Bug 204513
| Summary: | results.webkit.org: High Sierra bots don't have the right root certificate | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Aakash Jain <aakash_jain> |
| Component: | Tools / Tests | Assignee: | Jonathan Bedard <jbedard> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | aakash_jain, ap, jbedard, pmatos |
| Priority: | P2 | | |
| Version: | Other | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=204091 https://bugs.webkit.org/show_bug.cgi?id=204364 https://bugs.webkit.org/show_bug.cgi?id=204526 https://bugs.webkit.org/show_bug.cgi?id=202837 | | |
Aakash Jain
Reporting of JSC tests from build.webkit.org to results.webkit.org is failing.
Issue #1:
https://build.webkit.org/builders/Apple%20High%20Sierra%20Release%20JSC%20%28Tests%29/builds/12102/steps/jscore-test/logs/stdio
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.
Issue #2:
https://build.webkit.org/builders/JSCOnly%20Linux%20ARMv7%20Thumb2%20Release/builds/10114/steps/jscore-test/logs/stdio
32bit JSConly bots are failing with: "Cannot determine platform".
Aakash Jain
Reporting was enabled in Bug 204364 and Bug 204091.
Jonathan Bedard
These are two very separate issues and should be separate bugs.
The first is because High Sierra has old root certificates....I'm kind of surprised we haven't had to address this yet for other reasons. It's not a huge deal because the failure to report doesn't fail the test run, I'll talk to Ling today.
The second bit is because we don't have complete platform checks in Perl code, like we do in Python. I don't have access to the hardware our 32 bit JSC Only bots are running on, we need configurationForUpload() to use a sensible platform name for that configuration. It won't be much code.
Alexey Proskuryakov
> The first is because High Sierra has old root certificates....I'm kind of
> surprised we haven't had to address this yet for other reasons. It's not a
> huge deal because the failure to report doesn't fail the test run, I'll talk
> to Ling today.
High Sierra is supposed to have all certificates needed on public internet. It seems more likely that the endpoint requires a private Apple root of some sort, which would be a server side issue.
Jonathan Bedard
(In reply to Alexey Proskuryakov from comment #3)
> > The first is because High Sierra has old root certificates....I'm kind of
> > surprised we haven't had to address this yet for other reasons. It's not a
> > huge deal because the failure to report doesn't fail the test run, I'll talk
> > to Ling today.
>
> High Sierra is supposed to have all certificates needed on public internet.
> It seems more likely that the endpoint requires a private Apple root of some
> sort, which would be a server side issue.
I don't know that it's that simple, we have another High Sierra bot that's reporting just fine:
https://build.webkit.org/builders/Apple%20High%20Sierra%20LLINT%20CLoop%20%28BuildAndTest%29/builds/18802
Guess we have to figure out what our configuration differences are...
Alexey Proskuryakov
Could it be that we papered over the problem by installing a root certificate on some of the bots before?
Paulo Matos
FYI, this applies to the igalia bots as well: https://build.webkit.org/builders/JSCOnly%20Linux%20ARMv7%20Thumb2%20Release/builds/10174/steps/jscore-test/logs/stdio/text
Jonathan Bedard
I resolved this server side.
Aakash Jain
(In reply to Jonathan Bedard from comment #7)
> I resolved this server side.
Was it due to a missing certificate chain?
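
Added example, not part of the bug thread or of WebKit's tooling: the comments raise two possible causes for curl's error 60, a client trust store that lacks the needed root and a server that does not send its intermediate chain. The script builds a constructed root, intermediate and leaf with openssl (all names and file names are assumptions made for this example) and checks each case offline, without turning verification off.

```shell
#!/bin/sh
# Constructed hierarchy root -> inter -> leaf, plus an unrelated root "other".
# Every name is made up for this example; nothing touches the network.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT; cd "$work"

printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

newreq() {   # newreq NAME: private key and CSR
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/CN=constructed-$1" -out "$1.csr" 2>/dev/null
}
selfsign() { # selfsign NAME: self-signed CA certificate
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
        -extfile ca.ext -days 2 -out "$1.pem" 2>/dev/null
}
issue() {    # issue NAME ISSUER EXTFILE: certificate for NAME signed by ISSUER
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
        -CAcreateserial -extfile "$3" -days 2 -out "$1.pem" 2>/dev/null
}

for n in root other inter leaf; do newreq "$n"; done
selfsign root
selfsign other
issue inter root ca.ext
issue leaf inter leaf.ext

# check TRUST_ANCHOR [SENT_INTERMEDIATE]
# TRUST_ANCHOR stands for the client's CA bundle; SENT_INTERMEDIATE stands for
# the extra certificates a server includes in its TLS handshake.
check() {
    if [ $# -eq 2 ]; then
        openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1
    fi
}
report() { if check "$@"; then echo "verified"; else echo "verify FAILED"; fi; }

echo "root trusted, server sends leaf only:        $(report root.pem)"
echo "root trusted, server sends intermediate too: $(report root.pem inter.pem)"
echo "root NOT trusted, full chain sent:           $(report other.pem inter.pem)"
```

Both failing cases are rejected by the client in the same way, so comparing a failing and a working machine against the chain the server actually sends is what separates a client-side bundle gap from a server-side chain gap.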