I’m having issues using arcanist to access Phabricator this morning. I tried commands from two different machines that worked yesterday, and I’m getting certificate issues:
(from a Windows machine, worked yesterday)
$ arc diff
Exception
[cURL/60] (https://reviews.llvm.org/api/user.whoami) <CURLE_SSL_CACERT> There was an error verifying the SSL connection. This usually indicates that the remote host has an SSL certificate for a different domain name than you are connecting with. Make sure the certificate you have installed is signed for the correct domain.
(Run with --trace for a full exception trace.)
(from a Linux machine, worked recently)
$ arc patch D110747
Exception
[cURL/60] (https://reviews.llvm.org/api/differential.querydiffs) <CURLE_SSL_CACERT> There was an error verifying the SSL Certificate Authority while negotiating the SSL connection. This usually indicates that you are using a self-signed certificate but have not added your CA to the CA bundle. See instructions in “libphutil/resources/ssl/README”.
(Run with --trace for a full exception trace.)
Is anybody else seeing this? If it’s an issue on my side, has anybody else seen this issue before and knows what I need to do to fix it?
On both machines, I can go directly to the page. On the Windows machine, curl retrieves the page. On the Linux machine, I get a similar error:
curl https://reviews.llvm.org
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
If the problem is purely on my end, I suppose I can take it from here. Thanks for the help!
A coworker was running into similar issues internally, and it appeared to be related to https://docs.certifytheweb.com/docs/kb/kb-202109-letsencrypt/. He had to update custom.pem inside arcanist/resources/ssl (he copied it over from an internal certificate bundle) ... the README in that directory has more information.
Makes sense. Hopefully upstream arcanist gets this sorted in the next day or two and some official patch or git pull from main will sort it out. I prefer not to go fiddling with ssh configs if possible. In the meantime, I have other fires to put out. Thanks for doing the legwork and reporting your findings!
FYI it is also tracked by Phorge (the community fork of Phabricator
after the company stopped active development): https://we.phorge.it/T15051
Seems like on Ubuntu at least they report that "updating the
ca-certificates package resolves the issue".
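
A way to check whether a given CA bundle (the system one curl names above, or arcanist's custom.pem) is affected, as an added example that is not from any poster in this thread or from arcanist: it lists expired roots in a PEM bundle and checks that ISRG Root X1 is present. It assumes the cause described in the linked KB (the Let's Encrypt DST Root CA X3 root expiring, with ISRG Root X1 as its replacement); the function names and the sample records are constructed for illustration.

```python
import ssl
import sys
import time

def common_name(cert):
    """Subject commonName of a certificate dict as returned by the ssl module."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no commonName>"

def load_bundle(path):
    """Parse a PEM CA bundle into ssl-module certificate dicts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with an empty trust store
    ctx.load_verify_locations(cafile=path)
    return ctx.get_ca_certs()

def audit(certs, now=None, required=("ISRG Root X1",)):
    """Report expired roots in the bundle and required roots that are absent."""
    now = time.time() if now is None else now
    expired = sorted(common_name(c) for c in certs
                     if ssl.cert_time_to_seconds(c["notAfter"]) < now)
    present = {common_name(c) for c in certs}
    return {"expired": expired,
            "missing": [name for name in required if name not in present]}

# Constructed sample records in the shape get_ca_certs() returns.
SAMPLE = [
    {"subject": ((("organizationName", "Digital Signature Trust Co."),),
                 (("commonName", "DST Root CA X3"),)),
     "notAfter": "Sep 30 14:01:15 2021 GMT"},
    {"subject": ((("countryName", "US"),),
                 (("commonName", "ISRG Root X1"),)),
     "notAfter": "Jun  4 11:04:38 2035 GMT"},
]

if __name__ == "__main__":
    # Pass a bundle path, e.g. /etc/ssl/certs/ca-certificates.crt or
    # arcanist/resources/ssl/custom.pem; with no argument the sample is used.
    certs = load_bundle(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    result = audit(certs)
    print("expired roots:", ", ".join(result["expired"]) or "none")
    print("missing roots:", ", ".join(result["missing"]) or "none")
    sys.exit(1 if result["expired"] or result["missing"] else 0)
```

A non-zero exit marks the bundle as a candidate for the update mentioned in the thread (refreshing ca-certificates or replacing custom.pem).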