looks good; if someone can give me an example of how I would set that option (like in this example) I can test it out and figure out what works on Ubuntu. Note that we would want to set the |
cert_file = "/cert/file/location/cacert.pem"
GIT_OPT_SET_SSL_CERT_LOCATIONS = 12
err = ccall((:git_libgit2_opts, :libgit2), Cint,
(Cint, Cstring, Ptr{Void}),
GIT_OPT_SET_SSL_CERT_LOCATIONS, cert_file, C_NULL)
err == 0 && LibGit2.clone("https://github.com/JuliaLang/Example.jl.git", "/tmp/Example")
# LibGit2.Error.last_error() # check error |
cert_path = "/usr/lib/ssl/certs"
GIT_OPT_SET_SSL_CERT_LOCATIONS = 12
err = ccall((:git_libgit2_opts, :libgit2), Cint,
(Cint, Ptr{Void}, Cstring),
GIT_OPT_SET_SSL_CERT_LOCATIONS, C_NULL, cert_path)
LibGit2.clone("https://github.com/JuliaLang/Example.jl.git", "/tmp/Example")On Ubuntu, works! In short, you're a scholar and a gentleman. |
|
Great. Little convoluted to have to hard-code these and run through them at LibGit2 module init time, but sounds worth trying. We should probably spin up a set of docker containers of different distros that we know people use Julia on and check that our list covers them all. |
|
What do you think of querying |
|
How likely are common base distros to have working certs present, but not command-line openssl? And depending how long shelling out or querying the presence of a bunch of files takes, maybe we do this on the first invocation of a Pkg command that needs it, rather than on every Julia startup? |
|
I am not sure that certificates will be present, in fresh OS installation, unless you install them explicitly. |
|
Why don't set certificate location through ENV flag and check it on Julia start up? |
Not very likely, I don't think. I have yet to login to a *nix computer that doesn't have
SSL certificate authority files are pretty fundamental to using the internet; unless you are talking about a computer that is not intended to use the internet, (in which case this issue is somewhat moot) they will have certificate files. They may be outdated or restricted but they will have them. |
|
|
Anyone willing to get Julia running on MIPS is welcome to deal with that themselves. |
|
This issue is breaking the Travis build of one of our Julia packages, too (only on the Linux build job, not OS X). Is there a workaround? |
|
@staticfloat I've just pulled master (which seemed to pull in a lot of libgit2 stuff) and rebuilt, and I'm seeing the following: Is there something I'm doing wrong -- perhaps some missing env var or dependency? Edit: I'm seeing the above issue on both Ubuntu 14.04.3 LTS, and CentOS release 6.6. |
|
I've never seen that particular error before. What system are you running on? |
|
@staticfloat Oops, just edited my comment. This is on both Ubuntu and CentOS. |
|
I just tried it out on Ubuntu 14.04 and I had no problem. Do you have |
|
SSL_shutdown error happens when there is no connection. The message is misleading because there is a bug in handling SSL connection in libgit2. It is already fixed in upstream, #3445. |
|
@staticfloat @wildart I do have the necessary libraries on both platforms. (On CentOS the package is called I tried blowing away my I'm a bit mystified, but I'll see if |
|
@staticfloat Same problem persists after a |
|
@lkuper Can you try a libgit2 |
|
@wildart Thank you for trying to help. Yes, libgit2 builds and installs for me with no problems, following the directions at https://github.com/libgit2/libgit2#building-libgit2---using-cmake . |
|
Whelp, I have this problem now, what do? Cert locationLots of certs in the mozilla directory. |
|
Source build or nightly binary? |
|
nightly binary |
|
Ok looks like the default location fix in #13429 only works when binaries are built from a centos-like system (which we do for x86 and amd64), not an ubuntu-like system (which we do for arm). I don't think we have full control over the arm buildbot, though @ViralBShah and/or @staticfloat may know more of the details. As a workaround you may be able to try setting |
|
Sure I can try that Does this need to be called once per cert or something? |
|
I tried both that function and the above for including an entire directory. Still no luck Followed by: Maybe they're actually invalid? This linux distro is older (2013) but maybe they have updated their certs? Is there a way to tell? |
|
Which distro? Some have separate ca-certificates vs ca-certificates-mozilla packages but I'm not sure how they differ. Might be worth a new issue, closed issues aren't the best place for active debugging. |
|
That's true, but I wasn't sure this was worth a new issue or if this had not already been dealt with or just "closed for now." or what. This distro is Yocto Linux, poky release. This did work: (I guess you just have to arbitrarily know which is the right file): success |
to use to point libgit2 to specific bundle of trusted CA certificates. Relates to: JuliaLang#13399, JuliaLang#15128
|
On Windows this https://stackoverflow.com/questions/48950748/julia-git-error helped me on Windows 7. Summary:
|
|
I have run the easy fix but the same error keeps coming back even if I re run julia. I am using a 64 bit machine, Windows 7 OS & running Julia 0.6.3. Julia.exe is also in the path. |
|
I have met the same problem and I run the easy fix , while it would not work |
The errors are along the lines of:
@staticfloat first pointed this out on a buildbot, but it's also happening on Travis:
https://travis-ci.org/JuliaStats/NullableArrays.jl/jobs/83049793
https://travis-ci.org/JuliaLang/JLD.jl/jobs/83031348
https://travis-ci.org/JuliaStats/PDMats.jl/jobs/83032826
The text was updated successfully, but these errors were encountered: