Last night I attempted to make a new Panopoly 1.7 release for Drupal 7.29. I'm getting a packaging error:
Build for panopoly-7.x-1.7-no-core failed:
>> Unable to download tinymce from https://github.com/downloads/tinymce/tinymce/tinymce_3.5.8.zip.
Here's the release node:
https://www.drupal.org/node/2304621
That URL for tinymce works fine! Panopoly builds correctly using drush make
locally. Also, that URL matches the whitelist entry:
https://www.drupal.org/node/1404056
I've also verified the .make file using drush verify-makefile
(it's actually part of our CI that runs on every commit).
The HotSauce distribution has reportedly had the same problem when trying to make a release of their Panopoly-based distribution.
Proposed solution (based on comments below)
According to @drumm, @isntall and @basic, this is an issue with how GitHub is configured, but for some reason it only trips up the older 'wget' installed on the machine that runs the packager. The solution will be to update 'wget' so it doesn't error out anymore.
Comment | File | Size | Author |
---|---|---|---|
Selection_136.png | 23.06 KB | dsnopek |
Comments
Comment #1
areynolds CreditAttribution: areynolds commented+1 on this, we saw this error on Hotsauce, even after deleting all releases and trying to create a couple new ones, none of our releases are getting built (although strangely this error hasn't popped up again, the releases just never get built).
Comment #2
drumm--no-cache
is used when drush make is executed, I don't think it is caching.Internally, drush tries to execute something like
Not being able to establish an SSL connection is the problem.
Comment #3
drummBoth curl and wget can't complete the SSL handshake on util and git7site. They can on stagingwww1. Some package(s) for the OS need to be updated.
Comment #4
drummI put in a support request to GitHub support in case util.drupal.org accidentally got blocked on their end.
curl -vLk https://github.com/downloads/tinymce/tinymce/tinymce_3.5.8.zip > /dev/null
After the redirect, it returns:
Since -k should tell curl to allow the certificate to go unchecked, and this still doesn't download the file, I'm thinking being blocked is a possibility.
Comment #5
dsnopekWow, this is turning out to be quite complex. :-/
@drumm: Thanks for digging into this! Please let me know if there is any way I can help.
Comment #6
dsnopekJust in case this helps: I think this broke on June 21st. The reason I think that, is that is when Panopoly's last -dev release was packaged (excepting the broken one I made on July 19th, when trying the alternate download URL for TinyMCE).
Anyway, that might not be useful at all, but I figured I throw it in here just in case. :-)
Comment #7
isntall CreditAttribution: isntall commentedShort summary: It looks like the GitHub has a misconfigured AWS CloudFront.
Longer Summary: The AWS CloudFront that GitHub is using isn't properly handling
the secure port and so openssl chokes on it
For this instance trying to download
https://github.com/downloads/tinymce/tinymce/tinymce_3.5.8.zip
redirects to
https://cloud.github.com/downloads/tinymce/tinymce/tinymce_3.5.8.zip
which is a CNAME to
https://d24z2fz21y4fag.cloudfront.net
Checking the SSL port with
yeilds
For a baseline I looked at github.com and a random CloudFront instance provided by AWS itself
which worked properly
Newer versions of openssl give the error, but newer wget/curl seem to at least get past the error.
Comment #8
basic CreditAttribution: basic commented@dsnopek, while we are debugging this issue with cloud.github.com, SNI, and our versions of wget, openssl and curl, could you switch the URL for tinymce to http://download.moxiecode.com/tinymce/tinymce_3.5.8.zip ?
This is a workaround, but will at least work until @isntall can find a resolution with github's support people.
Comment #9
dsnopek@basic: Sure, that'd be fine! However, I'm planning to wait until Drupal 7.30 is released before attempting another release, because the regression in 7.29 does affect Panopoly. David_Rothstein said they might get that out "early this week" on: #2305017: Regression: Files or images attached to certain core and non-core entities are lost when the entity is edited and saved
But thanks for all your help! :-)
Comment #10
dsnopekOk! I've successfully made a Panopoly 1.8 release with the alternate URL:
https://www.drupal.org/node/2309781
I'm going to leave this issue open, but change the title and description a little bit so it's about the GitHub/wget issue rather than Panopoly.
Thanks again, @drumm, @basic and @isntall, for all of your help! :-)
Comment #11
pirog CreditAttribution: pirog commentedAwesome! Glad to see the issue has been isolated and that a workaround exists in the meantime!
Comment #12
heilop CreditAttribution: heilop commentedThanks,
I had this problem, but i am using 'wget' for now.
Comment #13
xtfer CreditAttribution: xtfer commentedFWIW, this has also hit the aGov distro...
Comment #14
kreynen CreditAttribution: kreynen commentedhttps://www.drupal.org/node/2248207#comment-9032027
Comment #15
Damien Tournoud CreditAttribution: Damien Tournoud commentedcloud.github.com
(aliased tod24z2fz21y4fag.cloudfront.net
) is using the standard SNI-based SSL, not the (excruciatingly expensive) dedicated IP SSL mode. It works perfectly for me:(Note that
s_client
only sends a SNI if explicitly asked.)So do we have a version of wget installed that doesn't actually support SNI properly?
Comment #16
isntall CreditAttribution: isntall commentedIn short yes.
That box is CentOS 5 and without build an custom openssl and wget, SNI is a stopper.
Comment #17
drummI talked this over with basic and isntall, but neglected to update this issue. What we will do is move packaging from util to jenkins1. This makes a lot of sense for various infrastructure reasons and gets this running on a CentOS 6 box.
The one thing we need to do is resolve #1028950: Fix packaging scripts to checkout from sane/stable Git URLs instead of hard-coding the local filesystem. The rest of the work is relatively straightforward, and some QA.
QA will be a lot easier for me if the issue summary has a list of failing release node URLs. I'll be triggering packaging on them to make sure they work.
Comment #18
drummMoving this back to Infra, since I realized #1028950: Fix packaging scripts to checkout from sane/stable Git URLs instead of hard-coding the local filesystem exists to track the drupalorg code change.
Comment #19
drumm#1028950: Fix packaging scripts to checkout from sane/stable Git URLs instead of hard-coding the local filesystem is now deployed and working well. I found a second blocker to moving packaging, #1268120: Use the project packaging checkout to create dependencies instead of checking out the code
Comment #20
drumm#1268120: Use the project packaging checkout to create dependencies instead of checking out the code is actually not an issue, so I'm moving forward with testing this. I'll be repackaging affected releases on jenkins1 to test everything out.
Comment #21
drummI repackaged panopoly 7.x-1.7 https://www.drupal.org/node/2304621. The unable to download error disappeared, but -dev modules have drifted enough that 3 patches no longer apply. I'll need to find a release which is currently failing because of only this to really test it out.
Comment #22
drummAfter testing repackaging drupalorg and a few other distros, I moved all packaging over to jenkins1.
Comment #23
dsnopekAwesome! Thanks, everyone, for putting so much time into this!
Hrm. I don't think this is possible. When we use -dev versions, we ALWAYS specify Git revision numbers, so running an old .make file should be deterministic. In fact, I just ran the Panopoly 1.7 .make file locally to verify, and it worked! All those patches applied fine. I think something else must be going on here... Can you get the full drush output?
We're planning to make a new release today (for an SA to contrib module we bundle), so I guess that'll be a good test to see if the packager is working correctly. :-)
Comment #24
dsnopekOk, so I got those same errors when trying to make a new release today. I've opened a new issue for it here:
#2321313: Packager is unable to apply certain patches which apply fine locally