build-wheel-tarball.sh fails due to expired certificate

Bug #1946122 reported by Scott Little
This bug affects 1 person
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Scott Little
Milestone: (none listed)

Bug Description

Brief Description
-----------------
build-wheel-tarball.sh fails due to expired certificate

Severity
--------
Provide the severity of the defect.
Critical: Can't build wheels, nor containers that depend on wheels

Steps to Reproduce
------------------
build-wheel-tarball.sh

Expected Behavior
------------------
The wheel tarball is built

Actual Behavior
----------------
The wheel tarball fails to build

Reproducibility
---------------
100%

System Configuration
--------------------
N/A

Branch/Pull Time/Commit
-----------------------
October 4, 2021

Last Pass
---------
Sept 27, 2021

Timestamp/Logs
--------------
00:21:00.906 Running: wget https://opendev.org/openstack/requirements/raw/commit/2da5c5045118b0e36fb14427872e4b9b37335071/global-requirements.txt
00:21:00.911 --2021-10-05 14:33:36-- https://opendev.org/openstack/requirements/raw/commit/2da5c5045118b0e36fb14427872e4b9b37335071/global-requirements.txt
00:21:00.927 Resolving opendev.org (opendev.org)... 38.108.68.124, 2604:e100:3:0:f816:3eff:fe6b:ad62
00:21:00.933 Connecting to opendev.org (opendev.org)|38.108.68.124|:443... connected.
00:21:01.153 ERROR: cannot verify opendev.org's certificate, issued by ‘/C=US/O=Let's Encrypt/CN=R3’:
00:21:01.153 Issued certificate has expired.

Test Activity
-------------
Build

Workaround
----------
N/A

Scott Little (slittle1)
Changed in starlingx:
assignee: nobody → Scott Little (slittle1)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/812524

Changed in starlingx:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to root (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/root/+/812525

OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/812524
Committed: https://opendev.org/starlingx/tools/commit/874f70f91fe18a5db8cc0e571141047616dcf09b
Submitter: "Zuul (22348)"
Branch: master

commit 874f70f91fe18a5db8cc0e571141047616dcf09b
Author: Scott Little <email address hidden>
Date: Tue Oct 5 12:08:34 2021 -0400

    Update ca-certificates in various docker build environments

    Partial-bug: 1946122
    Signed-off-by: Scott Little <email address hidden>
    Change-Id: I82f4cdb8cf65aeae7e2b0e9f382c03cd53a40da4

Changed in starlingx:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to root (master)

Reviewed: https://review.opendev.org/c/starlingx/root/+/812525
Committed: https://opendev.org/starlingx/root/commit/5c4f09d81b589f4face2a9d55affba39bc534a70
Submitter: "Zuul (22348)"
Branch: master

commit 5c4f09d81b589f4face2a9d55affba39bc534a70
Author: Scott Little <email address hidden>
Date: Tue Oct 5 12:02:34 2021 -0400

    Update ca-certificates in various docker build environments

    The ca-certificates in our docker build environments expired
    on Oct 1 2021. The ca-certificates package needs to be updated
    within each container.

    Closes-bug: 1946122
    Signed-off-by: Scott Little <email address hidden>
    Change-Id: If9b89d8a13f5924f28857382aee302bec3b0dca5

JunyoungHwang (juuns) wrote :

tools/tb.sh create log

Step 16/49 : RUN yum update -y ca-certificates
 ---> Running in 7e18c3f857a3
Loaded plugins: ovl, product-id, search-disabled-repos, subscription-manager

This system is not registered with an entitlement server. You can use subscription-manager to register.

No packages marked for update
Removing intermediate container 7e18c3f857a3

OpenStack Infra (hudson-openstack) wrote : Fix proposed to tools (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/812725

OpenStack Infra (hudson-openstack) wrote : Fix merged to tools (master)

Reviewed: https://review.opendev.org/c/starlingx/tools/+/812725
Committed: https://opendev.org/starlingx/tools/commit/42ed52288079ceef8a7edb15441f1e25e1165b9b
Submitter: "Zuul (22348)"
Branch: master

commit 42ed52288079ceef8a7edb15441f1e25e1165b9b
Author: Scott Little <email address hidden>
Date: Wed Oct 6 11:47:01 2021 -0400

    Update ca-certificates to pull from Centos 7.9

    https download fails with errors such as...

    00:21:13.479 ERROR: cannot verify opendev.org's certificate, issued by
    ‘/C=US/O=Let's Encrypt/CN=R3’:
    00:21:13.479 Issued certificate has expired.

    The upstream root certificate expired on Oct 1, 2021.

    ca-certificates needs to be updated to version 2021.2.50
    but that version is only available in Centos 7.9 or newer.
    This build container is locked down to Centos 7.8 without
    updates.

    This update adds repo definitions for 7.9 and 7.8 updates,
    but sets them to disabled by default.

    When updating ca-certificates I temporarily enable the
    Centos 7.9 updates repo.

    I also disable the yum module that causes the
    "system is not registered with an entitlement server"
    messages, but those messages turned out to NOT be the root
    cause of ca-certificates failure to update.

    Closes-bug: 1946151
    Closes-bug: 1946122
    Signed-off-by: Scott Little <email address hidden>
    Change-Id: I7ac47582e731ec5003f76ddfa24331ca87e1bf6c
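
A build-time check for the failure mode seen in this thread, where `yum update -y ca-certificates` reported "No packages marked for update" and the stale trust bundle stayed in place. This is an added example, not code from the StarlingX repositories; it assumes Python 3 is available in the image and that the trust bundle is at the CentOS path /etc/pki/tls/certs/ca-bundle.crt, and `SAMPLE_CERTS` is constructed data.

```python
import ssl
import sys
import time

# Assumed default: the CentOS system bundle; pass another path as argv[1].
DEFAULT_BUNDLE = "/etc/pki/tls/certs/ca-bundle.crt"

# Constructed sample in the shape SSLContext.get_ca_certs() returns.
SAMPLE_CERTS = [
    {"subject": ((("organizationName", "Constructed Org"),),
                 (("commonName", "Constructed Expired Root"),)),
     "notAfter": "Oct  1 00:00:00 2021 GMT"},
    {"subject": ((("commonName", "Constructed Valid Root"),),),
     "notAfter": "Jun  4 11:04:38 2035 GMT"},
]


def load_bundle(cafile):
    """Parse every CA certificate in a PEM bundle with the stdlib ssl module."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx.get_ca_certs()


def common_name(subject):
    """Return the commonName from a subject tuple, or the whole subject."""
    for rdn in subject:
        for key, value in rdn:
            if key == "commonName":
                return value
    return str(subject)


def expired_roots(certs, now=None):
    """List (name, notAfter) for each certificate whose validity has ended."""
    now = time.time() if now is None else now
    return sorted(
        (common_name(c["subject"]), c["notAfter"])
        for c in certs
        if ssl.cert_time_to_seconds(c["notAfter"]) <= now
    )


if __name__ == "__main__":
    bundle = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_BUNDLE
    stale = expired_roots(load_bundle(bundle))
    for name, not_after in stale:
        print(f"expired trust anchor: {name} (notAfter {not_after})")
    sys.exit(1 if stale else 0)  # non-zero exit fails a Dockerfile RUN step
```

Run as a `RUN` step right after the ca-certificates update so that an update that silently does nothing stops the image build instead of surfacing later as a wget failure.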

Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → High
tags: added: stx.6.0 stx.build