x/build: migrate farmer.golang.org to LetsEncrypt before April 4th 2017 #16442
Comments
That's intentional. It's self-signed and clients of it expected a certain pinned cert. How did you get to that URL? If by hand, this is expected.
It gets posted by the Gobot in Gerrit.
Show me an example. I'm pretty sure they're always "http" links.
You are correct, sorry for the wrong report.
This is a public record of failed builder runs. It uses a self-signed cert, and there is no plan for that to change. See the discussion at golang/go#16442.
I got sick of this. I've sent a PR to HTTPS Everywhere to fix: EFForg/https-everywhere#8984
Actually, our self-signed cert expires "Tuesday, April 4, 2017" (and is a SHA-1 cert). It's probably time we just switched to LetsEncrypt with autocert and updated the reverse buildlets to not require the pinned cert anymore. That's just legacy from when certs were annoying.
I'm interested in working on this (was just about to open a new issue for this and tip.golang.org)
This isn't something that can be done easily without access to all the builders.
CL https://golang.org/cl/38792 mentions this issue.
The reverse buildlet system predates LetsEncrypt. We previously used a self-signed cert and baked in a self-signed CA into our reverse buildlet binaries. That cert expires April 4th, 2017. Soon.

This change makes the buildlets accept either a system CA cert (so we can use LetsEncrypt before April 4th) or we can still use the old cert in the few days before April 4th.

It also bumps the version to 9 so we can watch http://farmer.golang.org/#pools and watch the buildlets upgrade as they restart and finish builds. I rebuilt all the buildlet binaries for each platform with reverse buildlets and I see some already on version 9, so it works.

Also add s390x to the Makefile (not sure why it was missing?) and disable caching on all the buildlet binaries. The URL query parameter suffix for cache busting no longer seems to work (which builders use). I'm pretty sure it used to work, but maybe it never did. Or maybe Google Cloud Storage changed something. So explicitly set the "no-cache" cache-control value instead so buildlets download the latest binary.

Updates golang/go#16442

Change-Id: I69b360c5d53c296ca85fa5c40ea10cb9843d4329
Reviewed-on: https://go-review.googlesource.com/38792
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
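The "accept either a system CA cert or the old pinned cert" check from the CL 38792 commit message, as an added Go example (not the buildlet's actual code). `verifyEither` and `selfSigned` are hypothetical names, the certificates are throwaway self-signed stand-ins, and an empty pool replaces the system roots so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// verifyEither accepts a chain valid for host under roots (nil = system pool) or a leaf chaining to the legacy pin.
func verifyEither(raw [][]byte, legacy, roots *x509.CertPool, host string, now time.Time) error {
	if len(raw) == 0 || legacy == nil { // a nil legacy pool would silently mean "system roots, no hostname check"
		return fmt.Errorf("need a peer certificate and a non-nil legacy pool")
	}
	leaf, err := x509.ParseCertificate(raw[0])
	if err != nil {
		return err
	}
	inter := x509.NewCertPool()
	for _, der := range raw[1:] {
		if c, err := x509.ParseCertificate(der); err == nil {
			inter.AddCert(c)
		}
	}
	_, caErr := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: host, CurrentTime: now})
	_, pinErr := leaf.Verify(x509.VerifyOptions{Roots: legacy, CurrentTime: now}) // pin is the anchor: no hostname check
	if caErr != nil && pinErr != nil {
		return fmt.Errorf("CA path: %v; pinned path: %v", caErr, pinErr)
	}
	return nil
}

// selfSigned builds a throwaway one-year certificate: constructed sample input, not a real key.
func selfSigned(host string, notAfter time.Time) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() {
	expiry := time.Date(2017, 4, 4, 0, 0, 0, 0, time.UTC) // expiry date given in the issue
	old, pin := selfSigned("farmer.golang.org", expiry), x509.NewCertPool()
	pin.AddCert(old)
	fmt.Println(verifyEither([][]byte{old.Raw}, pin, x509.NewCertPool(), "farmer.golang.org", expiry.AddDate(0, 0, 7)))
}
```

In a TLS client a check like this would be called from `tls.Config.VerifyPeerCertificate` with `InsecureSkipVerify` set, so the callback is the only verification performed. The pinned path still fails once the pinned certificate expires, which is why a dual-trust window only helps before the expiry date.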
CL https://golang.org/cl/38798 mentions this issue.
…hanges

No more self-signed cert on https://farmer.golang.org, so don't do the custom TLS dialing anymore. Just use the standard tls.Dial.

Updates golang/go#16442

Change-Id: I2e29cbde3294aaaa74c0e82150ffe985f3639209
Reviewed-on: https://go-review.googlesource.com/39750
Reviewed-by: Keith Randall <khr@golang.org>
Going to https://farmer.golang.org/try?commit=773db5cd produces a SEC_UNKNOWN_ISSUER in Firefox 47 on Windows 8.
The exported certificate looks like this: