llvm dev - Sep 2021 - Unable to access Phabricator via arcanist

It looks like somebody also already opened a PR in phacility/arcanist regarding
this issue:
https://github.com/phacility/arcanist/pull/259/commits/e3659d43d8911e91739f3b0c5935598bceb859aa

From: llvm-dev <llvm-dev-bounces at lists.llvm.org> on behalf of Shoaib
Meenai via llvm-dev <llvm-dev at lists.llvm.org>
Date: Thursday, September 30, 2021 at 11:29 AM
To: Chris Tetreault <ctetreau at quicinc.com>, Mehdi AMINI <joker.eph
at gmail.com>
Cc: llvm-dev at lists.llvm.org <llvm-dev at lists.llvm.org>
Subject: Re: [llvm-dev] Unable to access Phabricator via arcanist
A coworker was running into similar issues internally, and it appeared to be
related to
https://docs.certifytheweb.com/docs/kb/kb-202109-letsencrypt/<https://docs.certifytheweb.com/docs/kb/kb-202109-letsencrypt/>
. He had to update custom.pem inside arcanist/resources/ssl (he copied it over
from an internal certificate bundle) ... the README in that directory has more
information.

On 9/30/21, 10:25 AM, "llvm-dev on behalf of Chris Tetreault via
llvm-dev" <llvm-dev-bounces at lists.llvm.org on behalf of llvm-dev at
lists.llvm.org> wrote:

    On both machines, I can go directly to the page. On the windows machine,
curl retrieves the page. On the linux machine, I get a similar error:

    ```
    curl https://reviews.llvm.org<https://reviews.llvm.org>
    curl: (60) server certificate verification failed. CAfile:
/etc/ssl/certs/ca-certificates.crt CRLfile: none
    More details here:
http://curl.haxx.se/docs/sslcerts.html<http://curl.haxx.se/docs/sslcerts.html>

    curl performs SSL certificate verification by default, using a
"bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate,
use
     the -k (or --insecure) option.
    ```

    If the problem is purely on my end, I suppose I can take it from here.
Thanks for the help!

    Thanks,
       Chris Tetreault

    -----Original Message-----
    From: Mehdi AMINI <joker.eph at gmail.com>
    Sent: Thursday, September 30, 2021 10:06 AM
    To: Chris Tetreault <ctetreau at quicinc.com>
    Cc: llvm-dev at lists.llvm.org
    Subject: Re: [llvm-dev] Unable to access Phabricator via arcanist

    WARNING: This email originated from outside of Qualcomm. Please be wary of
any links or attachments, and do not enable macros.

    On this machine, does it work when you use a browser?

    What about curl on the command line?
    Try: curl https://reviews.llvm.org/<https://reviews.llvm.org/>

    If curl reproduces the issue, there are many tracing/debug options for curl.

    Also I don't know if you tried the --trace option that arc suggests and
if it gave more info?

    --
    Mehdi


    On Thu, Sep 30, 2021 at 9:40 AM Chris Tetreault via llvm-dev <llvm-dev at
lists.llvm.org> wrote:
    >
    > I’m having issues using arcanist to access Phabricator this morning. I
tried commands from two different machines that worked yesterday, and I’m
getting certificate issues:
    >
    >
    >
    > (from a windows machine, worked yesterday)
    >
    > $ arc diff
    >
    > Exception
    >
    > [cURL/60] (https://reviews.llvm.org/api/user.whoami  )
<CURLE_SSL_CACERT> There was an error verifying the SSL connection. This
usually indicates that the remote host has an SSL certificate for a different
domain name than you are connecting with. Make sure the certificate you have
installed is signed for the correct domain.
    >
    > (Run with `--trace` for a full exception trace.)
    >
    >
    >
    > (from a linux machine, worked recently)
    >
    > $ arc patch D110747
    >
    > Exception
    >
    > [cURL/60] (https://reviews.llvm.org/api/differential.querydiffs  )
<CURLE_SSL_CACERT> There was an error verifying the SSL Certificate
Authority while negotiating the SSL connection. This usually indicates that you
are using a self-signed certificate but have not added your CA to the CA bundle.
See instructions in "libphutil/resources/ssl/README".
    >
    > (Run with `--trace` for a full exception trace.)
    >
    >
    >
    > Is anybody else seeing this? If it’s an issue on my side, has anybody
else seen this issue before and knows what I need to do to fix it?
    >
    >
    >
    > Thanks,
    >
    >    Chris Tetreault
    >
    > _______________________________________________
    > LLVM Developers mailing list
    > llvm-dev at lists.llvm.org
    >
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev<https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev>
    _______________________________________________
    LLVM Developers mailing list
    llvm-dev at lists.llvm.org
   
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev<https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev>

_______________________________________________
LLVM Developers mailing list
llvm-dev at lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev<https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.llvm.org/pipermail/llvm-dev/attachments/20210930/b2929cbd/attachment.html>

Makes sense. Hopefully upstream arcanist gets this sorted in the next day or two
and some official patch or git pull from main will sort it out. I prefer not to
go fiddling with ssh configs if possible. In the meantime, I have other fires to
put out. 😊 Thanks for doing the legwork and reporting your findings!

Thanks,
   Chris Tetreault

From: Rafael Auler <rafaelauler at fb.com>
Sent: Thursday, September 30, 2021 12:03 PM
To: Shoaib Meenai <smeenai at fb.com>; Chris Tetreault <ctetreau at
quicinc.com>; Mehdi AMINI <joker.eph at gmail.com>
Cc: llvm-dev at lists.llvm.org
Subject: Re: [llvm-dev] Unable to access Phabricator via arcanist


WARNING: This email originated from outside of Qualcomm. Please be wary of any
links or attachments, and do not enable macros.
It looks like somebody also already opened a PR in phacility/arcanist regarding
this issue:
https://github.com/phacility/arcanist/pull/259/commits/e3659d43d8911e91739f3b0c5935598bceb859aa

From: llvm-dev <llvm-dev-bounces at lists.llvm.org<mailto:llvm-dev-bounces
at lists.llvm.org>> on behalf of Shoaib Meenai via llvm-dev <llvm-dev
at lists.llvm.org<mailto:llvm-dev at lists.llvm.org>>
Date: Thursday, September 30, 2021 at 11:29 AM
To: Chris Tetreault <ctetreau at quicinc.com<mailto:ctetreau at
quicinc.com>>, Mehdi AMINI <joker.eph at gmail.com<mailto:joker.eph
at gmail.com>>
Cc: llvm-dev at lists.llvm.org<mailto:llvm-dev at lists.llvm.org>
<llvm-dev at lists.llvm.org<mailto:llvm-dev at lists.llvm.org>>
Subject: Re: [llvm-dev] Unable to access Phabricator via arcanist
A coworker was running into similar issues internally, and it appeared to be
related to https://docs.certifytheweb.com/docs/kb/kb-202109-letsencrypt/ . He
had to update custom.pem inside arcanist/resources/ssl (he copied it over from
an internal certificate bundle) ... the README in that directory has more
information.

On 9/30/21, 10:25 AM, "llvm-dev on behalf of Chris Tetreault via
llvm-dev" <llvm-dev-bounces at lists.llvm.org on behalf of llvm-dev at
lists.llvm.org<mailto:llvm-dev-bounces at
lists.llvm.org%20on%20behalf%20of%20llvm-dev at lists.llvm.org>> wrote:

    On both machines, I can go directly to the page. On the windows machine,
curl retrieves the page. On the linux machine, I get a similar error:

    ```
    curl https://reviews.llvm.org
    curl: (60) server certificate verification failed. CAfile:
/etc/ssl/certs/ca-certificates.crt CRLfile: none
    More details here: http://curl.haxx.se/docs/sslcerts.html

    curl performs SSL certificate verification by default, using a
"bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate,
use
     the -k (or --insecure) option.
    ```

    If the problem is purely on my end, I suppose I can take it from here.
Thanks for the help!

    Thanks,
       Chris Tetreault

    -----Original Message-----
    From: Mehdi AMINI <joker.eph at gmail.com<mailto:joker.eph at
gmail.com>>
    Sent: Thursday, September 30, 2021 10:06 AM
    To: Chris Tetreault <ctetreau at quicinc.com<mailto:ctetreau at
quicinc.com>>
    Cc: llvm-dev at lists.llvm.org<mailto:llvm-dev at lists.llvm.org>
    Subject: Re: [llvm-dev] Unable to access Phabricator via arcanist

    WARNING: This email originated from outside of Qualcomm. Please be wary of
any links or attachments, and do not enable macros.

    On this machine, does it work when you use a browser?

    What about curl on the command line?
    Try: curl https://reviews.llvm.org/

    If curl reproduces the issue, there are many tracing/debug options for curl.

    Also I don't know if you tried the --trace option that arc suggests and
if it gave more info?

    --
    Mehdi


    On Thu, Sep 30, 2021 at 9:40 AM Chris Tetreault via llvm-dev <llvm-dev at
lists.llvm.org<mailto:llvm-dev at lists.llvm.org>> wrote:
    >
    > I’m having issues using arcanist to access Phabricator this morning. I
tried commands from two different machines that worked yesterday, and I’m
getting certificate issues:
    >
    >
    >
    > (from a windows machine, worked yesterday)
    >
    > $ arc diff
    >
    > Exception
    >
    > [cURL/60] (https://reviews.llvm.org/api/user.whoami )
<CURLE_SSL_CACERT> There was an error verifying the SSL connection. This
usually indicates that the remote host has an SSL certificate for a different
domain name than you are connecting with. Make sure the certificate you have
installed is signed for the correct domain.
    >
    > (Run with `--trace` for a full exception trace.)
    >
    >
    >
    > (from a linux machine, worked recently)
    >
    > $ arc patch D110747
    >
    > Exception
    >
    > [cURL/60] (https://reviews.llvm.org/api/differential.querydiffs )
<CURLE_SSL_CACERT> There was an error verifying the SSL Certificate
Authority while negotiating the SSL connection. This usually indicates that you
are using a self-signed certificate but have not added your CA to the CA bundle.
See instructions in "libphutil/resources/ssl/README".
    >
    > (Run with `--trace` for a full exception trace.)
    >
    >
    >
    > Is anybody else seeing this? If it’s an issue on my side, has anybody
else seen this issue before and knows what I need to do to fix it?
    >
    >
    >
    > Thanks,
    >
    >    Chris Tetreault
    >
    > _______________________________________________
    > LLVM Developers mailing list
    > llvm-dev at lists.llvm.org<mailto:llvm-dev at lists.llvm.org>
    > https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
    _______________________________________________
    LLVM Developers mailing list
    llvm-dev at lists.llvm.org<mailto:llvm-dev at lists.llvm.org>
    https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev

_______________________________________________
LLVM Developers mailing list
llvm-dev at lists.llvm.org<mailto:llvm-dev at lists.llvm.org>
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.llvm.org/pipermail/llvm-dev/attachments/20210930/f52bc890/attachment.html>