Invalid certificates (Let's Encrypt related) #8555
What are the required steps that Read the Docs should follow to do this?
Do you have an example of a build URL failing with this error?
https://readthedocs.org/api/v2/build/14898416.txt
I don't know exactly how you manage your VMs but you need to patch the system certificate of your Linux (Ubuntu LTS?) to use the new Let's Encrypt certificate (most probably Ubuntu release an update for OpenSSL or something like that, I don't use this distro so I don't know exactly)
Thanks for your reply. I found what's required: Now the problems 😞 . To update However, we can easily rebuild our latest one (
Another workaround would be to execute
I think we should be able to rebuild all the images, not just our beta image. Ubuntu releases are stable enough that I would trust things to work. Package versions do not drift heavily once in an LTS
That's fine with me 👍 can you ping me once that's done? I don't think a workaround is a good idea, the first option would probably save you some work when others start having that same issue
Wouldn't that introduce a chicken and egg problem whereby the repo needs to be able to be cloned so that the configuration required to clone the repo can be read?
I am experiencing the same problem as op described. My code repository is hosted on a GitLab server. If there is something with which I (a noob) could help, please let me know.
Yes. I may express myself wrong here. We use a default Docker image to run However, even if the
This is a temporary solution while we decide how to fix the real problem. For now, we are installing a newer version of `ca-certificates` before starting to clone the repository. Reference #8555
@humitos can I approve the PR or does it have to be someone from RtD?
that's a core team decision, but if you have any feedback there, feel free to comment!
thought so, so no, nothing to change on my side; I think this is the right server-side fix for now
We deployed a quick and temporary fix for now. Please, let us know if you still have issues with the certificates. Thanks!
I can confirm that the hotfix fixed our project build. Thanks a lot everyone!
This Docker image does not contain any change in the Dockerfile. However, as it re-builds completely, new versions of the same packages will be installed. We are forcing this because we've hit issues with the old `ca-certificates` version installed in our current production image. See readthedocs/readthedocs.org#8555 Note that we are currently executing `apt-get install ca-certificates` on each build to upgrade this package and work around this problem. However, this adds extra time to _all builds_ and we want to avoid that. Also note that this will still be required for `readthedocs/build:latest` image, but we will hopefully use `readthedocs/build:ubuntu-20.04` as default image for the "Clonning" step sooner than later.
Probably due to the fact that the Let's Encrypt root certificate expired on 30 September 2021, trying to pull from many non-GitHub repositories leads to `server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none`. Would it be possible to update the certificates to resolve this?
This is for instance an issue when using submodules that are not hosted on GitHub.
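Added example, not part of the thread or of Read the Docs' code: a Python check that lists the CA certificates in a bundle whose validity has ended, to run inside a build image before and after upgrading `ca-certificates`. The default path is the one from the error message; `SAMPLE_RECORDS` and the names in it are constructed.

```python
import ssl
import sys
import time

# Path taken from the error message quoted in the issue.
DEFAULT_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"

# Constructed records in the shape SSLContext.get_ca_certs() returns.
SAMPLE_RECORDS = [
    {"subject": ((("organizationName", "Constructed Trust Co"),),
                 (("commonName", "Constructed Old Root"),)),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("commonName", "Constructed Current Root"),),),
     "notAfter": "Jun 14 11:04:38 2035 GMT"},
]

def load_ca_records(cafile=DEFAULT_BUNDLE):
    """Load the CA certificates from a PEM bundle and return their decoded fields."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=cafile)
    return ctx.get_ca_certs()

def subject_name(record):
    """Prefer the common name; fall back to the organization name."""
    fields = {key: value for rdn in record.get("subject", ()) for key, value in rdn}
    return fields.get("commonName") or fields.get("organizationName") or "<unnamed>"

def expired_cas(records, now=None):
    """Return sorted (name, notAfter) pairs for CAs that expired at or before `now`."""
    now = time.time() if now is None else now
    return sorted(
        (subject_name(r), r["notAfter"])
        for r in records
        if ssl.cert_time_to_seconds(r["notAfter"]) <= now
    )

if __name__ == "__main__":
    bundle = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_BUNDLE
    try:
        records = load_ca_records(bundle)
    except (OSError, ssl.SSLError) as exc:
        sys.exit(f"cannot read CA bundle {bundle}: {exc}")
    stale = expired_cas(records)
    for name, not_after in stale:
        print(f"EXPIRED  {not_after}  {name}")
    print(f"{len(stale)} of {len(records)} CA certificates in {bundle} have expired")
    sys.exit(1 if stale else 0)
```

The script exits non-zero when any expired CA is still in the bundle, so it can gate an image build.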