building docker images fails on Try: Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.
Categories
(Release Engineering :: Firefox-CI Administration, defect)
Tracking
(Not tracked)
People
(Reporter: aryx, Unassigned)
Log: https://treeherder.mozilla.org/logviewer?job_id=384859027&repo=try
E: Failed to fetch https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/WjOakOyvQtCOxQcpuu_k9A/artifacts/public/build/debian/Packages Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 35.190.5.182 443]
E: Failed to fetch https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/at9ZbgI8THCWiCNhpRJhDg/artifacts/public/build/debian/Packages Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate. Could not handshake: Error in the certificate verification. [IP: 35.190.5.182 443]
E: Some index files failed to download. They have been ignored, or old ones used instead.
error building image: error building stage: failed to execute command: waiting for process to exit: exit status 100
Error: Could not build image.
Comment 1•2 years ago
As far as I can tell this is due to https://bugs.debian.org/961889 and the firefox-ci-tc.services.m.c cert chaining to the expired "DST Root CA X3".
The bug was fixed in libgnutls30 3.6.7-4+deb10u5 but we're pinning 3.6.7-4+deb10u3 in the debian10-base docker image.
Mike, can we easily bump the buster snapshot here?
Comment 2•2 years ago
Yes, bump the dates here:
https://searchfox.org/mozilla-central/rev/c11f54459452dd2f9ab2f9bec4ae03127897d256/taskcluster/ci/docker-image/kind.yml#118,120
and here:
https://searchfox.org/mozilla-central/rev/c11f54459452dd2f9ab2f9bec4ae03127897d256/taskcluster/ci/docker-image/kind.yml#141,143
That said, how come the docker images are triggered on that try?
Comment 3•2 years ago
(it would be a good time to update all the images still based on debian10 to debian11, btw)
Comment 4•2 years ago
On recent central, the docker images have this:
# apt policy libgnutls30
libgnutls30:
  Installed: 3.6.7-4+deb10u7
  Candidate: 3.6.7-4+deb10u7
  Version table:
 *** 3.6.7-4+deb10u7 500
        500 http://snapshot.debian.org/archive/debian/20220509T214601Z buster/main amd64 Packages
        100 /var/lib/dpkg/status
     3.6.7-4+deb10u4 500
        500 http://snapshot.debian.org/archive/debian-security/20220509T214601Z buster/updates/main amd64 Packages
Comment 5•2 years ago (Reporter)
Julien noticed the mozilla-central base revision is older than a year. Andi, please rebase on a recent one and try again.
Comment 6•2 years ago
I cannot rebase anything; it's on rMC and not rMOZILLACENTRAL. The latter cannot be used as a source for Phabricator dev.
Comment 7•2 years ago
(In reply to Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout) from comment #5)
> Julien noticed the mozilla-central base revision is older than a year. Andi, please rebase on a recent one and try again.
The patch is not based on mozilla-central but on MC and that is one month old. I've talked with sheehan to update it.