clojars

http://clojars.org discussion and “support”, see http://status.clojars.org for status.
seancorfield 2021-02-21T18:29:26.003300Z

Purely FYI, yesterday I was trying to deploy a new release of depstar and it was failing from my WSL2 (Ubuntu) machine but succeeding from my Mac -- both times using the same version of deps-deploy. I ran a bit of debugging from WSL2 and saw this:

seanc@DESKTOP-30ICA76:~/oss/depstar$ echo -n | openssl s_client -CApath /etc/ssl/certs/ -connect <http://clojars.org:443|clojars.org:443>
CONNECTED(00000003)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
verify return:1
depth=0 CN = <http://clojars.org|clojars.org>
verify error:num=9:certificate is not yet valid
notBefore=Feb 21 00:00:00 2021 GMT
verify return:1
depth=0 CN = <http://clojars.org|clojars.org>
notBefore=Feb 21 00:00:00 2021 GMT
verify return:1
Obviously, today that is fine -- but it looks like the new certificate was applied to http://clojars.org a bit early? I guess I'm just surprised why that would error out on some systems but not on others. Here's the error I ran into:
seanc@DESKTOP-30ICA76:~/oss/depstar$ clojure -X:deploy
Deploying seancorfield/depstar-2.0.187 to repository clojars as seancorfield
Sending seancorfield/depstar/2.0.187/depstar-2.0.187.pom (2k)
    to <https://clojars.org/repo/>
Could not transfer artifact seancorfield:depstar:pom:2.0.187 from/to clojars (<https://clojars.org/repo>): PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
Sending seancorfield/depstar/2.0.187/depstar-2.0.187.jar (13k)
    to <https://clojars.org/repo/>
Could not transfer artifact seancorfield:depstar:jar:2.0.187 from/to clojars (<https://clojars.org/repo>): PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
Execution error (CertificateNotYetValidException) at sun.security.x509.CertificateValidity/valid (CertificateValidity.java:273).
NotBefore: Sat Feb 20 16:00:00 PST 2021

2021-02-21T19:05:18.003400Z

Interesting - what time (UTC) was it when you saw the failure Sean? We use AWS's automated certificate management, and it handles creating and applying the new certs for us. Looking at the AWS console, it claims that the cert was created at 2021-02-21T00:28:31UTC and applied it at 2021-02-21T00:29:13UTC, so I would only expect a client to complain if it thought the current time was before that

seancorfield 2021-02-21T20:03:15.003600Z

"Saturday afternoon Pacific time" is about as close as I can be on that. I just noticed that WSL2 is reporting a time that is earlier than the system clock so it has drifted out of sync (I've had my WSL2 running for a long time). It may well have drifted far enough that WSL2 didn't think midnight UTC had been reached... interesting...

seancorfield 2021-02-21T20:04:22.003800Z

Hmm, restarted it and it still is behind the system time. OK, will research how/why that happens.

seancorfield 2021-02-21T20:11:58.004Z

https://tomssl.com/fixing-clock-drift-in-wsl2-using-windows-terminal/ -- oh well, TIL!

2021-02-21T20:12:23.004300Z

Glad you got it figured out!

seancorfield 2021-02-21T20:14:22.004500Z

This (clojars deploy) was the first time I'd ever noticed the issue -- and it was hours off when I actually checked it! 🙂 Sorry for the noise, but your response pointed me in the right direction!

2021-02-21T20:17:16.004700Z

You just go lucky with the yearly cert rotation :)