| Summary: | CI deployment to oss.sonatype.org fails with SSL errors | ||
|---|---|---|---|
| Product: | z_Archived | Reporter: | Jan Sievers <jan.sievers> |
| Component: | Tycho | Assignee: | Project Inbox <tycho-inbox> |
| Status: | CLOSED NOT_ECLIPSE | QA Contact: | |
| Severity: | normal | ||
| Priority: | P3 | CC: | eclipse, igor, t-oberlies |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | All | ||
| Whiteboard: | |||
|
Description
Jan Sievers
https://git.eclipse.org/r/#/c/26863/ pinning the wagon version did the trick I think http://ci.tesla.io:8080/view/Tycho/job/tycho/219/console equivalent fix for tycho-extras: http://git.eclipse.org/c/tycho/org.eclipse.tycho.extras.git/commit/?id=fe7aa23458b3e82d8e44ec99bd1d2b799115e20d still seeing occasional deployment failures after the fix attempt http://ci.tesla.io:8080/view/Tycho/job/tycho/220/consoleText it seems random for which artifact the upload will fail... [WARNING] Failed to upload MD5 checksum for /data/hudson-work/jobs/tycho/workspace/tycho-bundles/org.eclipse.tycho.p2.tools.shared/target/org.eclipse.tycho.p2.tools.shared-0.21.0-SNAPSHOT.jar: peer not authenticated org.apache.maven.wagon.TransferFailedException: peer not authenticated at org.apache.maven.wagon.shared.http4.AbstractHttpClientWagon.put(AbstractHttpClientWagon.java:580) at org.apache.maven.wagon.shared.http4.AbstractHttpClientWagon.put(AbstractHttpClientWagon.java:524) at org.apache.maven.wagon.shared.http4.AbstractHttpClientWagon.put(AbstractHttpClientWagon.java:505) at org.apache.maven.wagon.shared.http4.AbstractHttpClientWagon.putFromStream(AbstractHttpClientWagon.java:499) at org.sonatype.aether.connector.wagon.WagonRepositoryConnector$PutTask.uploadChecksum(WagonRepositoryConnector.java:886) at org.sonatype.aether.connector.wagon.WagonRepositoryConnector$PutTask.uploadChecksums(WagonRepositoryConnector.java:861) at org.sonatype.aether.connector.wagon.WagonRepositoryConnector$PutTask.run(WagonRepositoryConnector.java:818) at org.sonatype.aether.connector.wagon.WagonRepositoryConnector.put(WagonRepositoryConnector.java:467) at org.sonatype.aether.impl.internal.DefaultDeployer.deploy(DefaultDeployer.java:274) at org.sonatype.aether.impl.internal.DefaultDeployer.deploy(DefaultDeployer.java:211) at org.sonatype.aether.impl.internal.DefaultRepositorySystem.deploy(DefaultRepositorySystem.java:443) at org.apache.maven.artifact.deployer.DefaultArtifactDeployer.deploy(DefaultArtifactDeployer.java:137) at org.apache.maven.plugin.deploy.DeployMojo.execute(DeployMojo.java:156) at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:101) at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:209) at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153) at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:84) at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:59) at org.apache.maven.lifecycle.internal.LifecycleStarter.singleThreadedBuild(LifecycleStarter.java:183) at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:161) at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:320) at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:156) at org.apache.maven.cli.MavenCli.execute(MavenCli.java:537) at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:196) at org.apache.maven.cli.MavenCli.main(MavenCli.java:141) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:601) at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:290) at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:230) at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:409) at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:352) Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397) at org.apache.maven.wagon.providers.http.httpclient.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:126) at org.apache.maven.wagon.providers.http.httpclient.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572) at org.apache.maven.wagon.shared.http4.ConfigurableSSLSocketFactoryDecorator.connectSocket(ConfigurableSSLSocketFactoryDecorator.java:64) at org.apache.maven.wagon.providers.http.httpclient.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) at org.apache.maven.wagon.providers.http.httpclient.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294) at org.apache.maven.wagon.providers.http.httpclient.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:645) at org.apache.maven.wagon.providers.http.httpclient.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:480) at org.apache.maven.wagon.providers.http.httpclient.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) at org.apache.maven.wagon.providers.http.httpclient.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) at org.apache.maven.wagon.shared.http4.AbstractHttpClientWagon.execute(AbstractHttpClientWagon.java:746) at org.apache.maven.wagon.shared.http4.AbstractHttpClientWagon.put(AbstractHttpClientWagon.java:574) ... 33 more Caused by: org.sonatype.aether.transfer.ArtifactTransferException: Could not transfer artifact org.eclipse.tycho:tycho-embedder-api:jar:sources:0.21.0-20140520.083953-32 from/to sonatype-nexus-snapshots (https://oss.sonatype.org/content/repositories/snapshots): peer not authenticated at org.sonatype.aether.connector.wagon.WagonRepositoryConnector$4.wrap(WagonRepositoryConnector.java:951) at org.sonatype.aether.connector.wagon.WagonRepositoryConnector$4.wrap(WagonRepositoryConnector.java:941) at org.sonatype.aether.connector.wagon.WagonRepositoryConnector$PutTask.run(WagonRepositoryConnector.java:837) at org.sonatype.aether.connector.wagon.WagonRepositoryConnector.put(WagonRepositoryConnector.java:467) at org.sonatype.aether.impl.internal.DefaultDeployer.deploy(DefaultDeployer.java:274) ... 26 more Caused by: org.apache.maven.wagon.TransferFailedException: peer not authenticated at org.apache.maven.wagon.shared.http4.AbstractHttpClientWagon.put(AbstractHttpClientWagon.java:580) at org.apache.maven.wagon.shared.http4.AbstractHttpClientWagon.put(AbstractHttpClientWagon.java:524) at org.apache.maven.wagon.shared.http4.AbstractHttpClientWagon.put(AbstractHttpClientWagon.java:505) at org.apache.maven.wagon.shared.http4.AbstractHttpClientWagon.put(AbstractHttpClientWagon.java:485) at org.sonatype.aether.connector.wagon.WagonRepositoryConnector$PutTask.run(WagonRepositoryConnector.java:811) ... 28 more Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:397) at org.apache.maven.wagon.providers.http.httpclient.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:126) at org.apache.maven.wagon.providers.http.httpclient.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:572) at org.apache.maven.wagon.shared.http4.ConfigurableSSLSocketFactoryDecorator.connectSocket(ConfigurableSSLSocketFactoryDecorator.java:64) at org.apache.maven.wagon.providers.http.httpclient.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:180) at org.apache.maven.wagon.providers.http.httpclient.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:294) at org.apache.maven.wagon.providers.http.httpclient.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:645) at org.apache.maven.wagon.providers.http.httpclient.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:480) at org.apache.maven.wagon.providers.http.httpclient.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:906) at org.apache.maven.wagon.providers.http.httpclient.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:805) at org.apache.maven.wagon.shared.http4.AbstractHttpClientWagon.execute(AbstractHttpClientWagon.java:746) at org.apache.maven.wagon.shared.http4.AbstractHttpClientWagon.put(AbstractHttpClientWagon.java:574) ... 32 more it seems it's stabilized now (5 successful builds in a row) http://ci.tesla.io:8080/job/tycho/ keeping open for some time just in case. As a side note and may not be related, but the JDK on that machine seems a little oudated: Java version: 1.7.0_10, vendor: Oracle Corporation Java home: /data/jdks/jdk1.7.0_10/jre current patch level for JDK 7 is 55 seems OK now we get intermittent SSL errors again http://ci.tesla.io:8080/view/Tycho/job/tycho/250/console *** Bug 438391 has been marked as a duplicate of this bug. *** workaround is to use https://repo.eclipse.org/content/repositories/tycho-snapshots instead. Is that a temporary measure only? Or could I always use that repo when using Tycho snapshots from now on? (In reply to Rafael Chaves from comment #10) > Is that a temporary measure only? Or could I always use that repo when using > Tycho snapshots from now on? we have the repo.eclipse.org URL in place as a fallback solution. the canonical oss.sonatype.org repo is widely established and advertised so I don't want to promote repo.eclipse.org as default URL unless we have serious problems with oss.sonatype.org that can't be sorted out. (In reply to Jan Sievers from comment #7) > we get intermittent SSL errors again > http://ci.tesla.io:8080/view/Tycho/job/tycho/250/console I was able to deploy the current master branch from my local machine. since the issue seems intermittent, that may not mean much though. At least we have a non-corrupted state deployed for now. tracked here: https://issues.sonatype.org/browse/OSSRH-10466 I've had a closer look at this and I quite certain Tycho build is NOT using the advised version of wagon. Here is proposed fix https://git.eclipse.org/r/#/c/29160/. SSL exceptions go away for me locally after I applied this change, so if we want build with older versions of Maven, this is what we need to do to stay compatible with current security best practices (I do believe Sonatype changes to SSL config are proper). On the other hand, I think we should just move to newer version of Maven. If we need to test Tycho compatibility with specific version(s) of Maven, this should be configured in Tycho build and should not depend on the version of Maven used to run Tycho build. I've changed http://ci.takari.io:8080/view/Tycho/job/tycho/ to use Maven 3.2.2 to get snapshots deploy working again for now, but feel free to change it back to 3.0.5 if you disagree. (In reply to Igor Fedorenko from comment #14) > I've changed > http://ci.takari.io:8080/view/Tycho/job/tycho/ to use Maven 3.2.2 to get > snapshots deploy working again for now, but feel free to change it back to > 3.0.5 if you disagree. Using the latest maven version to build Tycho is fine from my point of view. We still use maven 3.0 to run ITs. (In reply to Jan Sievers from comment #15) > (In reply to Igor Fedorenko from comment #14) > > I've changed > > http://ci.takari.io:8080/view/Tycho/job/tycho/ to use Maven 3.2.2 to get > > snapshots deploy working again for now, but feel free to change it back to > > 3.0.5 if you disagree. > > Using the latest maven version to build Tycho is fine from my point of view. > We still use maven 3.0 to run ITs. In this case I suggest to revert http://git.eclipse.org/c/tycho/org.eclipse.tycho.git/commit/?id=7ff2c63ae5b1dbc999f7c36b43c269667d08f5bf http://git.eclipse.org/c/tycho/org.eclipse.tycho.extras.git/commit/?id=fe7aa23458b3e82d8e44ec99bd1d2b799115e20d These commits don't do anything to help with SSL exceptions. Please note that maven 3.0.5 appears to be affected by this problem too http://ci.takari.io:8080/job/tycho/256/console , so I've changed both tycho and tycho-extras to use maven 3.2.2. I am puzzled why this problem didn't affect tycho-extras build, but I think we should be good now, at least for the time being. This is only needed for deployment, right? So we don't need to update the minimal version for building Tycho [1]? [1] https://wiki.eclipse.org/Developing_Tycho (In reply to Tobias Oberlies from comment #17) > This is only needed for deployment, right? So we don't need to update the > minimal version for building Tycho [1]? > > [1] https://wiki.eclipse.org/Developing_Tycho yes it's an implementation detail of our SNAPSHOT deployment job to oss.sonatype.org (as far as I get it because of particular restricted SSL cipher requirements from oss.sonatype.org), so no need to require a higher minimum maven version in general from my PoV. I reverted http://git.eclipse.org/c/tycho/org.eclipse.tycho.git/commit/?id=a85a11cea9058fb9f562ec61a4d7c1e5bf01fa05 and http://git.eclipse.org/c/tycho/org.eclipse.tycho.extras.git/commit/?id=cd60cf915f3d4e907aea94cc80133b8f724a3511 now. I'd like to keep this issue open at least for another 2 weeks to see if it's gone because it was off and on for several weeks now and the correlation with the various fix attempts has not been very clear. looks like we are back to square one :( http://ci.takari.io:8080/job/tycho/262/consoleText announced switch to repo.eclipse.org https://dev.eclipse.org/mhonarc/lists/tycho-user/msg05785.html (In reply to Jan Sievers from comment #20) > announced switch to repo.eclipse.org > > https://dev.eclipse.org/mhonarc/lists/tycho-user/msg05785.html ... to which we also have been deploying without problems for a while now (cf. bug 360628) we switched to repo.eclipse.org for SNAPSHOT builds in the meantime and I have no intention to go back to oss.sonatype.org for snapshots |