At least at some point travis refused to clone git:// (over ssh) urls; but https:// works fine. As ghcs’ submodules are relative it /should just work/ - Oleg Sent from my iPhone

On 9 Mar 2019, at 8.22, Ben Gamari wrote:

Shayne Fletcher via ghc-devs writes:

...

I appreciate this isn't really "our" problem :) Nonetheless, if there's any config we can do on the repo on gitlab, that would be cool. Other URLs (like github) for example are fine - something specific to gitlab.

I feel like I'm missing something here. I recall you mentioned this in your previous message but there I'm still lacking crucial context. Can you offer any additional details? How exactly does it fail?

In principle there is no reason why cloning from gitlab.haskell.org from Travis shouldn't work. I'd be happy to fix the issue if there is one but without knowing more I'm pretty powerless to change the situation.

Cheers,

- Ben

_______________________________________________ ghc-devs mailing list ghc-devs@haskell.org http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs

I can reproduce that problem on Ubuntu 14.04 which Travis uses now by default. It's "fixed" in Ubuntu 16.04. Use     dist: xenial and your travis build should proceed. --- Ubuntu 14.04 root@6f98cdde6521:/# git clone https://gitlab.haskell.org/ghc/ci-images.git Cloning into 'ci-images'... fatal: unable to access 'https://gitlab.haskell.org/ghc/ci-images.git/': gnutls_handshake() failed: Handshake failed Ubuntu 16.04 root@a66b1076e2f8:/#  git clone https://gitlab.haskell.org/ghc/ci-images.git Cloning into 'ci-images'... remote: Enumerating objects: 110, done. remote: Counting objects: 100% (110/110), done. remote: Compressing objects: 100% (53/53), done. remote: Total 110 (delta 49), reused 81 (delta 36) Receiving objects: 100% (110/110), 17.14 KiB | 0 bytes/s, done. Resolving deltas: 100% (49/49), done. Checking connectivity... done. --- - Oleg On 9.3.2019 14.15, Shayne Fletcher wrote:

On Sat, Mar 9, 2019 at 1:23 AM Ben Gamari mailto:ben@well-typed.com> wrote:

Shayne Fletcher via ghc-devs mailto:ghc-devs@haskell.org> writes:

[...] 

I feel like I'm missing something here. I recall you mentioned this in your previous message but there I'm still lacking crucial context. Can you offer any additional details? How exactly does it fail?

git clone https://gitlab.haskell.org/ghc/ghc.git fails on Travis Linux Ubuntu VMs with "fatal: unable to access 'https://gitlab.haskell.org/ghc/ghc.git/': gnutls_handshake() failed: Handshake failed.

In principle there is no reason why cloning from gitlab.haskell.org http://gitlab.haskell.org from Travis shouldn't work. I'd be happy to fix the issue if there is one but without knowing more I'm pretty powerless to change the situation.

The issue as I understand relates to gitlab's use of the "Let's Encrypt" certificate authority. Apparently this is a relatively new authority and is unrecognized by the SSL software on the Ubuntu VM that Travis provides. I don't know of any workarounds at this time that can be applied in the VM that to overcome this problem. I also don't know if anything can be done on the gitlab side to mitigate it but suspect not. I do have a procedure that allows me to side-step the problem for my own case and can share that with anyone that needs it.

Cheers,

- Ben

This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.digitalasset.com/emaildisclaimer.html http://www.digitalasset.com/emaildisclaimer.html. If you are not the intended recipient, please delete this message.

I just encountered this when doing a "git pull" on my Ubuntu 18.04.1 machine:

fatal: unable to access 'https://gitlab.haskell.org/ghc/ghc/': server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

Chrome also believes that the certificate of https://gitlab.haskell.org/ghc/ghc is invalid and I have to click the "Proceed to ... (unsafe)" link. Chrome's certificate viewer shows that the certificate is for "gitlab.staging.haskell.org" whereas the domain is "gitlab.haskell.org", so I'm guessing that's the problem. I'm not very experienced with such cert stuff, but perhaps a wildcard cert like "*.haskell.org" could allow using the same cert regardless of whether it's on staging vs prod. For now I've just done "git config --global http.sslverify false" temporarily to do the pull. Perhaps this is Shayne Fletcher's cheeky workaround? :) -Michael On Fri, Mar 8, 2019 at 10:23 PM Ben Gamari wrote:

Shayne Fletcher via ghc-devs writes:

...

I appreciate this isn't really "our" problem :) Nonetheless, if there's any config we can do on the repo on gitlab, that would be cool. Other URLs (like github) for example are fine - something specific to gitlab.

I feel like I'm missing something here. I recall you mentioned this in your previous message but there I'm still lacking crucial context. Can you offer any additional details? How exactly does it fail?

In principle there is no reason why cloning from gitlab.haskell.org from Travis shouldn't work. I'd be happy to fix the issue if there is one but without knowing more I'm pretty powerless to change the situation.

Cheers,

- Ben

_______________________________________________ ghc-devs mailing list ghc-devs@haskell.org http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs

I think the public name is pointed to the staging site because the main one is down for the trac to github migration. On Sat, Mar 9, 2019 at 8:59 PM Michael Sloan wrote:

Whoah, I can't get https://ghc.haskell.org/ to load at all - it's also trying to use the gitlab.staging.haskell.org cert. I can't get chrome to ignore the cert error because it's using HSTS - HTTP Strict Transport Security.

On Sat, Mar 9, 2019 at 5:53 PM Michael Sloan wrote:

...

I just encountered this when doing a "git pull" on my Ubuntu 18.04.1

machine:

...

...

fatal: unable to access 'https://gitlab.haskell.org/ghc/ghc/': server

certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

...

Chrome also believes that the certificate of https://gitlab.haskell.org/ghc/ghc is invalid and I have to click the "Proceed to ... (unsafe)" link. Chrome's certificate viewer shows that the certificate is for "gitlab.staging.haskell.org" whereas the domain is "gitlab.haskell.org", so I'm guessing that's the problem. I'm not very experienced with such cert stuff, but perhaps a wildcard cert like "*.haskell.org" could allow using the same cert regardless of whether it's on staging vs prod.

For now I've just done "git config --global http.sslverify false" temporarily to do the pull. Perhaps this is Shayne Fletcher's cheeky workaround? :)

-Michael

On Fri, Mar 8, 2019 at 10:23 PM Ben Gamari wrote:

...

Shayne Fletcher via ghc-devs writes:

...

I appreciate this isn't really "our" problem :) Nonetheless, if

there's any

...

...

...

config we can do on the repo on gitlab, that would be cool. Other URLs (like github) for example are fine - something specific to gitlab.

I feel like I'm missing something here. I recall you mentioned this in your previous message but there I'm still lacking crucial context. Can you offer any additional details? How exactly does it fail?

In principle there is no reason why cloning from gitlab.haskell.org from Travis shouldn't work. I'd be happy to fix the issue if there is one but without knowing more I'm pretty powerless to change the situation.

Cheers,

- Ben

_______________________________________________ ghc-devs mailing list ghc-devs@haskell.org http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs

---

ghc-devs mailing list ghc-devs@haskell.org http://mail.haskell.org/cgi-bin/mailman/listinfo/ghc-devs

-- brandon s allbery kf8nh allbery.b@gmail.com

On Sat, Mar 9, 2019 at 9:09 PM Michael Sloan wrote:

Ah, probably so, thanks!

On Sat, Mar 9, 2019 at 6:05 PM Brandon Allbery wrote:

...

I think the public name is pointed to the staging site because the main

one is down for the trac to github migration.

That's exactly it - been down Sat. I guess it will take as long as it takes!

...

...

...

...

For now I've just done "git config --global http.sslverify false"

...

...

temporarily to do the pull. Perhaps this is Shayne Fletcher's cheeky

...

workaround? :)

No, that ain't it :) -- This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at  http://www.digitalasset.com/emaildisclaimer.html http://www.digitalasset.com/emaildisclaimer.html. If you are not the intended recipient, please delete this message.