Closed Bug 1780349 Opened 2 years ago Closed 2 years ago

building docker images fails on Try: Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.

Categories

(Release Engineering :: Firefox-CI Administration, defect)

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: aryx, Unassigned)

Log: https://treeherder.mozilla.org/logviewer?job_id=384859027&repo=try

E: Failed to fetch https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/WjOakOyvQtCOxQcpuu_k9A/artifacts/public/build/debian/Packages  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 35.190.5.182 443]
E: Failed to fetch https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/at9ZbgI8THCWiCNhpRJhDg/artifacts/public/build/debian/Packages  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 35.190.5.182 443]
E: Some index files failed to download. They have been ignored, or old ones used instead.
error building image: error building stage: failed to execute command: waiting for process to exit: exit status 100
Error: Could not build image.

As far as I can tell this is due to https://bugs.debian.org/961889 and the firefox-ci-tc.services.m.c cert chaining to the expired "DST Root CA X3".
The bug was fixed in libgnutls30 3.6.7-4+deb10u5 but we're pinning 3.6.7-4+deb10u3 in the debian10-base docker image.

Mike, can we easily bump the buster snapshot here?

Flags: needinfo?(mh+mozilla)

(it would be a good time to update all the images still based on debian10 to debian11, btw)

On recent central, the docker images have this:

# apt policy libgnutls30
libgnutls30:
  Installed: 3.6.7-4+deb10u7
  Candidate: 3.6.7-4+deb10u7
  Version table:
 *** 3.6.7-4+deb10u7 500
        500 http://snapshot.debian.org/archive/debian/20220509T214601Z buster/main amd64 Packages
        100 /var/lib/dpkg/status
     3.6.7-4+deb10u4 500
        500 http://snapshot.debian.org/archive/debian-security/20220509T214601Z buster/updates/main amd64 Packages

Julien noticed the mozilla-central base revision is older than a year. Andi, please rebase on a recent one and try again.

I cannot rebase anything; it's on rMC and not rMOZILLACENTRAL. The latter cannot be used as a source for phabricator dev.

(In reply to Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout) from comment #5)

> Julien noticed the mozilla-central base revision is older than a year. Andi, please rebase on a recent one and try again.

The patch is not based on mozilla-central but on MC and that is one month old. I've talked with sheehan to update it.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME