View Issue Details

ID: 0016119
Project: CentOS CI
Category: [All Projects] general
View Status: public
Last Update: 2019-05-28 15:03
Reporter: evgeni
Priority: high
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Summary: 0016119: internal cloud.centos.org mirror certificate expired

Description:
When trying to use Vagrant inside ci.centos.org, cloud.centos.org is served by 172.22.0.40 and that has an expired certificate:

$ curl -vIL https://vagrantcloud.com/centos/boxes/7/versions/1902.01/providers/libvirt.box
* About to connect() to vagrantcloud.com port 443 (#0)
* Trying 52.200.123.104...
* Connected to vagrantcloud.com (52.200.123.104) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=app.vagrantup.com
* start date: Apr 19 23:10:15 2019 GMT
* expire date: Jul 18 23:10:15 2019 GMT
* common name: app.vagrantup.com
* issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
> HEAD /centos/boxes/7/versions/1902.01/providers/libvirt.box HTTP/1.1
> User-Agent: curl/7.29.0
> Host: vagrantcloud.com
> Accept: */*
>
< HTTP/1.1 302 Found
HTTP/1.1 302 Found
< Server: Cowboy
Server: Cowboy
< Date: Tue, 28 May 2019 14:22:07 GMT
Date: Tue, 28 May 2019 14:22:07 GMT
< Connection: keep-alive
Connection: keep-alive
< X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
< X-Xss-Protection: 1; mode=block
X-Xss-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< Location: https://app.vagrantup.com/centos/boxes/7/versions/1902.01/providers/libvirt.box
Location: https://app.vagrantup.com/centos/boxes/7/versions/1902.01/providers/libvirt.box
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Cache-Control: no-cache
Cache-Control: no-cache
< X-Request-Id: ca3204e1-467b-4f96-9880-cabfb6925005
X-Request-Id: ca3204e1-467b-4f96-9880-cabfb6925005
< X-Runtime: 0.004978
X-Runtime: 0.004978
< Via: 1.1 vegur
Via: 1.1 vegur

<
* Connection #0 to host vagrantcloud.com left intact
* Issue another request to this URL: 'https://app.vagrantup.com/centos/boxes/7/versions/1902.01/providers/libvirt.box'
* About to connect() to app.vagrantup.com port 443 (#1)
* Trying 35.173.3.255...
* Connected to app.vagrantup.com (35.173.3.255) port 443 (#1)
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=app.vagrantup.com
* start date: Apr 19 23:10:15 2019 GMT
* expire date: Jul 18 23:10:15 2019 GMT
* common name: app.vagrantup.com
* issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
> HEAD /centos/boxes/7/versions/1902.01/providers/libvirt.box HTTP/1.1
> User-Agent: curl/7.29.0
> Host: app.vagrantup.com
> Accept: */*
>
< HTTP/1.1 302 Found
HTTP/1.1 302 Found
< Server: Cowboy
Server: Cowboy
< Date: Tue, 28 May 2019 14:22:07 GMT
Date: Tue, 28 May 2019 14:22:07 GMT
< Connection: keep-alive
Connection: keep-alive
< X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
< X-Xss-Protection: 1; mode=block
X-Xss-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
< Location: https://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagrant-1902_01.Libvirt.box
Location: https://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagrant-1902_01.Libvirt.box
< Content-Type: text/html; charset=utf-8
Content-Type: text/html; charset=utf-8
< Cache-Control: no-cache
Cache-Control: no-cache
< X-Request-Id: 98db87c0-5769-46fb-90d7-33512348b66a
X-Request-Id: 98db87c0-5769-46fb-90d7-33512348b66a
< X-Runtime: 0.080025
X-Runtime: 0.080025
< Via: 1.1 vegur
Via: 1.1 vegur

<
* Connection #1 to host app.vagrantup.com left intact
* Issue another request to this URL: 'https://cloud.centos.org/centos/7/vagrant/x86_64/images/CentOS-7-x86_64-Vagrant-1902_01.Libvirt.box'
* About to connect() to cloud.centos.org port 443 (#2)
* Trying 172.22.0.40...
* Connected to cloud.centos.org (172.22.0.40) port 443 (#2)
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* subject: CN=cloud.centos.org
* start date: Feb 25 13:09:17 2019 GMT
* expire date: May 26 13:09:17 2019 GMT
* common name: cloud.centos.org
* issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
* NSS error -8181 (SEC_ERROR_EXPIRED_CERTIFICATE)
* Peer's Certificate has expired.
* Closing connection 2
curl: (60) Peer's Certificate has expired.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Steps To Reproduce: curl -vIL https://vagrantcloud.com/centos/boxes/7/versions/1902.01/providers/libvirt.box
Additional Information: tested as foreman@slave01.ci.centos.org
Tags: No tags attached.

Activities

arrfab

2019-05-28 15:03

administrator   ~0034528

As discussed in #centos-devel, CI is using a different node, while external nodes behind cloud.centos.org got the renewed cert.
Puppet had an issue running on that internal node, and it is also between two steps: being converted from Puppet to Ansible.
Now fixed, and added another check for that internal node (which will need to be replaced, though).
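
The failure in this report was invisible from outside because only the internal node (172.22.0.40) still served the old certificate, so an expiry check has to handshake with each node by IP while sending the public hostname as SNI. The following is an added example of such a check, not the CentOS infrastructure team's own monitoring; the function names and the 14-day warning threshold are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

X509_V_ERR_CERT_HAS_EXPIRED = 10  # OpenSSL verify code for an expired certificate


def classify(not_after, now, warn_days=14):
    """Map a notAfter string ('May 26 13:09:17 2019 GMT') to (state, whole days left)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    days_left = int((expires - now).total_seconds() / 86400)
    if expires <= now:
        return "expired", days_left
    return ("expiring" if days_left < warn_days else "ok"), days_left


def probe(ip, hostname, port=443, warn_days=14, timeout=5.0):
    """Handshake with one specific node by IP, sending `hostname` as SNI."""
    ctx = ssl.create_default_context()  # certificate verification stays enabled
    now = datetime.now(timezone.utc)
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return classify(tls.getpeercert()["notAfter"], now, warn_days)
    except ssl.SSLCertVerificationError as exc:
        if exc.verify_code == X509_V_ERR_CERT_HAS_EXPIRED:
            return "expired", None
        return "invalid: " + exc.verify_message, None
    except OSError as exc:
        return "unreachable: " + str(exc), None


def check_all(hostname, extra_ips=(), port=443):
    """Probe every address DNS returns from this vantage point plus listed nodes."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    ips = {info[4][0] for info in infos} | set(extra_ips)
    return {ip: probe(ip, hostname, port) for ip in sorted(ips)}


if __name__ == "__main__":
    # Offline demo using the certificate dates from the curl transcript above,
    # evaluated at the time of the reporter's request (28 May 2019 14:22:07 GMT).
    seen = datetime(2019, 5, 28, 14, 22, 7, tzinfo=timezone.utc)
    print("cloud.centos.org ", classify("May 26 13:09:17 2019 GMT", seen))
    print("app.vagrantup.com", classify("Jul 18 23:10:15 2019 GMT", seen))
```

Run `check_all("cloud.centos.org", extra_ips=["172.22.0.40"])` from both an internal and an external vantage point, since each resolves the name to different nodes.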

Issue History

Date Modified Username Field Change
2019-05-28 14:33 evgeni New Issue
2019-05-28 14:33 evgeni Status new => assigned
2019-05-28 15:03 arrfab Status assigned => resolved
2019-05-28 15:03 arrfab Resolution open => fixed
2019-05-28 15:03 arrfab Note Added: 0034528