Requests to fetch GitHub patch fails in SCL3

NEW
Unassigned

Status

()

bugzilla.mozilla.org
Infrastructure
P1
normal
a year ago
a year ago

People

(Reporter: emceeaich, Unassigned)

Tracking

Production
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

If a users links a GitHub pull request, splinter should fetch and display the patch.

This is failing in environments running in SCL3, but works in other environments. 

Is there a configuration missing that is blocking this.
dylan, kendall, can you guys take a look at this when you're back in the office?
Flags: needinfo?(klibby)
Flags: needinfo?(dylan)
Yep! I'll provide a script that does the same thing the web head does to help debug what is failing.
Flags: needinfo?(dylan)
I owe a script/test case
Flags: needinfo?(dylan)
NI me again when you've got the script and I'll look.

I see random github fetch errors in the logs (503 Service Unavailable), but I'm able to curl those URLs successfully, as well as the githubusercontent.com pages they 302 to.
Flags: needinfo?(klibby)
Hi, I'm escalating this bug somewhat. Theory is, this is failing due to the SCL3 proxy cluster refusing the requests, which is why running it manually works. I will invoke my IT access now to confirm/reject that.
Flags: needinfo?(dylan) → needinfo?(rsoderberg)
Proxy testing confirmed that the proxies permit these requests, but also found that curl -k can't follow the form of redirect used by Github - and neither can BMO.

n? :dylan to provide more details and the error message he saw.
Flags: needinfo?(rsoderberg) → needinfo?(dylan)
I mistested. curl can follow the redirect. Dylan suggested SNI, which could be the case:

$ openssl s_client -connect patch-diff.githubusercontent.com:443
 0 s:/businessCategory=Private Organization/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Delaware/serialNumber=5157550/street=88 Colin P Kelly, Jr Street/postalCode=94107/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=github.com

$ openssl s_client -connect patch-diff.githubusercontent.com:443 -servername patch-diff.githubusercontent.com
 0 s:/C=US/ST=California/L=San Francisco/O=GitHub, Inc./CN=*.githubusercontent.com
sorry it took so long to get this put together:

cd /data/www/bugzilla.mozilla.org
perl -Ilocal/lib/perl5 -MLWP::UserAgent -E 'my $ua = LWP::UserAgent->new; $ua->proxy("https", "http://squid.proxy.service.consul:3128/"); my $r = $ua->get("https://github.com/mozilla-bteam/bmo/pull/85.diff"); say $r->content'

result: <p>This proxy and the remote host failed to negotiate a mutually acceptable security settings for handling your request. It is possible that the remote host does not support secure connections, or the proxy is not satisfied with the host security credentials.</p>
Flags: needinfo?(dylan)
<p><b>Failed to establish a secure connection to 192.30.255.112</b></p>

<p id="sysmsg">The system returned: <i>(71) Protocol error</i></p>

ERR_SECURE_CONNECT_FAIL

CacheHost: proxy2.dmz.scl3.mozilla.com
You need to log in before you can comment on or make changes to this bug.