From fae01019c9235bd289aeec1a6ed169e4017d1ebe Mon Sep 17 00:00:00 2001
From: Manuel Kaufmann
Date: Tue, 5 Oct 2021 10:14:19 +0200
Subject: [PATCH 1/2] Build: update ca-certificates before cloning
This is a temporal solution while we decide how to fix the real problem. For now, we are installing a newer version of `ca-certificates` before starting to clone the repository. Reference #8555
---
 readthedocs/projects/tasks.py | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/readthedocs/projects/tasks.py b/readthedocs/projects/tasks.py
index b2e292f40aa..a2a96668273 100644
--- a/readthedocs/projects/tasks.py
+++ b/readthedocs/projects/tasks.py
@@ -901,6 +901,23 @@ def setup_vcs(self, environment):
 """
 environment.update_build(state=BUILD_STATE_CLONING)
+ # Install a newer version of ca-certificates packages because it's
+ # required for Let's Encrypt certificates
+ # https://github.com/readthedocs/readthedocs.org/issues/8555
+ # https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816
+ # TODO: remove this when a newer version of ``ca-certificates`` gets
+ # pre-installed in the Docker images
+ self.setup_env.run(
+ 'apt-get', 'update', '--assume-yes', '--quiet',
+ user=settings.RTD_DOCKER_SUPER_USER,
+ record=False,
+ )
+ self.setup_env.run(
+ 'apt-get', 'install', '--assume-yes', '--quiet', 'ca-certificates',
+ user=settings.RTD_DOCKER_SUPER_USER,
+ record=False,
+ )
+
 log.info(
 LOG_TEMPLATE,
 {
From 84a867ba36e14e6ef51809ae99177f47ebd03cc7 Mon Sep 17 00:00:00 2001
From: Manuel Kaufmann
Date: Tue, 5 Oct 2021 17:51:08 +0200
Subject: [PATCH 2/2] Install `ca-certificates` under a feature flag
---
 readthedocs/projects/models.py | 5 +++++
 readthedocs/projects/tasks.py | 21 +++++++++++----------
 2 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/readthedocs/projects/models.py b/readthedocs/projects/models.py
index 52a79670fea..c6f5c2d9b77 100644
--- a/readthedocs/projects/models.py
+++ b/readthedocs/projects/models.py
@@ -1642,6 +1642,7 @@ def add_features(sender, **kwargs):
 ALL_VERSIONS_IN_HTML_CONTEXT = 'all_versions_in_html_context'
 CACHED_ENVIRONMENT = 'cached_environment'
 LIMIT_CONCURRENT_BUILDS = 'limit_concurrent_builds'
+ UPDATE_CA_CERTIFICATES = 'update_ca_certificates'
 # Versions sync related features
 SKIP_SYNC_TAGS = 'skip_sync_tags'
@@ -1725,6 +1726,10 @@ def add_features(sender, **kwargs):
 LIMIT_CONCURRENT_BUILDS,
 _('Limit the amount of concurrent builds'),
 ),
+ (
+ UPDATE_CA_CERTIFICATES,
+ _('Update ca-certificates Ubuntu package before VCS clone'),
+ ),
 # Versions sync related features
 (
diff --git a/readthedocs/projects/tasks.py b/readthedocs/projects/tasks.py
index a2a96668273..26215e12de7 100644
--- a/readthedocs/projects/tasks.py
+++ b/readthedocs/projects/tasks.py
@@ -907,16 +907,17 @@ def setup_vcs(self, environment):
 # https://community.letsencrypt.org/t/openssl-client-compatibility-changes-for-let-s-encrypt-certificates/143816
 # TODO: remove this when a newer version of ``ca-certificates`` gets
 # pre-installed in the Docker images
- self.setup_env.run(
- 'apt-get', 'update', '--assume-yes', '--quiet',
- user=settings.RTD_DOCKER_SUPER_USER,
- record=False,
- )
- self.setup_env.run(
- 'apt-get', 'install', '--assume-yes', '--quiet', 'ca-certificates',
- user=settings.RTD_DOCKER_SUPER_USER,
- record=False,
- )
+ if self.project.has_feature(Feature.UPDATE_CA_CERTIFICATES):
+ self.setup_env.run(
+ 'apt-get', 'update', '--assume-yes', '--quiet',
+ user=settings.RTD_DOCKER_SUPER_USER,
+ record=False,
+ )
+ self.setup_env.run(
+ 'apt-get', 'install', '--assume-yes', '--quiet', 'ca-certificates',
+ user=settings.RTD_DOCKER_SUPER_USER,
+ record=False,
+ )
 log.info(
 LOG_TEMPLATE,
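Review bot: Both `self.setup_env.run(...)` calls under `if self.project.has_feature(Feature.UPDATE_CA_CERTIFICATES):` in the tasks.py hunk discard their result and pass `record=False`, so a failed `apt-get update` or `apt-get install` run as `settings.RTD_DOCKER_SUPER_USER` would leave no trace in the build record and the clone would go ahead with the old CA bundle; the same two calls are introduced unconditionally by the tasks.py hunk of PATCH 1/2. Whether `run` raises on a non-zero exit is not visible here, so the silent-failure part is an assumption to confirm. Because these commands change the trust store that authenticates the VCS remote, I would make them auditable with `record=True,` on both calls, or at least log the outcome of each. The `TODO` above the block should also name the flag so both are removed together, e.g. `# TODO: remove this block and ``Feature.UPDATE_CA_CERTIFICATES`` once a newer ``ca-certificates`` is pre-installed in the Docker images`. `setup_vcs` starts and ends outside the hunk.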