github actions SSL error #184
Comments
|
@michelson Thanks for the report and sorry for the inconvenience. Having the locale data available is critical and unavoidable - its the source of data that drives the whole One way to possibly avoid this is if you check the locales into your repo (the default directory where locales will be located is It looks like this is an issue on Github's side and something I can't control. On the other hand I've never see this issue reported either so I'm unlikely to be able to resolve it on my side (I will however do some googling). |
|
One other thought, since its reporting an SSL handshake error (and I really have no domain expertise in this area), is to include either |
|
Alternatively you could try explicitly updating the OS level certificates. |
|
Hi! thanks for the quick reply, I've added the {:certifi, "
How can I check the locales in the repo? I've done the following but the locales are not checked out in the repo: |
|
We ran into the same issue and apparently updating the project to OTP 25 solved it and unblocked our CI pipeline. Is this something you can consider doing? |
|
https://elixirforum.com/t/github-ci-down-is-it-working-for-you/49661 maybe there's some issue/changes on github's side? |
|
Thank you all. Upgrade to opt 25 did solve the issue. Super weird, though. |
|
Thanks for the update @michelson; I'll add some notes to the readme in case other people have this issue. |
|
We had to make this change to unclog the CI on Github. Hope this helps people. |
|
I'm experiencing this exact error when building using the official debian bullseye image for elrang 24.3.4; I'm looking for a workaround to avoid upgrading to OTP 25. From what I could gather the underlying issue could be something that the host OS is missing, some configuration that makes TLS fail. I tried from an ubuntu 20.04.3 box and had no issues. |
|
@WillRaben, I think if you add the I am working on an |
|
I have published ex_cldr version 2.33.1-rc.0 that changes HTTPS request handling slightly. In particular it applies the ERLF guidelines around cypher configuration. Based on the error message that may be the issue so any feedback would be welcome. Next step, if required, is to add an |
|
@kipcole9 By replacing With: override: true was needed because of a dependency in the package ex_cldr_territories that has {:ex_cldr, "~> 2.0"} in its mix.exs. Only outliers in the compilation (most likely because of overriding the child dependency) are two instances of warnings due to deprecation:
Upon some more testing, seems like the issue might be related to fly.io and similar providers, would be nice to know the context of @michelson 's build. I replicated a docker build locally and had no issue with httpc hitting github from a container using the official erlang 24.3.4 docker image running on ubuntu 20.04.3. Haven't found any other side effects. Will definitely let you know if something else comes up. Massive thanks for the swift reply. |
|
Hi @WillRaben, the context of the build: OTP 24 and Elixir 13 |
|
@WillRaben, using a GitHub branch as a dependencies won't actually download anything since the locales are all in the repo. To test whether this is a solution your deps should look like: def deps do
[
ex_cldr: "~> 2.33.1-rc", override: true,
...
]
endThat will then certainly show if downloading is now working on the GitHub CI platform. |
|
The deprecations most like coming from You could try: |
Ah, I see, TIL. No wonder the build got noticeably bigger. I just ran the build without the github branch and unfortunately, the error returned and it failed to compile.
Regarding ex_cldr_territories, ours is: |
|
Thanks for the update. I will implement the environment variable later today my time as an escape hatch (may take up to 18 hours for me to get to this and publish).
…Sent from my iPhone
On 21 Aug 2022, at 08:38, Will Raben ***@***.***> wrote:
@WillRaben, using a GitHub branch as a dependencies won't actually download anything since the locales are all in the repo. To test whether this is a solution your deps should look like:
def deps do
[
ex_cldr: "~> 2.33.1-rc", override: true,
...
]
end
That will then certainly show if downloading is now working on the GitHub CI platform.
Ah, I see, TIL. No wonder the build got noticeably bigger.
I just ran the build without the github branch and unfortunately, the error returned and it failed to compile.
#46 167.9 22:27:10.879 [notice] TLS :client: In state :hello_middlebox_assert at ssl_gen_statem.erl:736 generated CLIENT ALERT: Fatal - Unexpected Message
#46 167.9 - {:unexpected_msg, {:internal, {:encrypted_extensions, %{sni: {:sni, []}}}}}
#46 168.0 22:27:10.971 [error] Failed to connect to 'raw.githubusercontent.com' to download 'https://raw.githubusercontent.com/elixir-cldr/cldr/v2.33.1-rc.0/priv/cldr/locales/fr.json'
Regarding ex_cldr_territories, ours is: {:ex_cldr_territories, "~> 2.2"} so that's probably why it's still using deprecated calls, current version is 2.4. I will update and keep an eye for any warnings.
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you were mentioned.
|
|
cldr_utils version 2.19.0 now supports the environment variable Enhancements
ConfigurationTo use this option, the following configuration should be used: def deps do
[
# Make sure that 2.33.1 is resolved
# `mix deps.update ex_cldr cldr_utils` will also work
{:ex_cldr, "~> 2.33"},
{:cldr_utils, "~> 2.19"},
...
]
endHopefully this will let you get past whatever the issue is in GitHub CI until we can get to the bottom of it. |
|
@kipcole9 Thanks for staying on top this. Ok, so I've tested the CLDR_UNSAFE_HTTP approach with our umbrella app, and I am very confused by the results: In the builder(Fly.io), I am getting this logged out from mix deps.compile: But then once one of the apps that requires ex_cldr starts compiling, it looks like it tries to hit github again without going through cldr_utils. The contents of lib/core/Cldr_helper.ex dependencies listed on the app that fails to compile: Builder has: For the moment, we just got the whole repo so the build on fly.io passed, but this created a problem with gigalixir where it fails with: Could this specific failure( not using cldr_utils) be due to additional configuration needed for umbrella applications? I wonder what, if anything, is missing from that debian bullseye buildpack that the official Erlang 24 image uses, that's making peer verification fail. |
|
Would you mind running I do want to find the root cause, but first priority is to get you back running smoothly. |
|
I've temporarily added Here's the output from Looks like it's picked up correctly 2.33.1 |
|
Nothing is downloaded until your I is possible to statically include the locales in your repo so you don't have to compile from GitHub, I'll update this issue with how to do that separately (after I verify the configuration, its not that common and I haven't used it in a while!) |
|
@voltone, please accept my apologies for invoking your name but I'm struggling to even find a direction to investigate with this issue. The issue seems to be related to Ubuntu, Github Actions and some versions (not OTP 25) of the During compilation, locale data files are downloaded from GitHub itself and used to generate a lot of functions. This is the error: Error: 05:33:08.872 [error] Failed to connect to 'raw.githubusercontent.com' to download locale :pt. Reason: {:tls_alert, {:unexpected_message, 'TLS client: In state hello_middlebox_assert at ssl_gen_statem.erl:736 generated CLIENT ALERT: Fatal - Unexpected Message\n {unexpected_msg,{internal,{encrypted_extensions,\#{sni => {sni,[]}}}}}'}}If you have any guidance about understanding what this message is suggesting and where I can dig further I'd be hugely grateful.
|
Providing the actual locale files so it doesn't download seemed like the sane thing to do to me too, specially in the face of updating to OTP 25 being an easy fix (at least in our case, because we are on OTP 24.3.4, we just need to run some more tests). I just couldn't figure out what the proper folder needed to be. I tried To expand on the context of our instance of the error:
Thanks for all the help everybody, much appreciated. |
|
@WillRaben the following configuration stores the locales in a user-defined place. I would recommend you set that place to a directory that all dependent apps and all umbrella apps can point to and make sure that directory is committed as part of the repo. defmodule DemoCldrLocalesDir do
@locales_dir Path.expand(System.get_env("CLDR_LOCALES_DIR") || raise(ArgumentError, "No CLDR_LOCALES_DIR is set"))
use Cldr,
locales: ["en", "de", "fr"],
default_locale: "en",
data_dir: @locales_dir |> IO.inspect(label: "Downloaded locales are stored in"),
providers: []
end |
This may be related to erlang/otp#6037, in which case it should also have been fixed in 24.3.4.1. Alternatively, this particular scenario appears to relate to a TLS 1.3 handshake. You can limit the handshake to 1.2 by adding Hope that helps. |
|
Super helpful @voltone, thank you very much indeed. |
|
@WillRaben I have pushed this commit to restrict the TLS version to 1.2 on OTP releases < 25. Fingers crossed. Its a small library so perhaps you can try this from GitHub: def deps do
[
{:cldr_utils, github: "elixir-cldr/cldr_utils", override: true},
...
]
endLet me know if that moves us forward? |
I am happy to report that this allowed the build to complete successfully. Reduced about 280mb from the resulting image. Thanks! Would be great to hear for the github actions end of this issue, looks like it would fix things there too. As a side note, I tried the approach you suggested with the additional configuration and having the previously downloaded locales placed in /app/locales folder and it still tried to download from github. |
|
Great to hear @WillRaben, I've published cldr_utils version 2.19.1 with this fix so you are good to revert to using Hex. Closing now although I am confused as to why the configuration approach didn't work. |
|
Not sure why the configuration approach failed either. It was pretty straight forward. I changed It did pick the new config up when compiling though, because I saw the IO.inspect message reporting the folder. When I was about to dig deeper into why it wasn't working, you posted the cldr_utils hotfix that limited tls to 1.2 so I dropped the config approach. It has been working flawlessly. Thanks for all the help. |
Several users have reported issues downloading sources from GitHub with a TLS 1.3 handshake. See elixir-cldr/cldr#184 (comment)
Several users have reported issues downloading sources from GitHub with a TLS 1.3 handshake. See elixir-cldr/cldr#184 (comment)
|
I think I have a workaround. I'm in elixir 1.13 (Erlang/OTP 24) and I need ex_cldr 2.25.0. After reading this, I changed the dependency in - {:ex_cldr, "~> 2.0"},
+ {:ex_cldr, git: "https://github.com/elixir-cldr/cldr.git", tag: "v2.25.0", override: true},`So the system - git command on alpine - contacts github and not Erlang. It make my application compile. I haven't done a full non-regression test campaign yet. |
|
Since installing from GitHub will download the whole repo (which is not a small one!), including all the locales, it will work because it won't ever try to download locales from GitHub. So definitely ok as a working solution as long as you recognise the payload from GitHub is substantial! |
|
I'd also be very interested to know what requires that you use |
True ! 275MB and 3 minutes to git clone. So I made an other workaround : download the tar from github, untar and remove locales I don't need. Then the dependency become : Saved me 2:59 minutes and 250MB :-) |
Well, it seems that at some point (after 2.25 and before 2.33), the type of a locale has changed from string to atom. This is quite impactful on my code. I'll change that in a later version of my app so I can use up to date libraries. |
Apologies for making extra work for you. That was the "last" step in normalising the fields of the I didn't expect that user code would typically access the internal fields of the Please feel free to open a separate issue so we can discuss in more detail. |
|
That's very nice of you but you don't owe me any apology. Managnin dependencies is part of the job. I'm maintaing a former branch of an application for which the main branch has already the code to handle the change of type. I'm good with the fix I found. If you want more details : commit 951508d (25/01/22 05:50:37 +0800), between 2.25 and 2.26 introduced the change that breaks our code. in lib/cldr/config/config.ex#L980
- def known_number_systems_like(locale_name, number_system, config) do
+ def known_number_systems_like(locale_name, number_system, config) when is_atom(locale_name) doThe patch we made to fix it is there, (Mar 21, 2022 5:50pm GMT+0100). Cheers |
Hello there, I'm using a
cldrlibrary (ex_cldr_dates_times) which downloads some data fromraw.githubusercontent,this works on development but when I run this on Github actions I get an SSL error:here is the build with the error: https://github.com/rauversion/rauversion-phx/runs/7912634783?check_suite_focus=true
is there a way to bypass this installation?
The text was updated successfully, but these errors were encountered: