Travis CI errors with EMACS_BINARY=emacs-git-snapshot-travis #2120
Comments
|
Thanks for looking into this and opening the ticket. Working against the broken CI is not fun. |
|
I'm taking some time to look at this (if that's okay?) I'm starting by pulling the docker image they use for travis builds (they've published the images) with the intent to reproduce the issue locally. If so then the debugging will go much faster, compared to branching pushing .travis.yml over and over. |
|
It's more than OK - it's much appreciated! |
|
I’m not 100% certain but the problem “feels” intermittent, in particular item 2 below
|
|
The cert for elpa.gnu.org has extra certs: https://www.ssllabs.com/ssltest/analyze.html?d=elpa.gnu.org where certificate[0] and certificate[1] are identical. Is the duplication considered "out of order?" because I've seen references to out-of-order certificates in the chain not being supported by gnutls-cli. And indeed, |
|
Might be best to post this to the Emacs dev mailing list, as the maintainers of GNU ELPA are all there and are probably way more knowledgable on the subject than me. |
|
Agree. I’m wondering if it’s the version of gnutls on Ubuntu 14.04. (And why is Travis on such an ancient os?) Newer releases of gnutls may not have a problem with that chain.
… On Dec 9, 2017, at 11:52 PM, Bozhidar Batsov ***@***.***> wrote:
Might be best to post this to the Emacs dev mailing list, as the maintainers of GNU ELPA are all there and are probably way more knowledgable on the subject than me.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
... and success on Ubuntu 16.04 which happens to use gnutls-cli 3.4.10. It suggests how we're going to fix this. |
|
I'm getting close to a solution. Basically the idea is to install a newer version of gnutls-cli for the builds, because the default version that ships in Ubuntu 14.04 is out of date. The actual implementation is a little more involved, unfortunately, because I'm having to build gnutls-cli and one of its dependencies from source, and I'm trying to cache those builds to avoid excessive CI turnaround times. |
Fixes the Travis CI build errors reported in #2120. Diffs to .travis.yml are as follows: (1) I've added some explicit package dependencies into addons.apt.packages. This is basically the compiler toolchain needed to build gnutls from source (2) Configured $HOME/local to be cached by Travis between subsequent builds. This is done with the setting cache.directories. See Travis documentation for further information about the caching of data. Basically, the contents of that folder are rolled up into a tar ball and saved to an S3 bucket whenever the contents change. The tarball is retrieved and installed prior to the start of your CI job. (3) Added a utility script named travis-ci/travis-gnutls.sh which handles the downloading and compiling of the sources. The script is organized so that the version of gnutls can be easily updated whenever needed. Just edit the version numbers in that script and push the change. The script is able to detect when it doesn't have the specific version requested, and when that happens it deletes the cache and rebuilds gnutls. (4) While I was at it, I added emacs 25.3-travis and 26-pretest-travis to the build matrix. Note that git-snapshot-travis now reports itself as being version 27. (Also note, emacs 26 and 27 are still broken builds, but at least now it's not because of the build script itself.)
|
Btw, another approach would be to just use own docker image https://docs.travis-ci.com/user/docker/ Might be better in the long run, and simpler perhaps. |
|
On ubuntu 14.04 you may also be able to run |
|
Hi @timvisher it was a combination of factors including ca-certificates and also the version of gnutls-cli. See #2128 for details. |
|
Cool. Nevermind me. Just lurking and wishing I could help more. :) |
|
@bbatsov, ok to close this? |
|
Sure. |
Is this solved now or...? |
|
Well yes, the TLS certificate / trust issue is fixed. That was a combination of a missing ca-certificates.crt file, and an older version of gnutls-cli being installed. However there are still intermittent network issues causing builds to fail. These issues manifest themselves as disconnects during the download (or update) of other dependencies in the build. That's ticket #2129, and I'm working on that too. |
|
For historical reference: According to this email the format of the TLS cert on elpa.gnu.org was fixed by the FSF server administrators. In principle this means we could attempt to remove the custom "install-gnutls.sh" from the Travis CI builds. But that's probably irrelevant if we move to CircleCI, as I suspect we will. |
Expected behavior
Travis tests should succeed
Actual behavior
Travis tests are failing in the "before_script".
Steps to reproduce the problem
See a recent build, for example
https://travis-ci.org/clojure-emacs/cider/builds/307426738
I noticed this issue when submitting #2111. Copying some of that discussion into a new issue to keep the other ticket clean.
Analysis
With respect to the TLS error in Travis... I think the difference is emacs versions <=25.2 fall back to s_client when gnutls-cli fails, but emacs 26 does not (see discussion in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=766397 and commit
emacs-mirror/emacs@6e45de6)
Even in the failed Travis jobs, there's a point where evm successfully bootstraps itself using emacs-24.3-travis: https://travis-ci.org/clojure-emacs/cider/jobs/307715504#L485-L492
where you see it's the s_client attempt that actually succeeds.
The build failure occurs later, as cask is installing dependencies for emacs-git-snapshot-travis:
https://travis-ci.org/clojure-emacs/cider/jobs/307715504#L879-L885
and you can see there is no s_client fallback attempt.
I poked around a little bit and discovered elpa.gnu.org and melpa.org are using certs from Let's Encrypt. However the Travis CI workers happen to be running Ubuntu 14.04, and I haven't checked, but it seems likely they do not have the CA certs required to complete the chain of trust for those Lets Encrypt certs. If so, then the solution would be to do whatever incantations are necessary in the .travis.yml to make that happen.
Links
For posterity here are some references.
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1373422
https://tools.ietf.org/html/rfc5246
https://www.ssllabs.com/ssltest/analyze.html?d=elpa.gnu.org
https://cryptoreport.websecurity.symantec.com/checker/
The text was updated successfully, but these errors were encountered: