search

niemeyer / gopkg

Source code for the gopkg.in service.
Other
537 stars 85 forks source link

Unknown SSL protocol error in connection to gopkg.in:-9838 #49

Closed monoflash closed 11 months ago

monoflash commented 7 years ago 
$ go get gopkg.in/ini.v1
# cd .; git clone https://gopkg.in/ini.v1 ./src/gopkg.in/ini.v1
Cloning into './src/gopkg.in/ini.v1'...
fatal: unable to access 'https://gopkg.in/ini.v1/': Unknown SSL protocol error in connection to gopkg.in:-9838
package gopkg.in/ini.v1: exit status 128
$ go version
go version go1.7.4 darwin/amd64

I use macOS v10.12.3 (16D17a) This error is constant for several months, but on Linux there are no errors.

merlinran commented 7 years ago

@niemeyer I captured packets and found it may relate to TLS deployment of gopkg.in. See attached pcap file. gopkg.in.pcap.zip

I tried following command sequence:

 ~/.glide/cache/src/https-gopkg.in-redis.v5 ((HEAD detached at 8829ddc)) $ git fetch
fatal: unable to access 'https://gopkg.in/redis.v5/': Unknown SSL protocol error in connection to gopkg.in:-9838
 ~/.glide/cache/src/https-gopkg.in-redis.v5 ((HEAD detached at 8829ddc)) $ curl -L https://gopkg.in/redis.v5 > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  4083    0  4083    0     0   2502      0 --:--:--  0:00:01 --:--:--  2501
 ~/.glide/cache/src/https-gopkg.in-redis.v5 ((HEAD detached at 8829ddc)) $ curl -Lk https://gopkg.in/redis.v5 > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (35) Unknown SSL protocol error in connection to gopkg.in:-9838

With command 1 and 3 (packet 1-11, 49-60, respectively), the SSL handshake aborted by the server with "Internal Error",

image

while command 2 (packet 12-48) continues the handshake.

image

I'm using git 2.11.1 and curl 7.51.0 on macOS 10.12.3. I couldn't find more from the pcap, but maybe there are some useful information in server side logs?

monoflash commented 7 years ago

I realized that they did not believe it for a problem, but in macOS gopkg.in no longer works. I'm downloading repository on linux and gopkg.in no longer use.

niemeyer commented 7 years ago

There's no "they".. it's just me, @monoflash, and I'm happy to have as much help as possible to figure what the actual issue is. The evidence so far pointed in one direction, but we can always find more evidence and actually fix the problem!

@merlinran Thanks a lot for the details. Any chance you might run gopkg locally and try to find out what's actually breaking? Now that it supports Let's Encrypt, it's very easy (effortless really) to get a valid certificate for a domain you own.

merlinran commented 7 years ago

Cool @niemeyer I never thought running it locally can be so easy. I've been using Let's Encrypt a lot, will try to figure out

On Wed, 8 Feb 2017 at 9:40 PM Gustavo Niemeyer notifications@github.com wrote:

There's no "they".. it's just me, @monoflash https://github.com/monoflash, and I'm happy to have as much help as possible to figure what the actual issue is. The evidence so far pointed in one direction, but we can always find more evidence and actually fix the problem!

@merlinran https://github.com/merlinran Thanks a lot for the details. Any chance you might run gopkg locally and try to find out what's actually breaking? Now that it supports Let's Encrypt, it's very easy (effortless really) to get a valid certificate for a domain you own.

— You are receiving this because you were mentioned.

Reply to this email directly, view it on GitHub https://github.com/niemeyer/gopkg/issues/49#issuecomment-278331371, or mute the thread https://github.com/notifications/unsubscribe-auth/ABTmYE1tSFiHPwixUHaBYrrLup9E5kK0ks5racXlgaJpZM4LY6mz .

johnrichter commented 7 years ago

I've been fighting this issue for the past few days and I've boiled it down to git 2.11.1 and what seems to be HTTP 301 redirects.

I have two separate Apple devices running macOS 10.12.3. One had git 2.11.0 and the other 2.11.1. The device with 2.11 worked as expected and I could glide up just fine. When I upgraded it to 2.11.1 I was able to reproduce the issue exactly as I was seeing on the other device.

The git 2.11.1 release notes, specifically #1 and #2 could be causing this issue. The gopkg.in server is a bit behind at git 2.6.5 and my intuition says that we may be able to fix the issue simply by upgrading the version of git running on the server to 2.11.1.

I should note that git config --global http.sslVerify true does not solve the issue as it has for others in the past.

❯ git clone -vv http://gopkg.in/redis.v4
Cloning into 'redis.v4'...
Server supports multi_ack_detailed
Server supports no-done
Server supports side-band-64k
Server supports ofs-delta
Server version is git/2:2.6.5+github-1677-g18b65e2
want c938162545c57136fa59879746bc65d0f1db3d1e (HEAD)
want da44e5f58e6a243b796d53e60e69effb91292572 (refs/heads/feature/new-master)
want a91a4e3638d68f73a326a95c603e3edbd6cc6166 (refs/heads/feature/no-external-deps)
want 3c2e946206abf18b3ae3c9c8e7f628c565e01e29 (refs/heads/fix/cluster-subscribe)
want c938162545c57136fa59879746bc65d0f1db3d1e (refs/heads/master)
want b5e368500d0a508ef8f16e9c2d4025a8a46bcc29 (refs/heads/v3)
want c938162545c57136fa59879746bc65d0f1db3d1e (refs/heads/v4)
want 2fe9c5cc0a8da9faeba3a45511a4ece8f7e37dc2 (refs/heads/v5)
want f983688a00d9935d140b651b4e06db14d5671ab1 (refs/tags/v1)
want a53fda679b48e6ba8cba04fb3a20a5d027d042c2 (refs/tags/v2)
want f01a7e17e477bef273d92639de04301c06b5a0d7 (refs/tags/v2.1)
want 71998dd9cc9e8e3c35d3ddbf18eb185b9a900630 (refs/tags/v2.2)
want b81158be597bec4cebdbe0143bde42bc20e0f561 (refs/tags/v2.3)
want 4c0bebb1f6bee66cf2c6b0cab7e32dfa2a7ec4d8 (refs/tags/v2.3.1)
want 71a841858cf34ae42c357b5d8384836cc355876e (refs/tags/v2.3.2)
want 44a58ef06786c0f383a22ddc363dfa66a88eb784 (refs/tags/v3.0)
want cdfab22180f116c19fe0575451683bc800e4c2d9 (refs/tags/v3.0.1)
want 7b1eeda9c18cf02aca975a91c8bcd5604d59fa61 (refs/tags/v3.0.2)
want b1946ee532efdd01f4651214002abbf7e740bd99 (refs/tags/v3.0.3)
want 7ce4387ff8f4bb39bd0446cd14e8c89bc40d2fcc (refs/tags/v3.1.0)
want a9724894162e809eda1031fbc1bb4f2e154f9f2d (refs/tags/v3.1.1)
want faa7ed46bd55be18d606f9a2542d318fb1a47356 (refs/tags/v3.1.2)
want 651d0b06620784b860d84eb3ecf435985afd25b1 (refs/tags/v3.1.3)
want d36559f9ce085e75cccdb58e9a54e36621bfd4c1 (refs/tags/v3.1.4)
want 2cfe5df7d2593e20161594e4c02ebb305c9ccd8e (refs/tags/v3.1.5)
want 7baacea8fb3cb99899582abb6fa2b5c280ce015d (refs/tags/v3.2.0)
want 0c19d0be411de22fa3b1ec78319b668ea59e8335 (refs/tags/v3.2.1)
want eef3fd78ef0f78e8406339c27fd46c6af93f24ba (refs/tags/v3.2.10)
want 5d95a32e251b7a05692d61aa8648231e1b7b906f (refs/tags/v3.2.11)
want 0880b0b20c4d37f3ef05a561dbd66d138c795d6b (refs/tags/v3.2.12)
want 96fcac6a430e74927b638b73f373ad4d99de005b (refs/tags/v3.2.13)
want d1e774fa21682d9dc5dafec400d13a6f5eb8827d (refs/tags/v3.2.14)
want c72da86e4e66351bb4c564bbbe30daaa33756585 (refs/tags/v3.2.15)
want 7ea220f54db94ef0b305499d409e9887feaf536e (refs/tags/v3.2.16)
want 54a9acc11fe8e6aa91905e3c032aa8b4f871bc9b (refs/tags/v3.2.17)
want 5efe0cceb68267bdf055bcee062aa745aebd3e1c (refs/tags/v3.2.18)
want ba9dda7567ee6939c265e36f734e6ae3e014779a (refs/tags/v3.2.19)
want 2e21f6b3e7f1619919f674a3f92fd0e9a6d8a10d (refs/tags/v3.2.2)
want fb4fc5e880bbbb06627505b560425c0104dc1f65 (refs/tags/v3.2.20)
want 781f7f803d85b0281ab7bc4ea1173554c33c6f81 (refs/tags/v3.2.21)
want 745d73395e0b3fc51dcde381ae93902822ceca44 (refs/tags/v3.2.22)
want ba44d4d158d4f08b4271966798f81e1d1d9b3ba3 (refs/tags/v3.2.23)
want f6d6826d82cbb2b772de2387493d9520168e1893 (refs/tags/v3.2.24)
want 8319126d93f821c1a3c4abdd773c2ffb03c9245d (refs/tags/v3.2.25)
want aa0a9697d83d57be721f4ef8176d367c63873855 (refs/tags/v3.2.26)
want dd1ac33826064181d7abaa20d976eab31ec12b58 (refs/tags/v3.2.27)
want 3f059e5c53cd635382697546e6225f1437e3c5a2 (refs/tags/v3.2.28)
want 298fdec44579d427ee4c50483e5ccda1ebdcc204 (refs/tags/v3.2.29)
want fc28d0fa245616be3aa97e162086e71c75c92f6b (refs/tags/v3.2.3)
want 0382d1e980729491f4b0909b5a3309a98d49f718 (refs/tags/v3.2.30)
want 5710d6885258fd4e6e39a05f4347287c7db77382 (refs/tags/v3.2.4)
want 73e1e9f501e946d35387e30f49ef58adda82b4ee (refs/tags/v3.2.5)
want 152c38c687bfd75a1e6faa05944415cfe69c5c7b (refs/tags/v3.2.6)
want dace69da84434086a7a1268b621963f57ca03743 (refs/tags/v3.2.7)
want 1e9f53a8e7fe1a37ee5adb04fd0f9cc04bce378f (refs/tags/v3.2.8)
want 02154c3b3a1dfb783d9ceb94e10f0fc8451bddfc (refs/tags/v3.2.9)
want a4e4d1da06952ce90d8ec6604261c8a74432b282 (refs/tags/v3.3.0)
want 7116858f6796e0e82dd41581e8fe2988dddc1d4c (refs/tags/v3.3.1)
want f7d4933032ef7d641fcea89be8a7c27c83a6f011 (refs/tags/v3.3.2)
want eb78eedafec136fb90325a094fb4717f642734ab (refs/tags/v3.4.0)
want 4665ad860f6aa4cfbf83bf8f18da9db8dde1adb5 (refs/tags/v3.5.0)
want 50b2689809691f3f2aa01534ae2348d5e75289cc (refs/tags/v3.5.1)
want 7f594cdbe1afe86429ab542f76cf4539557b4dfa (refs/tags/v3.5.2)
want 9d394cc7fb0e4c1d768c3b1e1af0852f65e2c9b0 (refs/tags/v3.5.3)
want 998148be400d1e4d8928a746f3bd3bc147d7cbf5 (refs/tags/v3.5.4)
want d2ae7d870764d131887fa31a743bb50abbcf9384 (refs/tags/v3.6.0)
want b3514029955f38f2a1120b5c3ad59f241d9eecca (refs/tags/v3.6.1)
want 5183f8dcde9737db7583dbfa9881800dba26e3fa (refs/tags/v3.6.2)
want a905127dc89ca51a241eacf70757a40423ab93d0 (refs/tags/v3.6.3)
want b5e368500d0a508ef8f16e9c2d4025a8a46bcc29 (refs/tags/v3.6.4)
want 1bf10a61e2698abfa27266cb94573045bee7dc87 (refs/tags/v4.0.0)
want 65a64fe7aac20b56d8da4a8fd40d7c4bcffcc432 (refs/tags/v4.0.1)
want eca5d02f24a99706525f77f544deee8e7894f26c (refs/tags/v4.0.2)
want bc66ed0ebaa2b2a5f55935d45265b6885e2b22ff (refs/tags/v4.1.0)
want 1324657ba9910bf5ebed1435519e2e913802cfbe (refs/tags/v4.1.1)
want 938235994ea88a05678f8060741d5f34ed6a5ff3 (refs/tags/v4.1.10)
want ea5960170faa157952a4d49d277fd5a8b10e52eb (refs/tags/v4.1.11)
want bb84d84aeaa98b3c5c887264031b294cc7ca860c (refs/tags/v4.1.12)
want 0b8675fa4582105c8f54e08d3e0e6ad8f7df0546 (refs/tags/v4.1.2)
want 909c26e76cb93c5fc81469418ab6d05e7725ba53 (refs/tags/v4.1.3)
want 342961af9ec580f6cab8f29d8782905c71dd9f5c (refs/tags/v4.1.4)
want 49f197e6d11de35192fce19b2b9fd2f9b8b13c4a (refs/tags/v4.1.5)
want 788a36eee7796dbad237c33f9f73873a7feee292 (refs/tags/v4.1.6)
want 4b0862b5fd0a5ae4e63c76476a64655752d6031b (refs/tags/v4.1.7)
want 60d35dfc25b19100aeb564a98f74700efb9ab92e (refs/tags/v4.1.8)
want 1a0bda80bfc37ac0c4dcdf82dd4844fd5352f0b2 (refs/tags/v4.1.9)
want a7d1d0b9ac18e46d986729d8b71ad25d6a23986b (refs/tags/v4.2.0)
want 5a272d03b960a72c61e5025a7d6e8da5d8815442 (refs/tags/v4.2.1)
want 1579a9df5f42def33a507a1b4174e128d437a0ba (refs/tags/v4.2.2)
want 8a8d997ad58dc600d2ff0f64914102192f3b51ac (refs/tags/v4.2.3)
want c938162545c57136fa59879746bc65d0f1db3d1e (refs/tags/v4.2.4)
want 6f8957c5b7dece15d1ea5f592ec88f46ee2deffa (refs/tags/v5.0.0)
want 80cf5d1652d5590c35edc6c2dc1aa354790e3010 (refs/tags/v5.0.1)
want b6bfe529a846fbb9a58c832ce71c61b6fde12c15 (refs/tags/v5.0.2)
want c9856861674f102a5f51104c36401a3cf691739c (refs/tags/v5.1.0)
want e7f23a300bf5f75d2a658cc07233f025362a24f6 (refs/tags/v5.1.1)
want 854c88a72c8bb9c09936145aef886b7697d6b995 (refs/tags/v5.1.2)
want c6acf2ed159b22defbd9f077686cff03eba1e9b3 (refs/tags/v5.1.3)
want 5e76db680467ebce5495cc2159a9289a6851d773 (refs/tags/v5.1.4)
want 5e76db680467ebce5495cc2159a9289a6851d773 (refs/tags/v5.1.5)
want b7bae3a78050e2e7ec2130a05cde296a9ff2e9c0 (refs/tags/v5.1.6)
want 8fcba2ea878201b70c5a63dd416141d4ddbc601a (refs/tags/v5.1.7)
want b9cc17bae020d9c1f467ca0f27d7706c1683c370 (refs/tags/v5.2.0)
want 6da05abbaa03e90e5878f0ab711478698609fe96 (refs/tags/v5.2.1)
want 8829ddcd8bdb333e477cc845946c4b9b2ef66280 (refs/tags/v5.2.2)
want 9cd49656897843b8f2bf3d9639230cb7aec90d6c (refs/tags/v5.2.3)
want 2fe9c5cc0a8da9faeba3a45511a4ece8f7e37dc2 (refs/tags/v5.2.4)
done
POST git-upload-pack (gzip 5441 to 2639 bytes)
error: RPC failed; HTTP 301 curl 22 The requested URL returned error: 301
fatal: The remote end hung up unexpectedly

The glide error that led me here

[WARN]  Unable to checkout gopkg.in/redis.v4
[ERROR] Update failed for gopkg.in/redis.v4: Unable to get repository
[WARN]  Unable to checkout gopkg.in/bsm/ratelimit.v1
[ERROR] Update failed for gopkg.in/bsm/ratelimit.v1: Unable to get repository
[ERROR] Failed to do initial checkout of config: Unable to get repository
Unable to get repository
joesis commented 7 years ago

@johnrichter https://github.com/niemeyer/gopkg/issues/50#issuecomment-273299592 would solve the 301 redirect issue

johnrichter commented 7 years ago

I spoke too soon yesterday as it did indeed solve the redirect problem. I'm not an expert on running git servers, but it seems that a more appropriate error message should be given to clients which run into this issue. Especially as 2.11.1 gains popularity.

We used to give sensible error message only upon 404, but we now forbid unexpected redirects that needs to be reported with something sensible.

merlinran commented 7 years ago

Finally have time to get it running on one of my test server. curl -vLk https://xxx causes:

2017/02/14 10:18:15 http: TLS handshake error from <masked>: acme/autocert: missing server name

It's expected of course. It explains why git fails when sslVerify is not set / default to true. Code triggers the error is here

pdf commented 7 years ago

@johnrichter I believe your issue is #50, rather than this one. You can find a temporary workaround there until gopkg is updated.

niemeyer commented 7 years ago

No need to change the configuration anymore. We've changed gopkg.in itself to support the new git quirks.

teancom commented 7 years ago

FYI, on OS X 10.12.3, go 1.8, and git 2.12.0, I was having this issue until I ran git config --global http.sslVerify true.

justlaputa commented 7 years ago

I still met the problem even after git config --global http.sslVerify true:

~ ❯❯❯ git --version        
git version 2.10.1 (Apple Git-78)
~ ❯❯❯ go version 
go version go1.8 darwin/amd64
~ ❯❯❯ git clone https://gopkg.in/fatih/pool.v2 /Users/laputa/workspace/go/src/gopkg.in/fatih/pool.v2                                                                                               
Cloning into '/Users/laputa/workspace/go/src/gopkg.in/fatih/pool.v2'...
fatal: unable to access 'https://gopkg.in/fatih/pool.v2/': Unknown SSL protocol error in connection to gopkg.in:-9838
merlinran commented 7 years ago

@justlaputa You may try GIT_CURL_VERBOSE=1 GIT_TRACE=1 git ... to see what exactly happens

justlaputa commented 7 years ago

seems not so much new information

~ ❯❯❯ GIT_CURL_VERBOSE=1 GIT_TRACE=1 git clone https://gopkg.in/fatih/pool.v2 /Users/laputa/workspace/go/src/gopkg.in/fatih/pool.v2                                               
15:35:49.110194 git.c:350               trace: built-in: git 'clone' 'https://gopkg.in/fatih/pool.v2' '/Users/laputa/workspace/go/src/gopkg.in/fatih/pool.v2'
Cloning into '/Users/laputa/workspace/go/src/gopkg.in/fatih/pool.v2'...
15:35:49.122374 run-command.c:336       trace: run_command: 'git-remote-https' 'origin' 'https://gopkg.in/fatih/pool.v2'
* Couldn't find host gopkg.in in the .netrc file; using defaults
*   Trying 45.33.37.13...
* TCP_NODELAY set
* Connected to gopkg.in (45.33.37.13) port 443 (#0)
* Unknown SSL protocol error in connection to gopkg.in:-9838
* Curl_http_done: called premature == 1
* Closing connection 0
fatal: unable to access 'https://gopkg.in/fatih/pool.v2/': Unknown SSL protocol error in connection to gopkg.in:-9838
merlinran commented 7 years ago

So it looks exactly what will happen if you curl -vLk https://gopkg.in/fatih/pool.v2, in other words, the http.sslVerify is still false for some reason.

Please see my experiment above https://github.com/niemeyer/gopkg/issues/49#issuecomment-278242415

justlaputa commented 7 years ago

checked again my git config:

~ ❯❯❯ git config --list    
...
http.sslverify=true

still same error on git clone,

justlaputa commented 7 years ago

anyway I solved by manually clone for mgo, in case anyone need it:

git clone -b v2 git@github.com:go-mgo/mgo.git $GOPATH/src/gopkg.in/mgo.v2
git clone -b v2 git@github.com:go-tomb/tomb.git $GOPATH/src/gopkg.in/tomb.v2
git clone -b v2 git@github.com:go-yaml/yaml.git $GOPATH/src/gopkg.in/yaml.v2
git clone -b v1 git@github.com:go-check/check.git $GOPATH/src/gopkg.in/check.v1
silverwind commented 7 years ago

This is caused a bug in Apple's SecureTransport library as described in https://github.com/curl/curl/issues/998#issuecomment-245210625.

gopkg.in does not run on a dedicated IP address, so can only serve clients that support the SNI extension. Unfortunately, Apple has decided to disable SNI when cert checks are disabled, which is totally unnecessary.

So either moving gopkg.in to a dedicated IP or use git that's compiled against something else than SecureTransport, e.g. brew reinstall git --with-openssl.

carstenhag commented 6 years ago

@silverwind hey, I tried to fix it with brew reinstall git --with-openssl but unfortunately it doesn't seem to fix it.

I am still having this gopkg issue on macOS Sierra 10.12.6 and go 1.9.

dossy commented 6 years ago

On OSX, there can be several copies of git beyond the one you install with Homebrew, so be careful:

$ PATH=/usr/bin git --version
git version 2.10.1 (Apple Git-78)

$ PATH=/Applications/Xcode.app/Contents/Developer/usr/bin git --version
git version 2.10.1 (Apple Git-78)

$ PATH=/usr/local/bin git --version
git version 2.15.1
stantonxu commented 6 years ago

git config --global http.sslVerify true fixes the problem for me, with macOS 10.12.4, Go 1.10.2, git 2.17.0

keltia commented 6 years ago

I just hit that as well, using git 2.17.0 though Homebrew but using --with-openssl. The last comment did fix it too.

niemeyer commented 11 months ago

I assume this has settled down by now.