RESOLVED FIXED 204513
results.webkit.org: High Sierra bots don't have the right root certificate 
https://bugs.webkit.org/show_bug.cgi?id=204513
Summary results.webkit.org: High Sierra bots don't have the right root certificate
Aakash Jain
Reported 2019-11-22 06:22:43 PST
Reporting of JSC tests from build.webkit.org to results.webkit.org is failing. Issue #1: https://build.webkit.org/builders/Apple%20High%20Sierra%20Release%20JSC%20%28Tests%29/builds/12102/steps/jscore-test/logs/stdio curl: (60) SSL certificate problem: unable to get local issuer certificate More details here: https://curl.haxx.se/docs/sslcerts.html curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option. HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure. Issue #2: https://build.webkit.org/builders/JSCOnly%20Linux%20ARMv7%20Thumb2%20Release/builds/10114/steps/jscore-test/logs/stdio 32bit JSConly bots are failing with: "Cannot determine platform".
Attachments
Add attachment proposed patch, testcase, etc.
Aakash Jain
Comment 1 2019-11-22 06:24:33 PST
Reporting was enabled in Bug 204364 and Bug 204091.
Jonathan Bedard
Comment 2 2019-11-22 07:43:23 PST
These are two very separate issues and should be separate bugs. The first is because High Sierra has old root certificates....I'm kind of surprised we haven't had to address this yet for other reasons. It's not a huge deal because the failure to report doesn't fail the test run, I'll talk to Ling today. The second bit is because we don't have complete platform checks in perl code, like we do in Python. I don't have access to the hardware our 32 bit JSC Only bots are running on, we need configurationForUpload() to use a sensible platform name for that configuration. It won't we much code.
Alexey Proskuryakov
Comment 3 2019-11-22 08:22:25 PST
> The first is because High Sierra has old root certificates....I'm kind of > surprised we haven't had to address this yet for other reasons. It's not a > huge deal because the failure to report doesn't fail the test run, I'll talk > to Ling today. High Sierra is supposed to have all certificates needed on public internet. It seems more likely that the endpoint requires a private Apple root of some sort, which would be a server side issue.
Jonathan Bedard
Comment 4 2019-11-22 08:50:54 PST
(In reply to Alexey Proskuryakov from comment #3) > > The first is because High Sierra has old root certificates....I'm kind of > > surprised we haven't had to address this yet for other reasons. It's not a > > huge deal because the failure to report doesn't fail the test run, I'll talk > > to Ling today. > > High Sierra is supposed to have all certificates needed on public internet. > It seems more likely that the endpoint requires a private Apple root of some > sort, which would be a server side issue. I don't know that it's that simple, we have another High Sierra bot that's reporting just fine: https://build.webkit.org/builders/Apple%20High%20Sierra%20LLINT%20CLoop%20%28BuildAndTest%29/builds/18802 Guess we have to figure out what our configuration differences are...
Alexey Proskuryakov
Comment 5 2019-11-22 09:35:04 PST
Could it be that we papered over the problem by installing root certificate on some of the bots before?
Jonathan Bedard
Comment 7 2019-12-03 15:23:40 PST
I resolved this server side.
Aakash Jain
Comment 8 2019-12-03 15:26:26 PST
(In reply to Jonathan Bedard from comment #7) > I resolved this server side. Was it due to missing certificate chain?
Note You need to log in before you can comment on or make changes to this bug.