tamatebako/tebako

SSL Error for GitHub HTTPS

Closed this issue · 6 comments

https://github.com/metanorma/mn-samples-iso/actions/runs/8827676491/job/24236088982?pr=104

Somehow the SSL certificate failed to validate. Perhaps this is because of the Tebako SSL certificate store?

/__tebako_memfs__/lib/ruby/gems/3.1.0/gems/fontist-1.20.0/lib/fontist/font_installer.rb:95:in `download_file': Invalid URL: https://github.com/fontist/source-fonts/releases/download/v1.0/source-fonts-1.0.zip. Error: #<Down::SSLError: SSL_connect SYSCALL returned=5 errno=0 peeraddr=140.82.116.3:443 state=error: certificate verify failed>. (Fontist::Errors::InvalidResourceError)
	from /__tebako_memfs__/lib/ruby/gems/3.1.0/gems/fontist-1.20.0/lib/fontist/font_installer.rb:68:in `extract'
	from /__tebako_memfs__/lib/ruby/gems/3.1.0/gems/fontist-1.20.0/lib/fontist/font_installer.rb:51:in `block in install_font'
	from /__tebako_memfs__/lib/ruby/gems/3.1.0/gems/fontist-1.20.0/lib/fontist/font_installer.rb:59:in `block in run_in_temp_dir'
	from /__tebako_memfs__/lib/ruby/3.1.0/tmpdir.rb:96:in `mktmpdir'

This link redirects to another location:

$ curl -v -L https://github.com/fontist/source-fonts/releases/download/v1.0/source-fonts-1.0.zip
*   Trying 20.205.243.166:443...
* Connected to github.com (20.205.243.166) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=github.com
*  start date: Mar  7 00:00:00 2024 GMT
*  expire date: Mar  7 23:59:59 2025 GMT
*  subjectAltName: host "github.com" matched cert's "github.com"
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo ECC Domain Validation Secure Server CA
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://github.com/fontist/source-fonts/releases/download/v1.0/source-fonts-1.0.zip
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: github.com]
* [HTTP/2] [1] [:path: /fontist/source-fonts/releases/download/v1.0/source-fonts-1.0.zip]
* [HTTP/2] [1] [user-agent: curl/8.4.0]
* [HTTP/2] [1] [accept: */*]
> GET /fontist/source-fonts/releases/download/v1.0/source-fonts-1.0.zip HTTP/2
> Host: github.com
> User-Agent: curl/8.4.0
> Accept: */*
> 
< HTTP/2 302 
< server: GitHub.com
< date: Thu, 25 Apr 2024 07:05:16 GMT
< content-type: text/html; charset=utf-8
< vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
< location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/249704050/7feb3400-6dcf-11ea-92bf-d3849a1555d2?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240425%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240425T070516Z&X-Amz-Expires=300&X-Amz-Signature=52c4ef3cbe492079e79826320ba35c15a50c9fa661b7cfd1b4e1db349744803d&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=249704050&response-content-disposition=attachment%3B%20filename%3Dsource-fonts-1.0.zip&response-content-type=application%2Foctet-stream
< cache-control: no-cache
< strict-transport-security: max-age=31536000; includeSubdomains; preload
< x-frame-options: deny
< x-content-type-options: nosniff
< x-xss-protection: 0
< referrer-policy: no-referrer-when-downgrade
< content-security-policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.com raw.githubusercontent.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com api.githubcopilot.com objects-origin.githubusercontent.com *.actions.githubusercontent.com wss://*.actions.githubusercontent.com productionresultssa0.blob.core.windows.net/ productionresultssa1.blob.core.windows.net/ productionresultssa2.blob.core.windows.net/ productionresultssa3.blob.core.windows.net/ productionresultssa4.blob.core.windows.net/ productionresultssa5.blob.core.windows.net/ productionresultssa6.blob.core.windows.net/ productionresultssa7.blob.core.windows.net/ productionresultssa8.blob.core.windows.net/ productionresultssa9.blob.core.windows.net/ productionresultssa10.blob.core.windows.net/ productionresultssa11.blob.core.windows.net/ productionresultssa12.blob.core.windows.net/ productionresultssa13.blob.core.windows.net/ productionresultssa14.blob.core.windows.net/ productionresultssa15.blob.core.windows.net/ productionresultssa16.blob.core.windows.net/ productionresultssa17.blob.core.windows.net/ productionresultssa18.blob.core.windows.net/ productionresultssa19.blob.core.windows.net/ github-production-repository-image-32fea6.s3.amazonaws.com github-production-release-asset-2e65be.s3.amazonaws.com insights.github.com wss://alive.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com copilot-workspace.githubnext.com objects-origin.githubusercontent.com; frame-ancestors 'none'; frame-src viewscreen.githubusercontent.com notebooks.githubusercontent.com; img-src 'self' data: github.githubassets.com media.githubusercontent.com camo.githubusercontent.com 
identicons.github.com avatars.githubusercontent.com github-cloud.s3.amazonaws.com objects.githubusercontent.com secured-user-images.githubusercontent.com/ user-images.githubusercontent.com/ private-user-images.githubusercontent.com opengraph.githubassets.com github-production-user-asset-6210df.s3.amazonaws.com customer-stories-feed.github.com spotlights-feed.github.com objects-origin.githubusercontent.com *.githubusercontent.com; manifest-src 'self'; media-src github.com user-images.githubusercontent.com/ secured-user-images.githubusercontent.com/ private-user-images.githubusercontent.com github-production-user-asset-6210df.s3.amazonaws.com gist.github.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; upgrade-insecure-requests; worker-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/
< content-length: 0
< x-github-request-id: F329:267975:777AC9:82B7A2:662A00C2
< 
* Connection #0 to host github.com left intact
* Issue another request to this URL: 'https://objects.githubusercontent.com/github-production-release-asset-2e65be/249704050/7feb3400-6dcf-11ea-92bf-d3849a1555d2?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240425%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240425T070516Z&X-Amz-Expires=300&X-Amz-Signature=52c4ef3cbe492079e79826320ba35c15a50c9fa661b7cfd1b4e1db349744803d&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=249704050&response-content-disposition=attachment%3B%20filename%3Dsource-fonts-1.0.zip&response-content-type=application%2Foctet-stream'
*   Trying 185.199.109.133:443...
* Connected to objects.githubusercontent.com (185.199.109.133) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=*.github.io
*  start date: Mar 15 00:00:00 2024 GMT
*  expire date: Mar 14 23:59:59 2025 GMT
*  subjectAltName: host "objects.githubusercontent.com" matched cert's "*.githubusercontent.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://objects.githubusercontent.com/github-production-release-asset-2e65be/249704050/7feb3400-6dcf-11ea-92bf-d3849a1555d2?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240425%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240425T070516Z&X-Amz-Expires=300&X-Amz-Signature=52c4ef3cbe492079e79826320ba35c15a50c9fa661b7cfd1b4e1db349744803d&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=249704050&response-content-disposition=attachment%3B%20filename%3Dsource-fonts-1.0.zip&response-content-type=application%2Foctet-stream
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: objects.githubusercontent.com]
* [HTTP/2] [1] [:path: /github-production-release-asset-2e65be/249704050/7feb3400-6dcf-11ea-92bf-d3849a1555d2?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240425%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240425T070516Z&X-Amz-Expires=300&X-Amz-Signature=52c4ef3cbe492079e79826320ba35c15a50c9fa661b7cfd1b4e1db349744803d&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=249704050&response-content-disposition=attachment%3B%20filename%3Dsource-fonts-1.0.zip&response-content-type=application%2Foctet-stream]
* [HTTP/2] [1] [user-agent: curl/8.4.0]
* [HTTP/2] [1] [accept: */*]
> GET /github-production-release-asset-2e65be/249704050/7feb3400-6dcf-11ea-92bf-d3849a1555d2?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240425%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240425T070516Z&X-Amz-Expires=300&X-Amz-Signature=52c4ef3cbe492079e79826320ba35c15a50c9fa661b7cfd1b4e1db349744803d&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=249704050&response-content-disposition=attachment%3B%20filename%3Dsource-fonts-1.0.zip&response-content-type=application%2Foctet-stream HTTP/2
> Host: objects.githubusercontent.com
> User-Agent: curl/8.4.0
> Accept: */*
> 
< HTTP/2 200 
< content-type: application/octet-stream
< last-modified: Tue, 07 Dec 2021 11:56:05 GMT
< etag: "0x8D9B9788C44DB45"
< server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
< x-ms-request-id: 736634b9-001e-0048-4d37-91fc62000000
< x-ms-version: 2020-10-02
< x-ms-creation-time: Tue, 17 Aug 2021 10:14:31 GMT
< x-ms-lease-status: unlocked
< x-ms-lease-state: available
< x-ms-blob-type: BlockBlob
< content-disposition: attachment; filename=source-fonts-1.0.zip
< x-ms-server-encrypted: true
< via: 1.1 varnish, 1.1 varnish
< accept-ranges: bytes
< age: 111
< date: Thu, 25 Apr 2024 07:05:38 GMT
< x-served-by: cache-iad-kcgs7200065-IAD, cache-nrt-rjtf7700023-NRT
< x-cache: HIT, HIT
< x-cache-hits: 986, 0
< x-timer: S1714028739.770149,VS0,VE162
< content-length: 101440249
< 
Warning: Binary output can mess up your terminal. Use "--output -" to tell 
Warning: curl to output it to your terminal anyway, or consider "--output 
Warning: <FILE>" to save to a file.
* Failure writing output to destination
* Connection #1 to host objects.githubusercontent.com left intact

@ronaldtse
You are running that workflow on macos-latest, which changed from macos-12 amd64 to macos-14 arm64.
There may be some subtle difference that is causing the fault. It may be SSL related or, as you mentioned, Ruby related, since the Ruby build configuration is very volatile depending on OS version and CPU.

Thanks @maxirmx. These workflows are just on GHA, so I wonder if the change has to do with Tebako's SSL configuration.

I'm researching what can be done on the fontist/Ruby side. Meanwhile, this Ruby script can be used to test the SSL configuration on any machine:

#!/usr/bin/env ruby

require "net/http"

uri = URI('https://github.com/fontist/source-fonts/releases/download/v1.0/source-fonts-1.0.zip')

http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.set_debug_output($stdout)  # dump the request/response exchange, including the handshake outcome

# Uncomment one of these to force a specific CA bundle path (the second one
# reproduces what happens when the bundle is missing):
# http.ca_file = "/etc/ssl/cert.pem"
# http.ca_file = "/etc/ssl/cert-nonexistent.pem"

http.start do |h|
  request = Net::HTTP::Head.new(uri)  # HEAD is enough to exercise certificate verification
  response = h.request(request)

  puts "RESPONSE:"
  puts response
end

Well, I believe I have explained the issue above.
You are running this https://github.com/metanorma/mn-samples-
macos-latest has recently changed from macos-12 amd64 to macos-14 arm64.

There is no magic in the issue you experience. Running an amd64 tebako package on arm64 is not supported.

You have several options (not mutually exclusive):

  • use macos-13 (since macos-13 is the latest amd64 configuration on GHA and it works): metanorma/mn-samples-iso#108
  • use the arm64 tebako package. I used to build it on Cirrus CI; you can somehow upload it to GHA
  • test/fix an option to run the amd64 tebako package on arm64. I am afraid it is not possible to fix it ad hoc; it is a complex task.

This issue was related to the SSL certificate store.
When a tebako package is built on macOS x86_64 and run on macOS arm64, it looks for SSL certificates at the wrong location.
This shall be fixed by the embedded certificate store #149
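The following script is an added example (not code from tebako, fontist or metanorma) that makes the root cause above checkable, and extends the "test SSL configuration" script earlier in the thread so it runs offline. It prints where this Ruby's OpenSSL was compiled to look for its trust store (the location that is wrong when an x86_64 build runs on arm64 macOS) and whether that location exists, then shows what "certificate verify failed" looks like against an empty store versus a store holding the right CA, using a CA and leaf certificate constructed in memory. The subject names and the `http_with_store` helper are illustrative assumptions, not tebako or fontist APIs.

```ruby
#!/usr/bin/env ruby
# Added example, not code from tebako, fontist or metanorma.
# (1) Where this Ruby's OpenSSL expects its trust store; this is what goes
#     wrong when an x86_64 build runs on arm64 macOS.
# (2) What verification failure looks like against an empty store versus a
#     store holding the right CA, with certificates constructed in memory
#     so that everything runs offline.
require "openssl"
require "net/http"

# Compiled-in defaults (fixed when OpenSSL was built) plus the environment
# overrides OpenSSL honours. `env` is injectable so the lookup is testable.
def cert_store_locations(env = ENV)
  {
    default_cert_file: OpenSSL::X509::DEFAULT_CERT_FILE,
    default_cert_dir:  OpenSSL::X509::DEFAULT_CERT_DIR,
    ssl_cert_file_env: env["SSL_CERT_FILE"],
    ssl_cert_dir_env:  env["SSL_CERT_DIR"],
  }
end

# True if at least one configured location exists on disk. When this is
# false, Store#set_default_paths silently loads nothing and chain building
# then fails with "unable to get local issuer certificate".
def usable_cert_location?(locs)
  files = [locs[:ssl_cert_file_env], locs[:default_cert_file]].compact
  dirs  = [locs[:ssl_cert_dir_env],  locs[:default_cert_dir]].compact
  files.any? { |f| File.file?(f) } || dirs.any? { |d| File.directory?(d) }
end

# Build a certificate in memory (constructed test data, not a real CA).
# With no issuer it is self-signed; otherwise it is signed by issuer_key.
def make_cert(subject, issuer_cert: nil, issuer_key: nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = OpenSSL::BN.rand(64)
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", ca ? "keyCertSign,cRLSign" : "digitalSignature", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Verify a leaf against a store. Returns [ok, error_string_or_nil].
def verify_leaf(leaf, store)
  ctx = OpenSSL::X509::StoreContext.new(store, leaf)
  ok  = ctx.verify
  [ok, ok ? nil : ctx.error_string]
end

# Net::HTTP client pinned to an explicit store instead of the compiled-in
# path (hypothetical helper). Nothing is sent until #start is called, so
# constructing it is safe offline.
def http_with_store(uri, store)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl     = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store  = store
  http
end

if __FILE__ == $0
  locs = cert_store_locations
  locs.each { |k, v| puts "#{k}: #{v.inspect}" }
  puts "usable trust store on this machine: #{usable_cert_location?(locs)}"

  ca, ca_key = make_cert("/CN=Example Test Root", ca: true)
  leaf, _    = make_cert("/CN=github.example", issuer_cert: ca, issuer_key: ca_key)

  puts "empty store:   #{verify_leaf(leaf, OpenSSL::X509::Store.new).inspect}"
  trusted = OpenSSL::X509::Store.new
  trusted.add_cert(ca)
  puts "trusted store: #{verify_leaf(leaf, trusted).inspect}"

  uri  = URI("https://github.com/fontist/source-fonts/releases/download/v1.0/source-fonts-1.0.zip")
  http = http_with_store(uri, trusted)  # with a real CA bundle, this replaces ca_file
  puts "client uses explicit store: #{http.cert_store.equal?(trusted)}"
end
```

Run inside the packaged Ruby on the failing runner: if `default_cert_file` and `default_cert_dir` point at paths that do not exist there and no `SSL_CERT_FILE`/`SSL_CERT_DIR` is set, `usable_cert_location?` is false and the empty-store case is exactly what the fontist download hit. OpenSSL reads `SSL_CERT_FILE` and `SSL_CERT_DIR` for its default lookup, so exporting one of them to a bundle that exists on the host is a stopgap until the certificate store is embedded in the package.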