public inbox for [email protected]  
help / color / mirror / Atom feed
Animals with old SSL may find no build required
3+ messages / 2 participants
[nested] [flat]

* Animals with old SSL may find no build required
@ 2021-10-02 07:00 Noah Misch <[email protected]>
  2021-10-02 14:45 ` Re: Animals with old SSL may find no build required Tom Lane <[email protected]>
  0 siblings, 1 reply; 3+ messages in thread

From: Noah Misch @ 2021-10-02 07:00 UTC (permalink / raw)
  To: [email protected]

If any of your buildfarm members don't get regular system updates, I recommend
checking your SSL setup with "git clone https://git.postgresql.org"; and fixing
as appropriate.

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ now
affects verification of the https://git.postgresql.org server certificate.
The part about "if clients of your API are using OpenSSL, they must use
version 1.1.0 or later" applies to the git https client.  Some git builds use
GnuTLS instead of OpenSSL.  For Debian 8 git (GnuTLS 3.3.8), it sufficed to
copy ca-bundle.crt from RHEL7 and set GIT_SSL_CAINFO.  Debian 7 git uses
GnuTLS 2.12.20-8+deb7u5, which can't even cope with the structure of the new
certificates.  Hence, I used GIT_SSL_NO_VERIFY for frogfish.  This probably
would have affected https://buildfarm.postgresql.org/cgi-bin/pgstatus.pl
access, too, but I had reverted that one to http:// some time ago.

build-farm.conf.sample defaults to git_ignore_mirror_failure=>1.  With that
setting, if a buildfarm member SSL setup breaks, the member will appear to be
functioning, but it will find no changes to test:

Sat Oct  2 04:35:22 2021: buildfarm run for frogfish:REL9_6_STABLE starting
git version 1.7.10.4 too old for automatic default branch update
frogfish:REL9_6_STABLE [04:35:23] checking out source ...
frogfish:REL9_6_STABLE [04:35:58] checking if build run needed ...
frogfish:REL9_6_STABLE [04:35:58] No build required: last status = Fri Sep 24 23:15:14 2021 GMT, current snapshot = Sat Sep 25 14:53:55 2021 GMT, changed files = 0





^ permalink  raw  reply  [nested|flat] 3+ messages in thread

* Re: Animals with old SSL may find no build required
  2021-10-02 07:00 Animals with old SSL may find no build required Noah Misch <[email protected]>
@ 2021-10-02 14:45 ` Tom Lane <[email protected]>
  2021-10-02 16:19   ` Re: Animals with old SSL may find no build required Noah Misch <[email protected]>
  0 siblings, 1 reply; 3+ messages in thread

From: Tom Lane @ 2021-10-02 14:45 UTC (permalink / raw)
  To: Noah Misch <[email protected]>; +Cc: [email protected]

Noah Misch <[email protected]> writes:
> build-farm.conf.sample defaults to git_ignore_mirror_failure=>1.  With that
> setting, if a buildfarm member SSL setup breaks, the member will appear to be
> functioning, but it will find no changes to test:

> Sat Oct  2 04:35:22 2021: buildfarm run for frogfish:REL9_6_STABLE starting
> git version 1.7.10.4 too old for automatic default branch update
> frogfish:REL9_6_STABLE [04:35:23] checking out source ...
> frogfish:REL9_6_STABLE [04:35:58] checking if build run needed ...
> frogfish:REL9_6_STABLE [04:35:58] No build required: last status = Fri Sep 24 23:15:14 2021 GMT, current snapshot = Sat Sep 25 14:53:55 2021 GMT, changed files = 0

FWIW, if you are using run_branches.pl, the failure will happen earlier.
What I am getting on prairiedog is

error getting branches of interest: 500 Can't connect to buildfarm.postgresql.org:443 (certificate verify failed) at ./run_branches.pl line 201.

I worked around it for the moment by s/https/http/g in the config file,
but I'm hoping to find where the obsolete trust store is and update it.
(I thought updating perl's Mozilla::CA would do the trick, but nope.)

			regards, tom lane





^ permalink  raw  reply  [nested|flat] 3+ messages in thread

* Re: Animals with old SSL may find no build required
  2021-10-02 07:00 Animals with old SSL may find no build required Noah Misch <[email protected]>
  2021-10-02 14:45 ` Re: Animals with old SSL may find no build required Tom Lane <[email protected]>
@ 2021-10-02 16:19   ` Noah Misch <[email protected]>
  0 siblings, 0 replies; 3+ messages in thread

From: Noah Misch @ 2021-10-02 16:19 UTC (permalink / raw)
  To: Tom Lane <[email protected]>; +Cc: [email protected]

On Sat, Oct 02, 2021 at 10:45:48AM -0400, Tom Lane wrote:
> Noah Misch <[email protected]> writes:
> > build-farm.conf.sample defaults to git_ignore_mirror_failure=>1.  With that
> > setting, if a buildfarm member SSL setup breaks, the member will appear to be
> > functioning, but it will find no changes to test:
> 
> > Sat Oct  2 04:35:22 2021: buildfarm run for frogfish:REL9_6_STABLE starting
> > git version 1.7.10.4 too old for automatic default branch update
> > frogfish:REL9_6_STABLE [04:35:23] checking out source ...
> > frogfish:REL9_6_STABLE [04:35:58] checking if build run needed ...
> > frogfish:REL9_6_STABLE [04:35:58] No build required: last status = Fri Sep 24 23:15:14 2021 GMT, current snapshot = Sat Sep 25 14:53:55 2021 GMT, changed files = 0
> 
> FWIW, if you are using run_branches.pl, the failure will happen earlier.
> What I am getting on prairiedog is
> 
> error getting branches of interest: 500 Can't connect to buildfarm.postgresql.org:443 (certificate verify failed) at ./run_branches.pl line 201.

That will indeed happen first if your config reaches pgstatus.pl via an
https:// URL (the default) and meanwhile Perl and git use the same SSL library
and certificate store.  frogfish does use run_branches.pl, but it doesn't meet
those other conditions.





^ permalink  raw  reply  [nested|flat] 3+ messages in thread


end of thread, other threads:[~2021-10-02 16:19 UTC | newest]

Thread overview: 3+ messages (download: mbox mbox.gz follow: Atom feed)
-- links below jump to the message on this page --
2021-10-02 07:00 Animals with old SSL may find no build required Noah Misch <[email protected]>
2021-10-02 14:45 ` Tom Lane <[email protected]>
2021-10-02 16:19   ` Noah Misch <[email protected]>

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox