[llvm-dev] Unable to access Phabricator via arcanist


Chris Tetreault via llvm-dev

Sep 30, 2021, 12:40:09 PM
to llvm...@lists.llvm.org

I’m having issues using arcanist to access Phabricator this morning. I tried commands from two different machines that worked yesterday, and I’m getting certificate issues:

 

(from a windows machine, worked yesterday)

$ arc diff

Exception

[cURL/60] (https://reviews.llvm.org/api/user.whoami) <CURLE_SSL_CACERT> There was an error verifying the SSL connection. This usually indicates that the remote host has an SSL certificate for a different domain name than you are connecting with. Make sure the certificate you have installed is signed for the correct domain.

(Run with `--trace` for a full exception trace.)

 

(from a linux machine, worked recently)

$ arc patch D110747

Exception

[cURL/60] (https://reviews.llvm.org/api/differential.querydiffs) <CURLE_SSL_CACERT> There was an error verifying the SSL Certificate Authority while negotiating the SSL connection. This usually indicates that you are using a self-signed certificate but have not added your CA to the CA bundle. See instructions in "libphutil/resources/ssl/README".

(Run with `--trace` for a full exception trace.)

 

Is anybody else seeing this? If it’s an issue on my side, has anybody else seen this issue before and knows what I need to do to fix it?

 

Thanks,

   Chris Tetreault

Mehdi AMINI via llvm-dev

Sep 30, 2021, 1:06:54 PM
to Chris Tetreault, llvm...@lists.llvm.org
On this machine, does it work when you use a browser?

What about curl on the command line?
Try: curl https://reviews.llvm.org/

If curl reproduces the issue, there are many tracing/debug options for curl.

Also I don't know if you tried the --trace option that arc suggests
and if it gave more info?

--
Mehdi


Chris Tetreault via llvm-dev

Sep 30, 2021, 1:25:23 PM
to Mehdi AMINI, llvm...@lists.llvm.org
On both machines, I can go directly to the page. On the windows machine, curl retrieves the page. On the linux machine, I get a similar error:

```
curl https://reviews.llvm.org
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
```

If the problem is purely on my end, I suppose I can take it from here. Thanks for the help!

Thanks,
Chris Tetreault


Shoaib Meenai via llvm-dev

Sep 30, 2021, 2:28:46 PM
to Chris Tetreault, Mehdi AMINI, llvm...@lists.llvm.org
A coworker was running into similar issues internally, and it appeared to be related to https://docs.certifytheweb.com/docs/kb/kb-202109-letsencrypt/. He had to update custom.pem inside arcanist/resources/ssl (he copied it over from an internal certificate bundle) ... the README in that directory has more information.

Rafael Auler via llvm-dev

Sep 30, 2021, 3:03:29 PM
to Shoaib Meenai, Chris Tetreault, Mehdi AMINI, llvm...@lists.llvm.org

It looks like somebody also already opened a PR in phacility/arcanist regarding this issue:
https://github.com/phacility/arcanist/pull/259/commits/e3659d43d8911e91739f3b0c5935598bceb859aa

 


Chris Tetreault via llvm-dev

Sep 30, 2021, 3:30:46 PM
to Rafael Auler, Shoaib Meenai, Mehdi AMINI, llvm...@lists.llvm.org

Makes sense. Hopefully upstream arcanist gets this sorted in the next day or two and some official patch or git pull from main will sort it out. I prefer not to go fiddling with ssh configs if possible. In the meantime, I have other fires to put out. 😊 Thanks for doing the legwork and reporting your findings!

 

Thanks,

   Chris Tetreault

Mehdi AMINI via llvm-dev

Sep 30, 2021, 6:41:41 PM
to Chris Tetreault, llvm...@lists.llvm.org
FYI it is also tracked by Phorge (the community fork of Phabricator
after the company stopped active development):
https://we.phorge.it/T15051
Seems like on Ubuntu at least they report that "updating the
ca-certificates package resolves the issue".
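
An added example, not written by anyone in this thread: a Python check that lists the expired CA certificates in a PEM bundle such as the `custom.pem` or `/etc/ssl/certs/ca-certificates.crt` files mentioned above. The function names are this example's own, and the sample records are constructed in the shape `ssl.SSLContext.get_ca_certs()` returns.

```python
import ssl
import time

# Constructed sample in the shape ssl.SSLContext.get_ca_certs() returns
# (only the fields used here); not read from any machine in this thread.
SAMPLE_CA_CERTS = [
    {"subject": ((("organizationName", "Digital Signature Trust Co."),),
                 (("commonName", "DST Root CA X3"),)),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("countryName", "US"),),
                 (("organizationName", "Internet Security Research Group"),),
                 (("commonName", "ISRG Root X1"),)),
     "notAfter": "Jun  4 11:04:38 2035 GMT"},
]


def common_name(cert):
    """Return the subject commonName, or the whole subject if it has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return str(cert.get("subject"))


def expired_cas(ca_certs, now=None):
    """Return (name, notAfter) for every CA whose validity ended before `now`."""
    now = time.time() if now is None else now
    return [(common_name(c), c["notAfter"])
            for c in ca_certs
            if ssl.cert_time_to_seconds(c["notAfter"]) < now]


def load_bundle(cafile):
    """Parse a PEM bundle and return the certificates OpenSSL treats as CAs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx.get_ca_certs()


if __name__ == "__main__":
    import sys
    # With a path argument, audit that bundle; otherwise use the sample.
    certs = load_bundle(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CA_CERTS
    for name, not_after in expired_cas(certs):
        print(f"EXPIRED  {name}  (notAfter {not_after})")
```

Run it with the bundle path as the only argument to audit the file that arc or curl is actually reading; an expired root in the output, or a bundle that has not been refreshed in years, points at a stale trust store rather than at the server.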

Tom Stellard via llvm-dev

Oct 1, 2021, 5:47:00 PM
to Rafael Auler, Shoaib Meenai, Chris Tetreault, Mehdi AMINI, llvm...@lists.llvm.org
On 9/30/21 12:03 PM, Rafael Auler via llvm-dev wrote:
> It looks like somebody also already opened a PR in phacility/arcanist regarding this issue:
> https://github.com/phacility/arcanist/pull/259/commits/e3659d43d8911e91739f3b0c5935598bceb859aa
>

Hi,

I have submitted a patch for the GettingStarted docs to explain how
to apply this fix: https://reviews.llvm.org/D110976

-Tom
