Zemke-Rhyne SSH authorized keys method can't fetch keys from DevCentral
Closed, Resolved · Public

Description

Conduit call to Passphrase to fetch SSH key doesn't work anymore.

Current code:

public static function getPublicKey ($id) {
    //Calls conduit with a passphrase.query request
    $request = new ConduitPassphraseQueryRequest(
        [$id], true, false
    );
    $reply = $request
             ->query()
             ->getReply();

    //Gets the first property of the response.data object,
    //then the material.publicKey property
    $data = (Array)$reply->response->data;
    $firstDataItem = array_shift($data);

    $key = $firstDataItem->material->publicKey;
    return trim($key);
}

Actual result:

$ ssh ysul
$ sudo su - zr
$ php bin/getpublickeys
from="172.27.26.49,dwellers.nasqueron.drake,dwellers.nasqueron.org",no-port-forwarding,no-x11-forwarding,no-agent-forwarding  Zemke-Rhyne
from="equatower.nasqueron.org",no-port-forwarding,no-x11-forwarding,no-agent-forwarding  Zemke-Rhyne
from="docker-001.nasqueron.org",no-port-forwarding,no-x11-forwarding,no-agent-forwarding  Zemke-Rhyne

Expected: the same file, with the relevant SSH keys.

Passphrase config: keys can only be fetched if Conduit access is allowed. This is the case for the key in K2 (Dwellers) since Nov 20 2014, 00:39. It isn't locked.

Event Timeline

Apparently, we can't connect anymore to Conduit:

[cURL/60] (https://devcentral.nasqueron.org/api/user.whoami) <CURLE_SSL_CACERT> There was an error verifying the SSL connection. This usually indicates that the remote host has an SSL certificate for a different domain name than you are connecting with. Make sure the certificate you have installed is signed for the correct domain.
(Run with `--trace` for a full exception trace.)
[2022-01-07 22:22:27] ERROR 8192: implode(): Passing glue string after array is deprecated. Swap the parameters at [/opt/phabricator/libphutil/src/utils/utils.php:1706]
arcanist(head=production, ref.master=c471983697b3, ref.production=2f214fff0d9a), phutil(head=f51f1b3f72b50246949d0917239ca84f39ec7a54, ref.master=720c8116845b)
  #0 implode(array, string) called at [<phutil>/src/utils/utils.php:1706]
  #1 phutil_build_http_querystring_from_pairs(array) called at [<phutil>/src/utils/utils.php:1678]
  #2 phutil_build_http_querystring(array) called at [<phutil>/src/future/http/HTTPSFuture.php:656]
  #3 HTTPSFuture::formatRequestDataForCURL() called at [<phutil>/src/future/http/HTTPSFuture.php:280]
  #4 HTTPSFuture::isReady() called at [<phutil>/src/future/Future.php:37]
  #5 Future::resolve(NULL) called at [<phutil>/src/future/FutureProxy.php:34]
  #6 FutureProxy::resolve() called at [<phutil>/src/conduit/ConduitClient.php:64]
  #7 ConduitClient::callMethodSynchronous(string, array) called at [<arcanist>/src/workflow/ArcanistWorkflow.php:332]
  #8 ArcanistWorkflow::authenticateConduit() called at [<arcanist>/scripts/arcanist.php:356]
 Exception
[cURL/60] (https://devcentral.nasqueron.org/api/user.whoami) <CURLE_SSL_CACERT> There was an error verifying the SSL connection. This usually indicates that the remote host has an SSL certificate for a different domain name than you are connecting with. Make sure the certificate you have installed is signed for the correct domain.
(Run with `--trace` for a full exception trace.)

Per the previous comment, the issue comes from libphutil/Arcanist: it uses a certificate bundle, which we need to update.

Yet another consequence of the letsencrypt-R3 issue.

Fixed on Ysul, as it's the Zemke-Rhyne server.

General fix procedure

cd <libphutil or arcanist>/resources/ssl
wget -O default.pem https://curl.se/ca/cacert.pem

Fail loudly

Exceptions in Conduit don't seem to create any issue for our client code. D2447 offers to fail loudly if no key has been fetched.
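
One way to fail loudly at the point where the generator output is consumed, as an added example that is not Zemke-Rhyne's code or the D2447 change: a POSIX shell wrapper that rejects output shaped like the "Actual result" above before it can replace an authorized_keys file. The function names, the key-type pattern and the target path in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example (not Zemke-Rhyne code): gate authorized_keys updates on key presence.

# Shape of "<keytype> <base64 blob>" as it appears in an authorized_keys entry.
# This is a shape check only; it does not parse or validate the key itself.
KEY_RE='(^|[[:space:]])(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com)[[:space:]]+[A-Za-z0-9+/]+=*([[:space:]]|$)'

# Reads candidate authorized_keys content on stdin.
# Succeeds only if there is at least one entry and every entry carries a key.
check_keys() {
    total=0; bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac   # blank lines and comments
        total=$((total + 1))
        if ! printf '%s\n' "$line" | grep -Eq "$KEY_RE"; then
            echo "line $n: entry has no public key material" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$total" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Usage: refresh_authorized_keys TARGET GENERATOR [ARGS...]
# Writes generator output to a temp file next to TARGET and only renames it
# into place when the generator succeeded and every entry has a key.
refresh_authorized_keys() {
    target=$1; shift
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    if "$@" > "$tmp" && check_keys < "$tmp"; then
        chmod 600 "$tmp" && mv "$tmp" "$target"
    else
        rm -f "$tmp"
        echo "refusing to replace $target: generator failed or returned key-less entries" >&2
        return 1
    fi
}

# Assumed invocation (target path is hypothetical):
#   refresh_authorized_keys "$HOME/.ssh/authorized_keys" php bin/getpublickeys
```

On failure the previous file stays in place, so a key removed from Passphrase keeps working until a fetch succeeds; alert on the non-zero exit status.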

dereckson claimed this task.