Thread: Animals with old SSL may find no build required
If any of your buildfarm members don't get regular system updates, I recommend checking your SSL setup with "git clone https://git.postgresql.org" and fixing as appropriate. https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ now affects verification of the https://git.postgresql.org server certificate. The part about "if clients of your API are using OpenSSL, they must use version 1.1.0 or later" applies to the git https client.

Some git builds use GnuTLS instead of OpenSSL. For Debian 8 git (GnuTLS 3.3.8), it sufficed to copy ca-bundle.crt from RHEL7 and set GIT_SSL_CAINFO. Debian 7 git uses GnuTLS 2.12.20-8+deb7u5, which can't even cope with the structure of the new certificates. Hence, I used GIT_SSL_NO_VERIFY for frogfish. This probably would have affected https://buildfarm.postgresql.org/cgi-bin/pgstatus.pl access, too, but I had reverted that one to http:// some time ago.

build-farm.conf.sample defaults to git_ignore_mirror_failure=>1. With that setting, if a buildfarm member SSL setup breaks, the member will appear to be functioning, but it will find no changes to test:

Sat Oct 2 04:35:22 2021: buildfarm run for frogfish:REL9_6_STABLE starting
git version 1.7.10.4 too old for automatic default branch update
frogfish:REL9_6_STABLE [04:35:23] checking out source ...
frogfish:REL9_6_STABLE [04:35:58] checking if build run needed ...
frogfish:REL9_6_STABLE [04:35:58] No build required: last status = Fri Sep 24 23:15:14 2021 GMT, current snapshot = Sat Sep 25 14:53:55 2021 GMT, changed files = 0
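The silent-failure mode described in the message above (mirror fetch fails, run reports "No build required" against a week-old snapshot) can be caught by comparing the run time with the snapshot time in the buildfarm log. The following is an added example, not code from the thread or from the buildfarm client; the log text is constructed after the lines quoted above, the regexes and the three-day threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the frogfish log quoted in the thread.
SAMPLE_LOG = """\
Sat Oct 2 04:35:22 2021: buildfarm run for frogfish:REL9_6_STABLE starting
git version 1.7.10.4 too old for automatic default branch update
frogfish:REL9_6_STABLE [04:35:23] checking out source ...
frogfish:REL9_6_STABLE [04:35:58] checking if build run needed ...
frogfish:REL9_6_STABLE [04:35:58] No build required: last status = Fri Sep 24 23:15:14 2021 GMT, current snapshot = Sat Sep 25 14:53:55 2021 GMT, changed files = 0
"""

# Assumed line shapes, taken from the quoted output.
RUN_RE = re.compile(
    r"^(?P<when>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}): "
    r"buildfarm run for (?P<member>\S+) starting$")
NOBUILD_RE = re.compile(
    r"No build required: .*current snapshot = "
    r"(?P<snap>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) GMT, "
    r"changed files = (?P<n>\d+)")


def parse_ts(text):
    """Parse 'Sat Oct 2 04:35:22 2021' (any run of spaces) into a datetime."""
    return datetime.strptime(" ".join(text.split()), "%a %b %d %H:%M:%S %Y")


def stale_snapshots(log_text, max_age_days=3):
    """Return [(member, run_time, snapshot_time)] for every run that said
    'No build required' while its snapshot was older than max_age_days.
    On an active branch that pattern usually means the mirror fetch is
    failing and git_ignore_mirror_failure is hiding it.  The run time is
    local and the snapshot is GMT; with a threshold of days that is fine."""
    findings = []
    run_time = member = None
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            run_time, member = parse_ts(m.group("when")), m.group("member")
            continue
        m = NOBUILD_RE.search(line)
        if m and run_time is not None:
            snap = parse_ts(m.group("snap"))
            if (run_time - snap).days >= max_age_days:
                findings.append((member, run_time, snap))
    return findings


if __name__ == "__main__":
    for member, run, snap in stale_snapshots(SAMPLE_LOG):
        print(f"{member}: run {run} used snapshot from {snap}")
```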
Noah Misch <noah@leadboat.com> writes:
> build-farm.conf.sample defaults to git_ignore_mirror_failure=>1. With that
> setting, if a buildfarm member SSL setup breaks, the member will appear to be
> functioning, but it will find no changes to test:

> Sat Oct 2 04:35:22 2021: buildfarm run for frogfish:REL9_6_STABLE starting
> git version 1.7.10.4 too old for automatic default branch update
> frogfish:REL9_6_STABLE [04:35:23] checking out source ...
> frogfish:REL9_6_STABLE [04:35:58] checking if build run needed ...
> frogfish:REL9_6_STABLE [04:35:58] No build required: last status = Fri Sep 24 23:15:14 2021 GMT, current snapshot = Sat Sep 25 14:53:55 2021 GMT, changed files = 0

FWIW, if you are using run_branches.pl, the failure will happen earlier. What I am getting on prairiedog is

error getting branches of interest: 500 Can't connect to buildfarm.postgresql.org:443 (certificate verify failed) at ./run_branches.pl line 201.

I worked around it for the moment by s/https/http/g in the config file, but I'm hoping to find where the obsolete trust store is and update it. (I thought updating perl's Mozilla::CA would do the trick, but nope.)

regards, tom lane
On Sat, Oct 02, 2021 at 10:45:48AM -0400, Tom Lane wrote:
> Noah Misch <noah@leadboat.com> writes:
> > build-farm.conf.sample defaults to git_ignore_mirror_failure=>1. With that
> > setting, if a buildfarm member SSL setup breaks, the member will appear to be
> > functioning, but it will find no changes to test:
>
> > Sat Oct 2 04:35:22 2021: buildfarm run for frogfish:REL9_6_STABLE starting
> > git version 1.7.10.4 too old for automatic default branch update
> > frogfish:REL9_6_STABLE [04:35:23] checking out source ...
> > frogfish:REL9_6_STABLE [04:35:58] checking if build run needed ...
> > frogfish:REL9_6_STABLE [04:35:58] No build required: last status = Fri Sep 24 23:15:14 2021 GMT, current snapshot = Sat Sep 25 14:53:55 2021 GMT, changed files = 0
>
> FWIW, if you are using run_branches.pl, the failure will happen earlier.
> What I am getting on prairiedog is
>
> error getting branches of interest: 500 Can't connect to buildfarm.postgresql.org:443 (certificate verify failed) at ./run_branches.pl line 201.

That will indeed happen first if your config reaches pgstatus.pl via an https:// URL (the default) and meanwhile Perl and git use the same SSL library and certificate store. frogfish does use run_branches.pl, but it doesn't meet those other conditions.