Intermittent SSL issue trying to load iOS certificates #10934

OliverBrown-Next opened this issue Nov 8, 2024 · 17 comments
@OliverBrown-Next

Description

We have recently started getting SSL errors when trying to install iOS certificates. Our workflow related to this has not changed for a long time. It does work sometimes (with the same certificates) so I don't believe there are any problems with the certificates.

This happens on macOS 15 20241106.316 but we only very recently switched to macOS 15 and it happened on macOS 14 too.

Starting: Install Dist Apple certificate
==============================================================================
Task         : Install Apple certificate
Description  : Install an Apple certificate required to build on a macOS agent machine
Version      : 2.246.5
Author       : Microsoft Corporation
Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/install-apple-certificate
==============================================================================
/usr/local/bin/openssl pkcs12 -in /Users/runner/work/_temp/EnterpriseDistribution.p12 -nokeys -passin pass:*** | /usr/local/bin/openssl x509 -sha1 -noout -fingerprint -subject -dates -nameopt utf8,sep_semi_plus_space
Error outputting keys and certificates
40CBBC50F87F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
Could not find certificate from <stdin>
##[warning]Error parsing certificate. This might be caused by an unsupported algorithm. If you're using old certificate with a new OpenSSL version try to set -legacy flag in opensslPkcsArgs input.
##[error]Error: /usr/local/bin/openssl failed with return code: 1
Finishing: Install Dist Apple certificate


Platforms affected

  • Azure DevOps
  • GitHub Actions - Standard Runners
  • GitHub Actions - Larger Runners

Runner images affected

  • Ubuntu 20.04
  • Ubuntu 22.04
  • Ubuntu 24.04
  • macOS 12
  • macOS 13
  • macOS 13 Arm64
  • macOS 14
  • macOS 14 Arm64
  • macOS 15
  • macOS 15 Arm64
  • Windows Server 2019
  • Windows Server 2022

Image version and build link

Image: macos-15
Version: 20241106.316

Is it regression?

Yes

Expected behavior

Certificates install correctly.

Actual behavior

Certificates not installed.

Repro steps

Attempt to install iOS certificates. I don't know if it is something specific to the certificates I'm using though.

@OliverBrown-Next
Author

I've just discovered this issue, which seems to be the problem and may be a better place:

microsoft/azure-pipelines-tasks#20628

@OliverBrown-Next
Author

Based on the discussion (and looking at recent runs) I suspect this was intermittent on macOS 14 as the updated agent was rolling out, but is every time on macOS 15.

@susmitamane
Contributor

@OliverBrown-Next We will look into the issue and keep you posted with updates.

@thisisthekap

Seems like macos-15 20241106.316 requires us to add opensslPkcsArgs: -legacy to the InstallAppleCertificate@2 task. But for older image versions (e.g. macos-15 20241022.244) we must not add this line (otherwise the build fails because the legacy argument seems to be unsupported for that case).

The issue that we are currently facing: macOS-15 20241106.316 does not seem to be rolled out to all hosted agents as of now.

@thedee

thedee commented Nov 13, 2024

I get this same error when doing:
vmImage: 'macos-15'
sudo xcode-select -s /Applications/Xcode_16.app/Contents/Developer

@rkops-bd

even with opensslPkcsArgs: -legacy this problem happens

@amit-thapa

> Seems like macos-15 20241106.316 requires us to add opensslPkcsArgs: -legacy to the InstallAppleCertificate@2 task. But for older image versions (e.g. macos-15 20241022.244) we must not add this line (otherwise the build fails because the legacy argument seems to be unsupported for that case).
>
> The issue that we are currently facing: macOS-15 20241106.316 does not seem to be rolled out to all hosted agents as of now.

This is what is currently happening to me: macos-15 20241106.316 works like a charm and macos-15 20241022.244 doesn't.

@amit-thapa

> even with opensslPkcsArgs: -legacy this problem happens

Depends which version of macos-15 was assigned to the runner

@rkops-bd

> > Seems like macos-15 20241106.316 requires us to add opensslPkcsArgs: -legacy to the InstallAppleCertificate@2 task. But for older image versions (e.g. macos-15 20241022.244) we must not add this line (otherwise the build fails because the legacy argument seems to be unsupported for that case).
> > The issue that we are currently facing: macOS-15 20241106.316 does not seem to be rolled out to all hosted agents as of now.
>
> This is what is currently happening to me macos-15 20241106.316 works like a charm and macos-15 20241022.244 doesn't.

can confirm!

@brentpi

brentpi commented Nov 15, 2024

I converted my key using the following guide; and the issue is resolved:

https://www.docuseal.com/docs/convert-legacy-p12-pfx-files-to-support-openssl-3

Can confirm that legacy, provider legacy, etc did not work prior to having to convert the key.

@amit-thapa

> I converted my key using the following guide; and the issue is resolved:
>
> https://www.docuseal.com/docs/convert-legacy-p12-pfx-files-to-support-openssl-3
>
> Can confirm that legacy, provider legacy, etc did not work prior to having to convert the key.

Hi, what did you use to convert it, just regular cmd?

@sven-s

sven-s commented Nov 15, 2024

I have the same problem also with the image 20241106.316.

/usr/local/bin/openssl pkcs12 -in /Users/runner/work/_temp/Certificate.p12 -nokeys -passin pass:xxxxxx | /usr/local/bin/openssl x509 -sha1 -noout -fingerprint -subject -dates -nameopt utf8,sep_semi_plus_space
Error outputting keys and certificates
40FB9549F87F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
Could not find certificate from <stdin>
##[warning]Error parsing certificate. This might be caused by an unsupported algorithm. If you're using old certificate with a new OpenSSL version try to set -legacy flag in opensslPkcsArgs input.
##[error]Error: /usr/local/bin/openssl failed with return code: 1
Finishing: Install cert

Image 20241022.244 runs fine for me, but how to set the image version as a demand?

Edit: I converted the certificate with the link provided and now everything runs fine. @amit-thapa I used just the terminal on my mac, on windows I would try the git bash

Edit again: While the new certificate is running fine with image version 20241106.316, it fails with image version 20241022.244. There is something really rotten.

@CPRmichel

Same error in our pipelines, when is a fix planned?

@amit-thapa

amit-thapa commented Nov 18, 2024

https://www.docuseal.com/docs/convert-legacy-p12-pfx-files-to-support-openssl-3

As already mentioned in one of the comments, use this link https://www.docuseal.com/docs/convert-legacy-p12-pfx-files-to-support-openssl-3 to convert your current p12 file to support OpenSSL 3. I used git bash to get the commands working as it already has OpenSSL installed in it. This conversion did work for me and I am no longer getting that same error.
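
The triage and re-encryption discussed in the comments above, as an added example that is not part of the thread and is not taken from the linked guide. It assumes `openssl` on `PATH` is OpenSSL 3.x; the function names and the `P12_PASS` variable are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: triage and re-encryption helpers for a legacy PKCS#12 file.
# Function names and the P12_PASS variable are assumptions, not task inputs.

# Error line copied from the log in this issue.
SAMPLE_LOG='40CBBC50F87F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()'

# Read openssl stderr on stdin and print the algorithm the default provider
# refused to fetch (prints nothing if there is no such error).
unsupported_algorithm() {
  sed -n 's/.*inner_evp_generic_fetch:unsupported:.*Algorithm (\([^ :)]*\) *:.*/\1/p' | head -n 1
}

# Succeed if the named cipher is only available from OpenSSL 3's legacy
# provider, meaning the container itself is what needs re-encrypting.
is_legacy_cipher() {
  case "$1" in
    RC2-*|RC4*|DES-CBC|BF-*|CAST5-*|IDEA-*|SEED-*) return 0 ;;
    *) return 1 ;;
  esac
}

# Re-encrypt OLD.p12 into NEW.p12 with the OpenSSL 3 export defaults.
# The password is read from the exported $P12_PASS (env:), so it never
# appears in argv, and the decrypted key travels through a pipe rather
# than a temporary file on disk.
reencrypt_p12() {
  old=$1 new=$2
  : "${P12_PASS:?export P12_PASS first}"
  ( umask 077
    openssl pkcs12 -legacy -in "$old" -passin env:P12_PASS -nodes |
      openssl pkcs12 -export -out "$new" -passout env:P12_PASS )
}

# Demo on the sample line from the issue.
alg=$(printf '%s\n' "$SAMPLE_LOG" | unsupported_algorithm)
if is_legacy_cipher "$alg"; then
  echo "legacy cipher $alg: re-export the .p12 with reencrypt_p12"
fi
```

Call `reencrypt_p12 old.p12 new.p12` after `export P12_PASS=...`; the `-legacy` flag is only needed to read the old file, not the re-exported one.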

@amit-thapa

amit-thapa commented Nov 18, 2024

> I have the same problem also with the image 20241106.316.
>
> /usr/local/bin/openssl pkcs12 -in /Users/runner/work/_temp/Certificate.p12 -nokeys -passin pass:xxxxxx | /usr/local/bin/openssl x509 -sha1 -noout -fingerprint -subject -dates -nameopt utf8,sep_semi_plus_space
> Error outputting keys and certificates
> 40FB9549F87F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:355:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()
> Could not find certificate from <stdin>
> ##[warning]Error parsing certificate. This might be caused by an unsupported algorithm. If you're using old certificate with a new OpenSSL version try to set -legacy flag in opensslPkcsArgs input.
> ##[error]Error: /usr/local/bin/openssl failed with return code: 1
> Finishing: Install cert
>
> Image 20241022.244 runs fine for me, but how to set the image version as a demand?
>
> Edit: I converted the certificate with the link provided and now everything runs fine. @amit-thapa I used just the terminal on my mac, on windows I would try the git bash
>
> Edit again: While the new certificate is running fine with image version 20241106.316, it fails with image version 20241022.244. There is something really rotten.

@sven-s That is weird, I did a re-run of the pipelines after the conversion a couple of times this morning and it used macos-15 20241022.244 both times and it ran fine both times. I have a different issue now but not related to that one. I also removed the following lines below

opensslPkcsArgs: -legacy

But I do agree there are lots of inconsistencies and errors throughout macos-15 runner. I have this error now #10686 (comment)

@gabsamples6

Hi
Is there any news of a fix? None of the workarounds work for me.
Thanks

erik-bershel added the labels "bug" (Something isn't working) and "Area: Common Tools" on Nov 19, 2024
@erik-bershel
Contributor

Hey there! Heads up! 👋

Unfortunately, an unpleasant situation arose where we could not create the image for technical reasons 😞, but now it is fixed. 🥳 The fix will be delivered in the next release cycle, approximately by Wednesday. Currently, about two-fifths of all macos-15 ADO agents contain OpenSSL@3, which causes the error. The remaining agents are not affected by the problem because they contain the outdated but expected by tasks [email protected].
