[issue43382] github CI blocked by the Ubuntu CI with an SSL error

Christian Heimes added the comment: CI is passing again. -- resolution: -> fixed stage: patch review -> resolved status: open -> closed ___ Python tracker ___ ___

[issue43382] github CI blocked by the Ubuntu CI with an SSL error

Change by STINNER Victor : -- nosy: +vstinner ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.py

[issue43382] github CI blocked by the Ubuntu CI with an SSL error

Neil Schemenauer added the comment: It seems it is enough to make a new commit. The CI seems to re-base and re-run the PR. At least, it worked on two of my PRs. -- ___ Python tracker _

[issue43382] github CI blocked by the Ubuntu CI with an SSL error

Gregory P. Smith added the comment: we may not need that: Closing and reopening the PR worked. I suspect the github CI "rerun" button was "rerun in the exact same config". -- ___ Python tracker ___

[issue43382] github CI blocked by the Ubuntu CI with an SSL error

Gregory P. Smith added the comment: yeah i figured it might require a rebase. if anyone has the appropriate git command to do that to a branch, creating a 2-4 step CLI playbook for people to apply to pending PR branches would be useful. -- ___ Py

[issue43382] github CI blocked by the Ubuntu CI with an SSL error

Brandt Bucher added the comment: Closing and reopening may work, or pushing an empty commit. I know that's helped appease some GitHub CI weirdness in the past. -- ___ Python tracker

[issue43382] github CI blocked by the Ubuntu CI with an SSL error

Christian Heimes added the comment: Yeah, that's the annoying part. Users have to rebase all their PRs in order to make CI pass. It's going to be painful. :( -- ___ Python tracker __

[issue43382] github CI blocked by the Ubuntu CI with an SSL error

Ned Deily added the comment: You may have to refresh the PR so that is uses the latest HEAD that includes the config change. -- ___ Python tracker ___ ___

[issue43382] github CI blocked by the Ubuntu CI with an SSL error

Gregory P. Smith added the comment: How do I get a CI run on a PR to actually pickup this change? clicking rerun failed. -- ___ Python tracker ___ __

[issue43382] github CI blocked by the Ubuntu CI with an SSL error

Ned Deily added the comment: 3.7 backport is now merged, too. -- ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscri

[issue43382] github CI blocked by the Ubuntu CI with an SSL error

Brandt Bucher added the comment: @ned.deily, I think the 3.7 backport needs RM approval (or something?): https://github.com/python/cpython/pull/24716 The others branches are fine now... thanks, Christian! -- ___ Python tracker

[issue43382] github CI blocked by the Ubuntu CI with an SSL error

Change by Paul Ganssle : -- nosy: +p-ganssle ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.pyt

[issue43382] github CI blocked by the Ubuntu CI with an SSL error

Christian Heimes added the comment: Downstream has asked me to file a separate bug for internal error during handshake. The problem is tracked at https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1917625 . -- ___ Python tracker

[issue43382] github CI blocked by the Ubuntu CI with an SSL error

Change by Ivan Marton : -- nosy: +martonivan ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.pyt

[issue43382] github CI blocked by the Ubuntu CI with an SSL error

Christian Heimes added the comment: I have backported the workaround to 3.7, 3.8, and 3.9. There was some issue with the backport bot and I didn't have time to investigate. PRs are: https://github.com/python/cpython/pull/24716 https://github.com/python/cpython/pull/24717 https://github.com/py

[issue43382] github CI blocked by the Ubuntu CI with an SSL error

Christian Heimes added the comment: > It would be advisable for Python3 to start enforcing security level 2, and > prohibit DTLS v1.1 and lower by default too. By configuring openssl library > on the host with setting security level, and/or setting min versions (if > openssl on the host supp

[issue43382] github CI blocked by the Ubuntu CI with an SSL error

Christian Heimes added the comment: Dimitri, thanks for your feedback. I'm very well aware of the crypto policy settings and security level settings. The problem is not the fact that Ubuntu sets a higher security level and disables insecure TLS versions. The problem is the way how Ubuntu has

[issue43382] github CI blocked by the Ubuntu CI with an SSL error

Dimitri John Ledkov added the comment: BTW. It would be advisable for Python3 to start enforcing security level 2, and prohibit DTLS v1.1 and lower by default too. By configuring openssl library on the host with setting security level, and/or setting min versions (if openssl on the host sup

[issue43382] github CI blocked by the Ubuntu CI with an SSL error

Dimitri John Ledkov added the comment: Ubuntu 20.04+ compile OpenSSL with default security level set to 2, and further customized security level 2 to prohibit TLS below v1.2 and DTLS below v1.2. You can export custom openssl configuration that sets security level back to 1, which is compatib

[issue43382] github CI blocked by the Ubuntu CI with an SSL error

Christian Heimes added the comment: Thanks for the quick workaround! The problem could be caused by a downstream patch in Ubuntu's OpenSSL version. Vanilla OpenSSL doesn't fail like that. -- ___ Python tracker

[issue43382] github CI blocked by the Ubuntu CI with an SSL error

Neil Schemenauer added the comment: I think it may be related to bpo-41561. There is a bug in the Ubuntu tracker as well: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1899878 I agree with the temporary fix to use "ubuntu-18.04" for CI testing. -- nosy: +nascheme

[issue43382] github CI blocked by the Ubuntu CI with an SSL error

Change by Brandt Bucher : -- keywords: +patch pull_requests: +23493 stage: -> patch review pull_request: https://github.com/python/cpython/pull/24715 ___ Python tracker ___ __

[issue43382] github CI blocked by the Ubuntu CI with an SSL error

Brandt Bucher added the comment: I forgot to mention that I confirmed that the last passing test run used 18.04 (click "set up job" -> "Operating System" to see): https://github.com/python/cpython/runs/2013210763?check_suite_focus=true The next one, which started the current chain of failure

[issue43382] github CI blocked by the Ubuntu CI with an SSL error

Brandt Bucher added the comment: It seems that GitHub recently changed their "ubuntu-latest" image from Ubuntu 18.04 to Ubuntu 20.04. A good temporary workaround would probably be to change this line: https://github.com/python/cpython/blob/727a68b6e592eada5a65935de5c8428ef50e8741/.github/wor

[issue43382] github CI blocked by the Ubuntu CI with an SSL error

New submission from Gregory P. Smith : https://github.com/python/cpython/pull/20442/checks?check_run_id=2018900756 ssl.SSLError: [SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:1122) [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certifica