RESOLVED FIXED 202837
results.webkit.org: Sort out certificates on Catalina
https://bugs.webkit.org/show_bug.cgi?id=202837
Jonathan Bedard
Reported 2019-10-10 18:22:46 PDT
For some reason, our Catalina bots can't verify the results.webkit.org certificate when posting via requests.
Attachments
Patch for landing (1.61 KB, patch)
2019-12-03 15:42 PST, Jonathan Bedard
no flags
Patch (2.54 KB, patch)
2020-04-30 12:13 PDT, Jonathan Bedard
no flags
Jonathan Bedard
Comment 1 2019-10-10 18:26:37 PDT
As a temporary measure, I'm going to disable verification for results.webkit.org until we get our certificates sorted out.
Jonathan Bedard
Comment 2 2019-10-10 18:30:32 PDT
Radar WebKit Bug Importer
Comment 3 2019-10-10 18:31:14 PDT
Jonathan Bedard
Comment 4 2019-10-10 18:31:47 PDT
WebKit patch closed the bug. To be clear, the issue is not resolved, the landed change just works around it temporarily.
Jonathan Bedard
Comment 5 2019-12-03 15:42:16 PST
Created attachment 384763 [details] Patch for landing
Jonathan Bedard
Comment 6 2019-12-03 15:47:27 PST
We've figured out the issue server-side, removing the insecure work-around.
WebKit Commit Bot
Comment 7 2019-12-03 15:59:27 PST
Comment on attachment 384763 [details] Patch for landing
Clearing flags on attachment: 384763
Committed r253069: <https://trac.webkit.org/changeset/253069>
WebKit Commit Bot
Comment 8 2019-12-03 15:59:28 PST
All reviewed patches have been landed. Closing bug.
Jonathan Bedard
Comment 9 2019-12-04 11:02:40 PST
Reverted r253069 for reason: requests not handling certificate chain correctly in Catalina
Committed r253117: <https://trac.webkit.org/changeset/253117>
Jonathan Bedard
Comment 10 2019-12-04 11:04:01 PST
I thought I had this fixed, but apparently I didn't test enough. I think there is something wrong with our Python SSL libraries on Catalina. Curl is happy using the same ca file that requests is relying on, so I think our issue is no longer server-side.
Jonathan Bedard
Comment 11 2020-04-30 12:04:39 PDT
Thanks to Philippe Normand for pointing out our problem, we had an incomplete certificate chain server-side. Now that this is resolved, we should be able to remove verify=False.
Jonathan Bedard
Comment 12 2020-04-30 12:13:21 PDT
Aakash Jain
Comment 13 2020-04-30 12:59:14 PDT
rs=me
EWS
Comment 14 2020-04-30 14:15:25 PDT
Committed r260965: <https://trac.webkit.org/changeset/260965>
All reviewed patches have been landed. Closing bug and clearing flags on attachment 398076 [details].
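The root cause named in Comment 11, an incomplete certificate chain sent by the server, can be reproduced offline with the `openssl` CLI, which shows why a client that trusts only the root rejects a leaf sent without its intermediate. This is an added example, not part of the bug thread or WebKit's code; the CA names, host name and file names are constructed, and it assumes an OpenSSL 1.1 or later `openssl` binary on PATH.

```bash
#!/usr/bin/env bash
# Added example. Every name, subject and file here is constructed for the demo.
set -eu

# Build root CA -> intermediate CA -> leaf in directory $1.
make_chain() {
  local d=$1
  # Minimal config so the result does not depend on the system openssl.cnf.
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=placeholder\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/demo.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$d/demo.cnf" \
    -extensions ca -subj "/CN=Constructed Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
    -subj "/CN=Constructed Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -days 2 -CA "$d/root.pem" \
    -CAkey "$d/root.key" -CAcreateserial -extfile "$d/demo.cnf" \
    -extensions ca -out "$d/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/demo.cnf" \
    -subj "/CN=results.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -days 2 -CA "$d/int.pem" \
    -CAkey "$d/int.key" -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
}

# Succeeds only if a path from leaf $2 to trust anchor $1 can be built, using
# just the extra certificates $3 that the server sent (none if $3 is omitted).
verify_as_client() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1 | grep -q ': OK$'
  else
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
  fi
}

work=$(mktemp -d)
make_chain "$work"
# Misconfigured server: sends only the leaf.
if verify_as_client "$work/root.pem" "$work/leaf.pem"; then
  echo "leaf only: verified"; else echo "leaf only: FAILED (issuer not found)"; fi
# Fixed server: sends leaf plus intermediate.
if verify_as_client "$work/root.pem" "$work/leaf.pem" "$work/int.pem"; then
  echo "leaf + intermediate: verified"; else echo "leaf + intermediate: FAILED"; fi
```

Against a live host, `openssl s_client -connect HOST:443 -showcerts` lists the certificates the server actually sends, which is the set to pass as `-untrusted`.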