gigalixir / gigalixir-cli

MIT License

Problem with expired cert with brand new project #89

Closed sodapopcan closed 3 years ago

sodapopcan commented 3 years ago

Hello,

I'm not sure where else to ask this. Every time I click "help" in the web console, it takes me to hey.com for some reason (I don't have a hey.com address) and the help link itself has no email in it.

So the problem in a nutshell is that whenever I try and git push gigalixir master I get:

fatal: unable to access 'https://git.gigalixir.com/myappname.git/': SSL certificate problem: certificate has expired

(myappname isn't my actual app name)

When I inspect the certificate it is a: "Kubernetes Ingress Controller Fake Certificate"

According to the guide, a certificate should be generated for me. I'm trying with a custom domain but I've also tried with a standard gigalixir subdomain.

I've tried with different versions of Elixir and OTP but the latest is:

# elixir_buildpack.config
elixir_version=1.12.3
erlang_version=24.0

My prod.exs looks like this:

  server: true,
  http: [port: {:system, "PORT"}],
  url: [host: "mydomain.com", port: 443], # Note, I have my actual domain there
  secret_key_base: Map.fetch!(System.get_env(), "SECRET_KEY_BASE"),
  force_ssl: [rewrite_on: [:x_forwarded_proto]],

And I have set both my APP_NAME and SECRET_KEY_BASE with the gigalixir cli tool.

Is it obvious what I'm doing wrong?

I'm hoping filing this issue will work as rubber ducking; otherwise I hope you can help.

Thank you!

sodapopcan commented 3 years ago

Possibly another pertinent piece of info: I'm not using a relational database, just plain Phoenix.

shubie commented 2 years ago

How did you get this to work?

sodapopcan commented 2 years ago

@shubie I ended up contacting support and Jesse let me know that Let's Encrypt recently changed their root certificate, which caused some problems for a small number of folks.

From Jesse:

Essentially, when your machine connects to git.gigalixir.com, it downloads the SSL certificate and then verifies it. It verifies it based on the CA certificates you have stored on your local machine. It's likely that your local machine has the old Let's Encrypt certificate and needs to be updated to include the new one.

What you want to do is edit /etc/ssl/certs.pem and delete the offending certificate from there. That's what worked for me, at least. I'm on macOS.

Sorry, I should have updated this issue when I closed it.