Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/tools: gopls@go1.12 kokoro CI failing due to certificate expiry #48713

Closed
findleyr opened this issue Oct 1, 2021 · 9 comments
Closed

x/tools: gopls@go1.12 kokoro CI failing due to certificate expiry #48713

findleyr opened this issue Oct 1, 2021 · 9 comments
Labels
FrozenDueToAge gopls Issues related to the Go language server, gopls. NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. Tools This label describes issues relating to any tools in the x/tools repository.

Comments

@findleyr
Copy link
Contributor

findleyr commented Oct 1, 2021

Our legacy gopls CI is failing at Go 1.12 with the following error:

fatal: unable to access 'https://gopkg.in/check.v1/': server certificate verification failed. CAfile: none CRLfile: none

I'll disable this builder temporarily while I look into the fix.
@findleyr findleyr added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Oct 1, 2021
@findleyr findleyr self-assigned this Oct 1, 2021
@gopherbot gopherbot added the Tools This label describes issues relating to any tools in the x/tools repository. label Oct 1, 2021
@gopherbot gopherbot added this to the Unreleased milestone Oct 1, 2021
@findleyr findleyr added the gopls Issues related to the Go language server, gopls. label Oct 1, 2021
@findleyr
Copy link
Contributor Author

findleyr commented Oct 1, 2021

(related: #48700)

@findleyr
Copy link
Contributor Author

findleyr commented Oct 1, 2021

The problematic 1.12 build is disabled. Failures can be retried by commenting 'kokoro rerun' on the broken CL.

@BewareMyPower
Copy link

I see similar problems in Ubuntu container.

go: gopkg.in/check.v1@v1.0.0-20190902080502-41f04d3bba15: git fetch -f https://gopkg.in/check.v1 refs/heads/*:refs/heads/* refs/tags/*:refs/tags/* in /go/pkg/mod/cache/vcs/7e5fa1eab4705eb80c9746632736cea906708d060702d529df6241d1c8c2c9f9: exit status 128:
	fatal: unable to access 'https://gopkg.in/check.v1/': server certificate verification failed. CAfile: none CRLfile: none
go: gopkg.in/check.v1@v1.0.0-20180628173108-788fd7840127: unknown revision 788fd7840127
go: finding golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5
go: gopkg.in/tomb.v1@v1.0.0-20141024135613-dd632973f1e7: git fetch -f https://gopkg.in/tomb.v1 refs/heads/*:refs/heads/* refs/tags/*:refs/tags/* in /go/pkg/mod/cache/vcs/95acae1f863cd3698780e83ddc42f6ad6cd0ab1cb79143808a7de7300ae4df93: exit status 128:
	fatal: unable to access 'https://gopkg.in/tomb.v1/': server certificate verification failed. CAfile: none CRLfile: none

I found a Reddit thread about this problem: https://www.reddit.com/r/golang/comments/pz65s1/is_gopkgin_down_again/

I tried to run update-ca-certificates --fresh in Ubuntu container but it doesn't work.

@findleyr
Copy link
Contributor Author

findleyr commented Oct 7, 2021

This is fixed for x/tools by setting an explicit GOPROXY value.

@findleyr findleyr closed this as completed Oct 7, 2021
@dpramani
Copy link

dpramani commented Oct 8, 2021

Hi Findleyr

Thanks for looking into this.
Can you please elaborate on how we can get past this ?
I am also getting the same error as @BewareMyPower, followed by error loading modules.

Thanks

@dpramani
Copy link

The reddit thread helped me. Thanks @BewareMyPower
https://www.reddit.com/r/golang/comments/pz65s1/is_gopkgin_down_again/hfkso9g/

Added the following command to my service inside docker compose.
command: > sh -c "apt update && apt install ca-certificates libgnutls30 -y && go test ./..."

Thanks

@findleyr
Copy link
Contributor Author

Ack, thanks.

In my case I set GOPROXY=https://proxy.golang.org (I had wanted to use the proxy for 1.12 CI anyway).

@dpramani
Copy link

dpramani commented Oct 11, 2021
edited

Yeah I did that too. The modules were loading fine with that. But I have a rabbitmq dependency in my service. I was facing issues with connecting to that container. So went with the above solution but GOPROXY=https://proxy.golang.org inside service's enviroment, will also work. @findleyr Thanks for that solution.

@dpramani dpramani mentioned this issue Oct 11, 2021
Closed
@stamblerre stamblerre removed this from the gopls/on-deck milestone Oct 11, 2021
@niemeyer
Copy link
Contributor

For the record, the issue here is that these clients have an outdated root certificate bundle with an expired certificate. The certificate we use in gopkg.in is up-to-date according to the current Let's Encrypt root certs.

There are more details about the issue here:

https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

@golang golang locked and limited conversation to collaborators Jun 23, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge gopls Issues related to the Go language server, gopls. NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. Tools This label describes issues relating to any tools in the x/tools repository.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@niemeyer @stamblerre @gopherbot @BewareMyPower @dpramani @findleyr