Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Tests] exclude expired LetsEncrypt CA #2623

Merged
merged 1 commit into from
Oct 6, 2021
Merged

[Tests] exclude expired LetsEncrypt CA #2623

merged 1 commit into from
Oct 6, 2021

Conversation

rickbutton
Copy link

🤷‍♂️ who knows if this works lets find out

@ljharb
Copy link
Member

ljharb commented Oct 6, 2021

Worth a shot! I just tried https://app.travis-ci.com/github/nvm-sh/nvm/jobs/541600178 and it didn't work, but this is slightly different.

@ljharb
Copy link
Member

ljharb commented Oct 6, 2021

Sadly no, same failure :-/

Let's keep this open tho and use it for experimentation.

@ljharb ljharb added the testing Stuff related to testing nvm itself. label Oct 6, 2021
@ljharb
[Tests] blacklist expired LetsEncrypt CA
2bda9fd 
workaround for TravisCI's ubuntu 16.04
@rickbutton rickbutton force-pushed the patch-1 branch 2 times, most recently from c413b8a to ca339bb Compare October 6, 2021 05:54
@rickbutton
Copy link
Author

rickbutton commented Oct 6, 2021
edited
Loading

I think I've fixed it by replacing

mozilla/DST_Root_CA_X3.crt

with

!mozilla/DST_Root_CA_X3.crt

in /etc/ca-certificates.conf and running update-ca-certificates which will blacklist that specific expired CA certficate. For whatever reason curl is still failing with the openssl bug that forces the expired cert to be chosen even after updating, but just dropping the cert will fix it. Any downstream LetsEncrypt certs that aren't expired can use the new chain, so should be fine.

thanks for the nerd snipe :)

@ljharb
Copy link
Member

ljharb commented Oct 6, 2021

ooh! thank you!!

travis folks also just suggested:
sudo apt update && sudo apt install libgnutls-openssl27 libgnutls30

i'm going to try that real quick to see if that works, because that'll be a bit less hacky than the sed :-)

@ljharb
Copy link
Member

ljharb commented Oct 6, 2021

Their suggestion fixes the curl tests, but not the wget tests. I'm waiting to hear back from them.

@ljharb ljharb changed the title fix: install latest openssl to fix TravisCI [Tests] blacklist expired LetsEncrypt CA Oct 6, 2021
@ljharb
Copy link
Member

ljharb commented Oct 6, 2021

Going to go ahead and land just your fix, and we can iterate on travis' suggestion later. Thanks!

@ljharb ljharb added the hacktoberfest-accepted If you're interested in a free shirt, this PR counts towards it. label Oct 6, 2021
@ljharb ljharb changed the base branch from npm8 to master October 6, 2021 16:32
@ljharb ljharb merged commit 2bda9fd into nvm-sh:master Oct 6, 2021
@ljharb ljharb changed the title [Tests] blacklist expired LetsEncrypt CA [Tests] exclude expired LetsEncrypt CA Oct 6, 2021
@ljharb ljharb mentioned this pull request Oct 6, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ljharb ljharb ljharb approved these changes

Assignees
No one assigned
Labels
hacktoberfest-accepted If you're interested in a free shirt, this PR counts towards it. testing Stuff related to testing nvm itself.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rickbutton @ljharb