Last modified: 2014-09-09 20:29:35 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T64432, the corresponding Phabricator task for complete and up-to-date bug report information.
First Last Prev Next    This bug is not in your last search results.
Bug 62432 - tools: "git error: server certificate verification failed" for git.wikimedia.org on tools-login-eqiad
tools: "git error: server certificate verification failed" for git.wikimedia....
Status: RESOLVED WORKSFORME
Product: Wikimedia Labs
Classification: Unclassified
tools (Other open bugs)
unspecified
All All
: Unprioritized normal
: ---
Assigned To: Marc A. Pelletier
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2014-03-08 10:19 UTC by Krinkle
Modified: 2014-09-09 20:29 UTC (History)
4 users (show)

See Also:
Web browser: ---
Mobile Platform: ---
Assignee Huggle Beta Tester: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Krinkle 2014-03-08 10:19:09 UTC 
Fetching origin
error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none while accessing https://git.wikimedia.org/git/mediawiki/core.git/info/refs
fatal: HTTP request failed
error: Could not fetch origin
Comment 1 Tim Landscheidt 2014-03-08 15:03:59 UTC 
To reproduce:

| [tim@passepartout ~]$ for HOST in tools-{dev,login}-eqiad.wmflabs.org; do ssh "$HOST" 'git clone https://git.wikimedia.org/git/pywikibot/compat.git $(mktemp -d)'; done

| If you are having access problems, please see: https://wikitech.wikimedia.org/wiki/Access#Accessing_public_and_private_instances
| Cloning into '/tmp/tmp.sNGj8sMBod'...

| If you are having access problems, please see: https://wikitech.wikimedia.org/wiki/Access#Accessing_public_and_private_instances
| Cloning into '/tmp/tmp.e4O2n9lnBB'...
| error: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none while accessing https://git.wikimedia.org/git/pywikibot/compat.git/info/refs
| fatal: HTTP request failed
| [tim@passepartout ~]$

So tools-dev-eqiad works, tools-login-eqiad fails.  But the problem doesn't seem to lie with curl:

| [tim@passepartout ~]$ for HOST in tools-{dev,login}-eqiad.wmflabs.org; do ssh "$HOST" 'curl https://git.wikimedia.org/git/pywikibot/compat.git > /dev/null'; done

| If you are having access problems, please see: https://wikitech.wikimedia.org/wiki/Access#Accessing_public_and_private_instances
|   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
|                                  Dload  Upload   Total   Spent    Left  Speed
| 100  1389  100  1389    0     0  84243      0 --:--:-- --:--:-- --:--:--  113k

| If you are having access problems, please see: https://wikitech.wikimedia.org/wiki/Access#Accessing_public_and_private_instances
|   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
|                                  Dload  Upload   Total   Spent    Left  Speed
| 100  1389  100  1389    0     0  78147      0 --:--:-- --:--:-- --:--:-- 99214
| [tim@passepartout ~]$
Comment 2 Tim Landscheidt 2014-03-09 17:26:56 UTC 
Only difference beneath /etc/ssl is in /etc/ssl/certs/java/cacerts which shouldn't affect git clone:

| [tim@passepartout ~]$ for CMD in 'sudo find /etc/ssl -not -type d -print0 | xargs -0r sudo md5sum'; do diff -u <(ssh tools-login.eqiad.wmflabs "$CMD") <(ssh tools-dev.eqiad.wmflabs "$CMD"); done

| If you are having access problems, please see: https://wikitech.wikimedia.org/wiki/Access#Accessing_public_and_private_instances

| If you are having access problems, please see: https://wikitech.wikimedia.org/wiki/Access#Accessing_public_and_private_instances
| --- /dev/fd/63  2014-03-09 17:25:44.783519345 +0000
| +++ /dev/fd/62  2014-03-09 17:25:44.784519334 +0000
| @@ -286,7 +286,7 @@
|  c9048f79a8f1da62f89b3eeb8c493689  /etc/ssl/certs/b42ff584.0
|  8a2b0f016146ed5f78f8bdd828772803  /etc/ssl/certs/NetLock_Qualified_=Class_QA=_Root.pem
|  f130d662fbfeb1ddc4c35d2e0c67a357  /etc/ssl/certs/Camerfirma_Global_Chambersign_Root.pem
| -750061a18276cd2b4fc8debd90cd947f  /etc/ssl/certs/java/cacerts
| +321edf0746699c5ac1158632a9ad4ea3  /etc/ssl/certs/java/cacerts
|  e0a3a4ecbfc76649d2c9f4f0d2773565  /etc/ssl/certs/a2df7ad7.0
|  47efdfb0853adc341e39d422c96fb36f  /etc/ssl/certs/TC_TrustCenter__Germany__Class_2_CA.pem
|  485bce6d706a2c6ef08e0d8cfd51760d  /etc/ssl/certs/3c860d51.0
| [tim@passepartout ~]$
Comment 3 Tim Landscheidt 2014-03-09 17:29:36 UTC 
No differences in relevant packages:

| [tim@passepartout ~]$ for CMD in 'sudo dpkg -l'; do diff <(ssh tools-login.eqiad.wmflabs "$CMD") <(ssh tools-dev.eqiad.wmflabs "$CMD"); done 

| If you are having access problems, please see: https://wikitech.wikimedia.org/wiki/Access#Accessing_public_and_private_instances

| If you are having access problems, please see: https://wikitech.wikimedia.org/wiki/Access#Accessing_public_and_private_instances
| 28d27
| < ii  automake                                                    1:1.11.3-1ubuntu2                                   Tool for generating GNU Standards-compliant Makefiles
| 75d73
| < ii  dh-autoreconf                                               5ubuntu1                                            debhelper add-on to call autoreconf and clean up after the build
| 1137a1136
| > ii  nmap                                                        5.21-1.1ubuntu1                                     The Network Mapper
| 1215c1214
| < ii  python-coverage                                             3.4-1ubuntu1                                        code coverage tool for Python
| ---
| > ii  python-coverage                                             3.6-1                                               Code coverage measurement for Python
| 1382a1382
| > ii  terminatord                                                 1.0.6.0ppa2                                         Terminator daemon
| [tim@passepartout ~]$
Comment 4 Tim Landscheidt 2014-03-10 02:53:01 UTC 
Ran "strace -f", extracted the following list of filenames, and all are identical on tools-{dev,login}-eqiad:

| /etc/gai.conf
| /etc/gcrypt/fips_enabled
| /etc/gitconfig
| /etc/gnutls/pkcs11.conf
| /etc/host.conf
| /etc/hosts
| /etc/ld.so.cache
| /etc/ld.so.nohwcap
| /etc/ld.so.preload
| /etc/nsswitch.conf
| /etc/pkcs11/modules
| /etc/pkcs11/pkcs11.conf
| /etc/resolv.conf
| /etc/ssl/certs/ca-certificates.crt
| /lib/x86_64-linux-gnu/libcom_err.so.2
| /lib/x86_64-linux-gnu/libcrypt.so.1
| /lib/x86_64-linux-gnu/libc.so.6
| /lib/x86_64-linux-gnu/libdl.so.2
| /lib/x86_64-linux-gnu/libgcrypt.so.11
| /lib/x86_64-linux-gnu/libgpg-error.so.0
| /lib/x86_64-linux-gnu/libkeyutils.so.1
| /lib/x86_64-linux-gnu/libnss_dns.so.2
| /lib/x86_64-linux-gnu/libnss_files.so.2
| /lib/x86_64-linux-gnu/libpthread.so.0
| /lib/x86_64-linux-gnu/libresolv.so.2
| /lib/x86_64-linux-gnu/librt.so.1
| /lib/x86_64-linux-gnu/libz.so.1
| /proc/sys/crypto/fips_enabled
| /usr/bin/git
| /usr/lib/git-core/git-remote-https
| /usr/lib/locale/locale-archive
| /usr/lib/x86_64-linux-gnu/libasn1.so.8
| /usr/lib/x86_64-linux-gnu/libcurl-gnutls.so.4
| /usr/lib/x86_64-linux-gnu/libgnutls.so.26
| /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
| /usr/lib/x86_64-linux-gnu/libgssapi.so.3
| /usr/lib/x86_64-linux-gnu/libhcrypto.so.4
| /usr/lib/x86_64-linux-gnu/libheimbase.so.1
| /usr/lib/x86_64-linux-gnu/libheimntlm.so.0
| /usr/lib/x86_64-linux-gnu/libhx509.so.5
| /usr/lib/x86_64-linux-gnu/libidn.so.11
| /usr/lib/x86_64-linux-gnu/libk5crypto.so.3
| /usr/lib/x86_64-linux-gnu/libkrb5.so.26
| /usr/lib/x86_64-linux-gnu/libkrb5.so.3
| /usr/lib/x86_64-linux-gnu/libkrb5support.so.0
| /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2
| /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
| /usr/lib/x86_64-linux-gnu/libp11-kit.so.0
| /usr/lib/x86_64-linux-gnu/libroken.so.18
| /usr/lib/x86_64-linux-gnu/librtmp.so.0
| /usr/lib/x86_64-linux-gnu/libsasl2.so.2
| /usr/lib/x86_64-linux-gnu/libsqlite3.so.0
| /usr/lib/x86_64-linux-gnu/libtasn1.so.3
| /usr/lib/x86_64-linux-gnu/libwind.so.0
| /usr/share/git-core/templates/
| /usr/share/git-core/templates/branches
| /usr/share/git-core/templates/config
| /usr/share/git-core/templates/description
| /usr/share/git-core/templates/hooks
| /usr/share/git-core/templates/hooks/applypatch-msg.sample
| /usr/share/git-core/templates/hooks/commit-msg.sample
| /usr/share/git-core/templates/hooks/post-update.sample
| /usr/share/git-core/templates/hooks/pre-applypatch.sample
| /usr/share/git-core/templates/hooks/pre-commit.sample
| /usr/share/git-core/templates/hooks/prepare-commit-msg.sample
| /usr/share/git-core/templates/hooks/pre-rebase.sample
| /usr/share/git-core/templates/hooks/update.sample
| /usr/share/git-core/templates/info
| /usr/share/git-core/templates/info/exclude
| /usr/share/locale/en/LC_MESSAGES/git.mo
| /usr/share/locale/en_US/LC_MESSAGES/git.mo
| /usr/share/locale/en_US.utf8/LC_MESSAGES/git.mo
| /usr/share/locale/en_US.UTF-8/LC_MESSAGES/git.mo
| /usr/share/locale/en.utf8/LC_MESSAGES/git.mo
| /usr/share/locale/en.UTF-8/LC_MESSAGES/git.mo
| /usr/share/locale-langpack/en/LC_MESSAGES/git.mo
| /usr/share/locale-langpack/en_US/LC_MESSAGES/git.mo
| /usr/share/locale-langpack/en_US.utf8/LC_MESSAGES/git.mo
| /usr/share/locale-langpack/en_US.UTF-8/LC_MESSAGES/git.mo
| /usr/share/locale-langpack/en.utf8/LC_MESSAGES/git.mo
| /usr/share/locale-langpack/en.UTF-8/LC_MESSAGES/git.mo
| /usr/share/locale/locale.alias
| /var/run/nscd/socket
Comment 5 Matthew Flaschen 2014-03-27 16:58:48 UTC 
Happened on pronunciationrecording.eqiad.wmflabs too.
Comment 6 Tim Landscheidt 2014-09-09 20:29:35 UTC 
I can no longer reproduce this on tools-login or tools-dev.  I'm not aware that someone consciously fixed this, so resolving as WORKSFORME.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.

Navigation
Links