Unable to access Phabricator via arcanist

I’m having issues using arcanist to access Phabricator this morning. I tried commands from two different machines that worked yesterday, and I’m getting certificate issues:

(from a Windows machine, worked yesterday)

$ arc diff

Exception

[cURL/60] (https://reviews.llvm.org/api/user.whoami) <CURLE_SSL_CACERT> There was an error verifying the SSL connection. This usually indicates that the remote host has an SSL certificate for a different domain name than you are connecting with. Make sure the certificate you have installed is signed for the correct domain.

(Run with --trace for a full exception trace.)

(from a Linux machine, worked recently)

$ arc patch D110747

Exception

[cURL/60] (https://reviews.llvm.org/api/differential.querydiffs) <CURLE_SSL_CACERT> There was an error verifying the SSL Certificate Authority while negotiating the SSL connection. This usually indicates that you are using a self-signed certificate but have not added your CA to the CA bundle. See instructions in “libphutil/resources/ssl/README”.

(Run with --trace for a full exception trace.)

Is anybody else seeing this? If it’s an issue on my side, has anybody else seen this issue before and knows what I need to do to fix it?

Thanks,

Chris Tetreault

On this machine, does it work when you use a browser?

What about curl on the command line?
Try: curl https://reviews.llvm.org/

If curl reproduces the issue, there are many tracing/debug options for curl.

Also I don't know if you tried the --trace option that arc suggests
and if it gave more info?

On both machines, I can go directly to the page. On the Windows machine, curl retrieves the page. On the Linux machine, I get a similar error:

curl https://reviews.llvm.org
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

If the problem is purely on my end, I suppose I can take it from here. Thanks for the help!

Thanks,
   Chris Tetreault

A coworker was running into similar issues internally, and it appeared to be related to https://docs.certifytheweb.com/docs/kb/kb-202109-letsencrypt/. He had to update custom.pem inside arcanist/resources/ssl (he copied it over from an internal certificate bundle) ... the README in that directory has more information.

It looks like somebody also already opened a PR in phacility/arcanist regarding this issue:
https://github.com/phacility/arcanist/pull/259/commits/e3659d43d8911e91739f3b0c5935598bceb859aa

Makes sense. Hopefully upstream arcanist gets this sorted in the next day or two and some official patch or git pull from main will sort it out. I prefer not to go fiddling with ssh configs if possible. In the meantime, I have other fires to put out. :blush: Thanks for doing the legwork and reporting your findings!

Thanks,

Chris Tetreault

FYI it is also tracked by Phorge (the community fork of Phabricator
after the company stopped active development):
https://we.phorge.it/T15051
Seems like on Ubuntu at least they report that "updating the
ca-certificates package resolves the issue".

Hi,

I have submitted a patch for the GettingStarted docs to explain how
to apply this fix: https://reviews.llvm.org/D110976

-Tom