This repository has been archived by the owner on Jun 4, 2021. It is now read-only.

Pushes to gitlab fail with SSL error #150

Open
nlopezgi opened this issue May 1, 2019 · 6 comments

nlopezgi commented May 1, 2019

from bazelbuild/rules_docker#820:

When attempting to run a docker push through a container_push rule to a registry.gitlab.com target, I am receiving the following error:

```
registry.gitlab.com/gauntletwizard/bazel-go:{BUILD_EMBED_LABEL} was resolved to registry.gitlab.com/gauntletwizard/bazel-go:foo
F0430 20:27:05.873595 4586 fast_pusher_.py:194] Error publishing registry.gitlab.com/gauntletwizard/bazel-go:foo: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)
```

Users report they have made no change to their dependencies. Error is coming from containerregistry libraries so posting here. My suspicion is something changed in registry.gitlab.com that makes it so that containerregistry is no longer able to validate certificates.


s-garg commented May 2, 2019

@nlopezgi Is there a way to set PYTHONHTTPSVERIFY property in bazel, such that it trickles down to containerregistry? (found this thread to turn off cert verification in python: http://blog.pengyifan.com/how-to-fix-python-ssl-certificate_verify_failed/)

Also is it possible to figure out for which URL cert verification is failing? The SSL cert for https://registry.gitlab.com seems to be fine - current cert is valid from March 23rd, 2019 - May 22nd, 2020.


s-garg commented May 6, 2019

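The issue is coming from httplib2. You can reproduce the issue using the following Python code:

```python
import httplib2

# Default Http() verifies against httplib2's bundled cacerts.txt
h = httplib2.Http()
h.request('https://registry.gitlab.com')
```

And the issue can be resolved by adding the root certificate to the Http definition.

```python
import httplib2

# ca_certs must be passed by keyword: the first positional argument of Http() is the cache
h = httplib2.Http(ca_certs='./USERTrustRSACertificationAuthority.crt')
h.request('https://registry.gitlab.com')
```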

The root certificates used by httplib2 are coming from the cacerts.txt file.
(https://github.com/httplib2/httplib2/blob/master/python2/httplib2/cacerts.txt)

registry.gitlab.com probably switched the root CA last week and that has triggered the problem.

I don't see any option in the containerregistry registry code to specify a CACerts file.
I see three open PRs related to configuring CA Certs.

However, they have been open for a while. Is there any workaround for this problem that others have used?
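
One way to check which CA bundle fails for which host while leaving verification on, as an added example that is not code from this thread or from containerregistry/httplib2. It uses only the Python 3 standard library; `build_context`, `probe`, `compare_bundles` and the local `cacerts.txt` path are hypothetical names.

```python
import socket
import ssl


def build_context(ca_bundle=None):
    """Verifying client context trusting only ca_bundle, or the OS store if None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    if ca_bundle is None:
        ctx.load_default_certs()
    else:
        ctx.load_verify_locations(cafile=ca_bundle)
    return ctx


def probe(host, ca_bundle=None, port=443, timeout=5.0):
    """Handshake with host:port and report whether the chain verifies."""
    result = {"host": host, "bundle": ca_bundle or "system", "status": None, "detail": ""}
    try:
        ctx = build_context(ca_bundle)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                result["status"] = "verified"
                result["detail"] = "leaf issued by " + issuer.get("commonName", "?")
    except ssl.SSLCertVerificationError as exc:
        # Same failure class as CERTIFICATE_VERIFY_FAILED in the push log.
        result["status"] = "verify_failed"
        result["detail"] = exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        # Unreadable bundle, refused connection, timeout or protocol error.
        result["status"] = "error"
        result["detail"] = str(exc)
    return result


def compare_bundles(host, bundles, port=443):
    """Probe one host against several bundles; None means the OS trust store."""
    return [probe(host, bundle, port) for bundle in bundles]


if __name__ == "__main__":
    # Assumption: a copy of httplib2's cacerts.txt sits in the working directory.
    for row in compare_bundles("registry.gitlab.com", [None, "cacerts.txt"]):
        print(row)
```

A `verify_failed` row for one bundle next to a `verified` row for another points at a root missing from the first bundle rather than at a bad server certificate.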

@KaylaNguyen
Contributor

I'll try updating httplib2 for containerregistry.

@arcticwaters

Until support is available in httplib2, use an http_archive patch: https://gist.github.com/arcticwaters/d3310d2b6e362a277501615c6ff07878. This patch works for gitlab.

Containerregistry won't register that repository if one is already defined so it has to go at the top of your WORKSPACE. Downside: you'll have to remember to update when containerregistry updates httplib2.


s-garg commented May 11, 2019

I came up with my own hack to get it to work. But the patch approach seems better. Thanks for sharing!

@palvarez89

This is still a problem. Is anybody looking into it?

finnball pushed a commit to CodethinkLabs/remote-apis-testing that referenced this issue May 31, 2019
@jonjohnsonjr jonjohnsonjr mentioned this issue Mar 5, 2020