Travis CI Linux hosts certificate store not up to date

dikhan · June 9, 2022, 9:04am

Hi, I recently ran into an issue when trying to download the Hashicorp Terraform binary from within a Travis CI build job. The error I am getting is the following:

0.06s$ wget https://releases.hashicorp.com/terraform/"$TF_VERSION"/terraform_"$TF_VERSION"_linux_amd64.zip

625--2022-05-26 05:12:59-- https://releases.hashicorp.com/terraform/0.13.6/terraform_0.13.6_linux_amd64.zip

626Resolving releases.hashicorp.com (releases.hashicorp.com)... 151.101.2.133, 151.101.66.133, 151.101.130.133, ...

627Connecting to releases.hashicorp.com (releases.hashicorp.com)|151.101.2.133|:443... connected.

628ERROR: cannot verify releases.hashicorp.com's certificate, issued by ‘/C=US/O=Let's Encrypt/CN=R3’:

629 Issued certificate has expired.

630To connect to releases.hashicorp.com insecurely, use `--no-check-certificate'.

Link to the build job: Travis CI - Test and Deploy with Confidence

After raising the issue with Hashicorp itself (releases.hashicorp.com's certificate expired · Issue #31135 · hashicorp/terraform · GitHub) we came to realize that the issue seems to be sourcing in the truststore used in the Travis Host systems which seems to be using old LE intermediate certs resulting into any attempt to download assets from Hashicorp failing due to the cert stored in the truststore being expired. More info in this comment: releases.hashicorp.com's certificate expired · Issue #31135 · hashicorp/terraform · GitHub

I could add to the wget command the --no-check-certificate flag to get unblocked but that would reduce the security posture which is not desirable. So hoping that the cert store can be updated accordingly to fix the issue.

Any help here would be much appreciated.

Thanks
Dani

mustafaergul · June 9, 2022, 9:31am

Hey,

I have already replied to your support request but would like to mention it here as well. I do recommend using the newer Ubuntu distribution as follows:

github.com/dikhan/terraform-provider-openapi

Update .travis.yml

dikhan:master ← mustafaergul:patch-1

opened 09:23AM - 09 Jun 22 UTC

mustafaergul

+2 -2

Workaround to use newer Ubuntu distros. ## What problem does this Pull Reques…t solve? Please link to the issue number here (issue will be closed when PR is merged): Closes # *If you don't have an issue created, please create the issue first describing the problem and then open the PR* ## Type of change What type of change does your code introduce to the provider? Please put an `x` (w/o heading/trailing white spaces) in the boxes that apply: - [ ] New feature (change that adds new functionality) - [ ] Bug-fix (change that fixes current functionality) - [ ] Tech debt (enhances the current functionality) - [ ] New release (pumps the version) ## Checklist Please put an `x` (w/o heading/trailing white spaces) in the boxes that apply: - [ ] I have read and followed the [CONTRIBUTING](https://github.com/dikhan/terraform-provider-api/blob/master/.github/CONTRIBUTING.md) guidelines - [ ] I have added tests that prove my fix is effective or that my feature works - [ ] I have made sure code compiles correctly and all tests are passing by running `make test-all` - [ ] I have added/updated necessary documentation (if appropriate) - [ ] I have added the following info to the title of the PR (pick the appropriate option for the type of change). This is important because the release notes will include this information. - [ ] Feature Request: PRs related to feature requests should have in the title `[FeatureRequest: Issue #X] <PR Title>` - [ ] Bug Fixes: PRs related to bug fixes should have in the title `[BugFix: Issue #X] <PR Title>` - [ ] Tech Debt: PRs related to technical debt should have in the title `[TechDebt: Issue #X] <PR Title>` - [ ] New Release: PRs related to a new release should have in the title `[NewRelease] vX.Y.Z` ## Checklist for Admins - [ ] Label is populated - [ ] PR is assigned to the corresponding project - [ ] PR has at least 1 reviewer and 1 assignee

Thanks

Mustafa
Travis CI Staff

dikhan · June 9, 2022, 11:43am

Thanks a lot! that did the trick, really appreciate the quick fix and the contribution to the repo!

Topic		Replies	Views
Travis failing to pull from IBM Cloud CLI Tools download site - ssl error Environments bug	5	1223	November 4, 2021
Sonarcloud: build-wrapper-linux-x86-64 not found anymore on Ubuntu Trusty Linux build-env , travis-build	3	2628	May 31, 2020
Build system setup failure due to OS / Curl SSL Certificate Issues D	1	1509	January 10, 2021
SSL: CERTIFICATE_VERIFY_FAILED when trying to download artifact from maven repository Windows	0	1675	November 21, 2018
Travis-ci.org - build cannot clone private Bitbucket repository Atlassian Bitbucket	2	3087	April 13, 2020

Travis CI Linux hosts certificate store not up to date

Related Topics