Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update CI for Febuary 2025 #156

Merged
merged 2 commits into from
Feb 11, 2025
Merged

Update CI for Febuary 2025 #156

merged 2 commits into from
Feb 11, 2025

Conversation

complexspaces
Copy link
Collaborator

@complexspaces complexspaces commented Jan 31, 2025
edited
Loading

This PR does two things for CI maintenance:

  • Updates real world test certs via running update_valid_ee_certs.rs
    • The new letsencrypt.org certificate is issued by the E6 intermediate instead of E5. To match I updated that chain's intermediate locally by downloading it from https://letsencrypt.org/certificates/.
  • Moves to a non-deprecated Nix cache action, per the current GHA deprecation warning I saw on Update the crate version in README #155.

@complexspaces complexspaces requested a review from djc January 31, 2025 19:37
@complexspaces
Copy link
Collaborator Author

Either I ran the update script wrong or something else bitrotted with it and the certificate update went south. The new one seems completely wrong according to CI.

@complexspaces complexspaces mentioned this pull request Jan 31, 2025
Merged
@complexspaces
ci: update Nix cache to avoid deprecation notice
736b8ea 
```
Magic Nix Cache is deprecated

Magic Nix Cache has been deprecated due to a change in the underlying GitHub APIs and will stop working on 1 February 2025.
To continue caching Nix builds in GitHub Actions, use FlakeHub Cache instead.

Replace...
        uses: DeterminateSystems/magic-nix-cache-action@main

...with...
        uses: DeterminateSystems/flakehub-cache-action@main

For more details: https://dtr.mn/magic-nix-cache-eol
```
@complexspaces
Copy link
Collaborator Author

complexspaces commented Jan 31, 2025
edited
Loading

This is a new failure: cargo test passes locally for me (macOS 15.3 and 15.2) but in CI we are now getting this error I haven't seen before:

---- tests::verification_real_world::tests::letsencrypt stdout ----
thread 'tests::verification_real_world::tests::letsencrypt' panicked at rustls-platform-verifier/src/tests/mod.rs:51:9:
assertion `left == right` failed
  left: Err(InvalidCertificate(Other(OtherError("“letsencrypt.org” certificate is not standards compliant: -67825"))))
 right: Ok(())
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

The error code in the headers corresponds to a generic verification failure, so that error message might be all we have:

errSecVerifyActionFailed                 = -67825,    /* A verify action has failed. */

I'm not sure what would be causing this. If I convert the PEM given to me by Firefox on letsencrypt.org, it matches byte-by-byte compared to what I've checked in and pushed. I think we can rule out it being valid too long because:

  • The end entity is valid for the usual 90 days
  • The updated E6 intermediate doesn't have any longer of a life then the previous E5 one.

@complexspaces
Copy link
Collaborator Author

Someone elsewhere said that they saw this on a production macOS system and it was fixed eventually by updating macOS. I tried running the tests in macOS 15 (macos-latest is still at 14) and 13 runners but the same issue occurs.

@complexspaces complexspaces requested a review from cpu February 11, 2025 21:35
@complexspaces
Copy link
Collaborator Author

complexspaces commented Feb 11, 2025
edited
Loading

As an update here, I was able to finally get the test failures reproducing locally 😦. Out of ideas I just tried updating the LE leaf certificate again since it renewed recently and that seemed to have just fixed the "standards compliance" issue macOS was upset about.

I hope this doesn't happen again in the future because it seems to have just been completely random and opaque.

As CI is now passing: @djc @cpu do you mind stamping this to get #158 unblocked?

@complexspaces complexspaces mentioned this pull request Feb 11, 2025
Merged
@cpu
Copy link
Member

cpu commented Feb 11, 2025

Out of ideas I just tried updating the LE leaf certificate again since it renewed recently and that seemed to have just fixed the "standards compliance" issue macOS was upset about.

So weird! 😕

cpu
cpu approved these changes Feb 11, 2025
View reviewed changes
Copy link
Member

@cpu cpu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for fixing this

@complexspaces complexspaces merged commit 8c610dd into main Feb 11, 2025
21 checks passed
@complexspaces complexspaces deleted the ci-fixes-jan branch February 11, 2025 21:45
@complexspaces complexspaces changed the title Update CI for January 2025 Update CI for Febuary 2025 Feb 11, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cpu cpu cpu approved these changes

@ctz ctz ctz approved these changes

@djc djc Awaiting requested review from djc

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@complexspaces @cpu @ctz