Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/build: migrate farmer.golang.org to LetsEncrypt before April 4th 2017 #16442

Closed
bystones opened this issue Jul 20, 2016 · 10 comments
Closed

x/build: migrate farmer.golang.org to LetsEncrypt before April 4th 2017 #16442

bystones opened this issue Jul 20, 2016 · 10 comments
Labels
Builders x/build issues (builders, bots, dashboards) FrozenDueToAge
Milestone

Comments

@bystones
Copy link

bystones commented Jul 20, 2016

Going to https://farmer.golang.org/try?commit=773db5cd produces a SEC_UNKNOWN_ISSUER in Firefox 47 on Windows 8.

The exported certificate looks like this:

-----BEGIN CERTIFICATE-----
MIICljCCAX4CCQDerFGz933ozjANBgkqhkiG9w0BAQUFADANMQswCQYDVQQDEwJn
bzAeFw0xNTA0MDUyMDE0MDlaFw0xNzA0MDQyMDE0MDlaMA0xCzAJBgNVBAMTAmdv
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx5DegqvOjndHlwBtxabm
0EbgpPWwVIQM/eOELYrGCvtTPAsQCVQY74/EJBpOfl+bu37hgFU1QEJeACT6S31G
G/b1VCAKe4ltp1rZp+3RMSuvUui3C1Y4QrgN/wQY47OFJqiq9VE2adcVC1PjmIoW
5U0Wy9JaKVn15Uw+Ez2Q+RgBpRRsrdr8tPEy7k/J1hBjkxK550RVsY+nRNimNOR2
dOImNNe8G+fIUbQUQCrRG2pz9IulnfH95Wh6KDUNOIyXdNcFfQEPEIhHaHoJazXV
TQx1znsldlZLLFvw1ULBJ4WXTozP9r5vqdyBBaicqPwrCCF2x8nBsyuhNtjgW/K1
CwIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQBSBV5kt5lI6uImGLpWCh5fxeL4WECY
hXS5vnL2Z5pFoHCdOR3goHuHvNuI1J/PnjsYpnPxZAqujXlCeT1MvuVpflpP1qOb
U4mU5aedDETYUfYYeIWxdZRiqDkKg828v5YS5FM+rA3dURQnKYIWKAYw5r577Kfm
bV0aGdnWQYUoId6cySLB7fe4/R9JOAxnCqS82+WZF/oy4ONu/zquxU1qugIOzq3I
rN/faUQTZkmJr+eb5RddNEZ61wwM+sJkbkydpqw17xTSYWv2roHrMGNH41K/NlBr
WyM81JLyaoXhAT1Bh66T55eodas7nXg4U1xjolTXWZ75Cnon34VpHQzI
-----END CERTIFICATE-----

@bradfitz
Copy link
Contributor

That's intentional. It's self-signed and clients of it expected a certain pinned cert.

How did you get to that URL? If by hand, this is expected.

@bystones
Copy link
Author

It get's posted by the Gobot in Gerrit.

@bradfitz
Copy link
Contributor

Show me an example. I'm pretty sure they're always "http" links.

@bystones
Copy link
Author

You are correct, sorry for the wrong report.
It was the HTTPS Everywhere addon rewriting the URL.

josharian added a commit to josharian/https-everywhere that referenced this issue Mar 10, 2017
This is a public record of failed builder runs.
It uses a self-signed cert, and there is
no plan for that to change.
See the discussion at golang/go#16442.
@josharian
Copy link
Contributor

I got sick of this. I've sent a PR to HTTPS Everywhere to fix: EFForg/https-everywhere#8984

@bradfitz
Copy link
Contributor

Actually, our self-signed cert expires "Tuesday, April 4, 2017" (and is a SHA-1 cert). It's probably time we just switched to LetsEncrypt with autocert and updated the reverse buildlets to not require the pinned cert anymore. That's just legacy from when certs were annoying.

@bradfitz bradfitz self-assigned this Mar 10, 2017
@bradfitz bradfitz reopened this Mar 10, 2017
@bradfitz bradfitz changed the title broken certificate for farmer.golang.org x/build: migrate farmer.golang.org to LetsEncrypt before April 4th 2017 Mar 10, 2017
@bradfitz bradfitz added this to the Unreleased milestone Mar 21, 2017
@gopherbot gopherbot added the Builders x/build issues (builders, bots, dashboards) label Mar 21, 2017
@kevinburke
Copy link
Contributor

I'm interested in working on this (was just about to open a new issue for this and tip.golang.org)

@bradfitz
Copy link
Contributor

This isn't something that can be done easily without access to all the builders.

@gopherbot
Copy link

CL https://golang.org/cl/38792 mentions this issue.

gopherbot pushed a commit to golang/build that referenced this issue Mar 30, 2017
The reverse buildlet system predates LetsEncrypt.

We previously used a self-signed cert and baked in a self-signed CA
into our reverse buildlet binaries. That cert expires April 4th,
2017. Soon.

This change makes the buildlets accept either a system CA cert (so we
can use LetsEncrypt before April 4th) or we can still use the old cert
in the few days before April 4th.

It also bumps the version to 9 so we can watch
http://farmer.golang.org/#pools and watch the buildlets upgrade as
they restart and finish builds. I rebuilt all the buildlet binaries
for each platform with reverse buildlets and I see some already on
version 9, so it works.

Also add s390x to the Makefile (not sure why it was missing?) and
disable caching on all the buildlet binaries. The URL query parameter
suffix for cache busting no longer seems to work (which builders
use). I'm pretty sure it used to work, but maybe it never did. Or
maybe Google Cloud Storage changed something. So explicitly set the
"no-cache" cache-control value instead so buildlets download the
latest binary.

Updates golang/go#16442

Change-Id: I69b360c5d53c296ca85fa5c40ea10cb9843d4329
Reviewed-on: https://go-review.googlesource.com/38792
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
@gopherbot
Copy link

CL https://golang.org/cl/38798 mentions this issue.

gopherbot pushed a commit to golang/build that referenced this issue Apr 6, 2017
…hanges

No more self-signed cert on https://farmer.golang.org, so don't do the custom
TLS dialing anymore. Just use the standard tls.Dial.

Updates golang/go#16442

Change-Id: I2e29cbde3294aaaa74c0e82150ffe985f3639209
Reviewed-on: https://go-review.googlesource.com/39750
Reviewed-by: Keith Randall <khr@golang.org>
@golang golang locked and limited conversation to collaborators Apr 2, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
Builders x/build issues (builders, bots, dashboards) FrozenDueToAge
Projects
None yet
Development

No branches or pull requests

5 participants