Stream: IG creation
Topic: IG 1.1.43 errors
Elliot Silver (Nov 27 2020 at 23:31):
(This is carried over from https://chat.fhir.org/#narrow/stream/179166-implementers/topic/Validate.20against.20R5.20Preview.203/near/218135809).
The new release of the IG publisher seems to be throwing errors in the output. It doesn't affect a build completing though (perhaps because the resources are in my cache?).
Error connecting to build server - running without build (PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed)
Also, the new POST attempt <1> to url -> http://tx.fhir.org/r4/
messages are a little disconcerting -- I expect these are searches, but my first reaction was "why is it modifying anything on the terminology server‽"
Grahame Grieve (Nov 28 2020 at 04:32):
@Mark Iantorno it didn't take very long at all.
Grahame Grieve (Nov 28 2020 at 12:29):
@Josh Mandel this is actually because the certificate on build.fhir.org has expired. It's urgent to fix this ASAP. @Mark Iantorno can we work around this in the Java client?
Mark Iantorno (Nov 28 2020 at 12:31):
Let me take a look at it later today.
Grahame Grieve (Nov 28 2020 at 12:45):
it looks like it'll be my Monday morning before I can sort out an issue with a certificate replacement
Mark Iantorno (Nov 28 2020 at 13:01):
Looking into it right now, just needed to get out of bed
Mark Iantorno (Nov 28 2020 at 13:02):
let me see if I can do a workaround
Mark Iantorno (Nov 28 2020 at 13:03):
I will also remove the logging
Mark Iantorno (Nov 28 2020 at 13:03):
for the rest requests
Mark Iantorno (Nov 28 2020 at 14:02):
Alright, I think I have fixed the issue
Mark Iantorno (Nov 28 2020 at 14:02):
I'm just going to run the build pipelines and produce new releases for the core, then the publisher
Mark Iantorno (Nov 28 2020 at 14:02):
should take 2ish hours tops
Josh Mandel (Nov 28 2020 at 14:03):
I'm awake now. @Grahame Grieve do I remember correctly that we're using a wildcard certificate that you supplied? Do you have a replacement ready to substitute in?
Mark Iantorno (Nov 28 2020 at 14:04):
Well, I'll publish the releases anyway to get a working copy out to everyone (there were two other small issues that needed to be fixed anyway), and then on Monday I can roll back the change to blindly trust the build server
Josh Mandel (Nov 28 2020 at 14:05):
Oh, reading earlier in the thread I see that you don't have a new one available. We could probably issue a LetsEncrypt certificate before then... though there's no drop-in approach in the current infrastructure
Josh Mandel (Nov 28 2020 at 14:06):
and that would only work for the one domain where the web server is hosted. I'm not sure what other things are broken right now if any.
Mark Iantorno (Nov 28 2020 at 14:08):
if there are any other issues with the core or publisher, I can fix them for you. I have some temporary code in there that handles the expired cert
Mark Iantorno (Nov 28 2020 at 14:08):
I can just apply it to where we need
Josh Mandel (Nov 28 2020 at 14:10):
Or better: somebody who controls DNS for fhir.org actually can get a wildcard certificate for 90 days from LetsEncrypt -- https://www.goodmoneysense.com/creating-letsencrypt-free-wildcard-ssl-certificates-tutorial/ has a tutorial.
Josh Mandel (Nov 28 2020 at 14:10):
(I do not have access to the DNS for this domain.)
Mark Iantorno (Nov 28 2020 at 18:06):
Core has been changed to include a temporary fix for this, and published (5.2.4), IG Publisher is currently building with the new core fixes and should be public within 30 min (v1.1.44)
Mark Iantorno (Nov 28 2020 at 18:07):
@Elliot Silver once you see v1.1.44 go live, please test with that and let me know if you have any issues
Elliot Silver (Nov 28 2020 at 18:09):
Thanks all for looking at this. I’ll check it out and let you know.
Elliot Silver (Nov 28 2020 at 18:27):
It looks good. Thanks.
Jens Villadsen (Nov 30 2020 at 12:39):
all services that download IGs that are not published have a hard time getting around this ...
Jens Villadsen (Nov 30 2020 at 12:40):
Error loading "https://build.fhir.org/ig/..... / .... /package.tgz"
Jens Villadsen (Nov 30 2020 at 12:42):
@Wayne Kubick you're the CTO ... could you aggressively throw some TLC after this or find somebody who will?
Jens Villadsen (Nov 30 2020 at 12:44):
or perhaps @David Johnson ?
Lynn Laakso (Nov 30 2020 at 14:19):
@Bryn Evans
Wayne Kubick (Nov 30 2020 at 14:26):
The certificate has expired. Working on it.
Wayne Kubick (Nov 30 2020 at 16:50):
I've gotten a couple of other complaints today that certificate errors are still being generated - Jens and Keith Boone. What is the current status?
Jens Villadsen (Nov 30 2020 at 18:29):
it's still invalid
Jens Villadsen (Nov 30 2020 at 18:31):
@Wayne Kubick
Keith Boone (Nov 30 2020 at 18:33):
@Wayne Kubick I'm still getting certificate errors.
John Moehrke (Nov 30 2020 at 18:46):
still not working for me.
Grahame Grieve (Nov 30 2020 at 20:50):
I have a DNS problem that is preventing us from getting a new certificate
Jens Villadsen (Dec 02 2020 at 13:43):
that DNS problem seems persistent to me ... :sob: @Grahame Grieve
Grahame Grieve (Dec 02 2020 at 19:44):
should be fixed now
Grahame Grieve (Dec 02 2020 at 20:00):
you should hassle @Josh Mandel who's actually the one who applies the certificate on build.fhir.org
Josh Mandel (Dec 02 2020 at 21:11):
I still don't have a key to deploy; I'm working with Grahame to get this going.
Josh Mandel (Dec 02 2020 at 21:26):
Got it, and deployed!
Josh Mandel (Dec 02 2020 at 21:26):
Let me know if you hit any issues.
Grahame Grieve (Dec 02 2020 at 21:27):
@Mark Iantorno fyi
Mark Iantorno (Dec 02 2020 at 21:28):
:octopus:
Chris Moesel (Dec 09 2020 at 15:21):
It looks like https://packages.fhir.org/ is still using an expired certificate. Will that one be updated soon?
Gino Canessa (Dec 09 2020 at 16:43):
Chris Moesel said:
It looks like https://packages.fhir.org/ is still using an expired certificate. Will that one be updated soon?
@Ward Weistra , is that on your end?
Ward Weistra (Dec 09 2020 at 18:03):
I'll ask around. @Grahame Grieve @Mark Iantorno @Joshua Procious is this (certificate on packages.fhir.org) something you control?
Joshua Procious (Dec 09 2020 at 18:13):
This is not something we at HL7 HQ manage but I'm happy to help if I can.
Mark Iantorno (Dec 09 2020 at 18:37):
@Josh Mandel Do you manage the cert on this?
Grahame Grieve (Dec 09 2020 at 19:17):
@Ward Weistra yes I have the updated cert. Who on your side needs it?
Josh Mandel (Dec 09 2020 at 21:21):
@Josh Mandel Do you manage the cert on this?
No.
Ward Weistra (Dec 10 2020 at 12:16):
Grahame Grieve said:
Ward Weistra yes I have the updated cert. Who on your side needs it?
Please share it with @Martijn Harthoorn , seems we can do the updating.
Chris Moesel (Dec 16 2020 at 15:44):
Hey all. Any updates on this? It looks like https://packages.fhir.org is still using the expired certificate.
Ward Weistra (Dec 17 2020 at 13:15):
@Chris Moesel Took some back and forth, but it's installed now! Can you confirm?
cc @Gino Canessa
Chris Moesel (Dec 17 2020 at 13:35):
YES! Looks good! Thank you @Ward Weistra!
Gino Canessa (Dec 17 2020 at 16:23):
Works from here @Ward Weistra , thanks!
Last updated: Apr 12 2022 at 19:14 UTC