Sentry-cli: SSL Error Github Actions

Created on 22 Feb 2020 · 19 Comments · Source: getsentry/sentry-cli

```
Error: Command failed: /app/node_modules/@sentry/cli/sentry-cli releases new xxxxxxxxx
error: API request failed
  caused by: [60] SSL peer certificate or SSH remote key was not OK
```

Where do I start on this? Is it an SSL verification issue?

All 19 comments

You should get a more verbose log with the --log-level=DEBUG flag.

I cannot set that since it's the webpack plugin calling sentry-cli underneath the hood.

I do have debug: true on the webpack plugin though, also tried SENTRY_LOG_LEVEL="DEBUG"... both of which didn't seem to expand on this error.

If it helps, my feeling is this is a combination of not configuring the github action correctly + not being able to turn off the SSL verification python requests package (which shouldn't be needed but would probably get me past this issue)

...I've also tried setting REQUESTS_CA_BUNDLE="" which is documented in the python package to possibly be a way of bypassing SSL verification... no dice :(

@chaffeqa you can see the exact command called by the webpack plugin, so you can easily call it yourself to get direct output

```
./app/node_modules/@sentry/cli/sentry-cli releases new xxxxxxxxx --log-level=DEBUG
```

(you can also find the binary under ./node_modules/.bin/sentry-cli)

Correct, I can see that in the output, but once again this is being called via https://github.com/getsentry/sentry-webpack-plugin which means I do not have access to modify that call.

Regardless of turning on debug logging, do you know where I should go (which repository) to solve this issue?

FYI I'm going to dive into the internals of https://github.com/getsentry/sentry-webpack-plugin and see if I can trick it to pass through the log-level option (since it seems like the debug option there doesn't seem to trigger calling sentry-cli with log-level=DEBUG)

Webpack plugin won't give you any more data than the sentry-cli itself will. We need to see the debug output of the CLI, as it'll most likely explain what's wrong with the SSL certificate. Thus you can skip the webpack plugin for now.

Correct, but the webpack plugin is the one that invokes sentry-cli (and passes options) so in order to get more info on this I need to trick it to call sentry-cli with SENTRY_LOG_LEVEL=DEBUG

Actually it looks like I may be able to use the properties file to turn on debugging. Going to try that (since sentry-webpack passes that to the cli supposedly)

Yea so while I'm waiting to see if the properties file will work, I dove into the internals to see how options are passed from webpack to sentry-cli (javascript wrapper) and eventually to the rust binary (as cmd line options).

Apart from the schema whitelisted options for releases, it looks like the only way to pass options is via environment variables, of which only PROPERTIES_FILE seems to be allowed/passed.

I think adding additional options would be pretty crummy for extendability (maybe JUST the debug option flipping SENTRY_LOG_LEVEL=debug would be nice?)... so it may be worthwhile, but if the properties file works, then maybe just documenting that as the "correct" approach to providing command line options to sentry-cli under the hood so to speak...

NICE! the properties file worked!

I specified:

```
[defaults]
project=<redacted>
org=<redacted>
[auth]
token=<redacted>
[log]
level=debug
[http]
verify_ssl=false
```

Which not only turned on the debug log level for sentry-cli but the verify_ssl option seemed to fix the SSL error I was having.

I'm going to remove that and see if the debug output catches the original SSL error and pass that on to you.
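An added example, not part of the original thread or of sentry-cli: a CI check that parses a `.sentryclirc` like the one in the comment above and reports `verify_ssl` being switched off or a token committed in the file, so the workaround does not stay in the pipeline unnoticed. The function name, the set of false-like spellings and the sample files are assumptions constructed for illustration; `SENTRY_AUTH_TOKEN` is sentry-cli's environment variable for the token.

```python
import configparser
import sys

# Assumption: spellings treated as "off"; sentry-cli's own parser may differ.
FALSY = {"false", "0", "no", "off"}

def audit_sentryclirc(text):
    """Return (setting, message) findings for the body of a .sentryclirc file."""
    cfg = configparser.ConfigParser(interpolation=None)  # tokens may contain '%'
    try:
        cfg.read_string(text)
    except configparser.Error as exc:
        return [("parse", f"could not parse file: {exc.__class__.__name__}")]
    findings = []
    verify = cfg.get("http", "verify_ssl", fallback="true").strip().lower()
    if verify in FALSY:
        findings.append(("http.verify_ssl",
                         "certificate verification is off; repair the runner's CA bundle instead"))
    if cfg.get("auth", "token", fallback="").strip():
        findings.append(("auth.token",
                         "token stored in the file; supply it as SENTRY_AUTH_TOKEN from CI secrets"))
    return findings

# Constructed samples (placeholder values, not taken from the thread).
WORKAROUND_RC = """\
[defaults]
project=example-project
org=example-org
[auth]
token=CONSTRUCTED-PLACEHOLDER
[log]
level=debug
[http]
verify_ssl=false
"""
CLEAN_RC = "[defaults]\nproject=example-project\norg=example-org\n"

def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else WORKAROUND_RC
    findings = audit_sentryclirc(text)
    for setting, message in findings:
        print(f"{setting}: {message}")
    return 1 if findings else 0  # non-zero exit fails the CI step

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the path to the repository's `.sentryclirc` as the only argument; without an argument it audits the constructed sample.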

```
Error: Command failed: /app/node_modules/@sentry/cli/sentry-cli releases new 8b0b365431a9483bad90fae7f85c4e3731dfda98
INFO 2020-02-25 08:34:09.610539375 -05:00 Loaded config from /app/.sentryclirc
DEBUG 2020-02-25 08:34:09.610672477 -05:00 sentry-cli version: 1.49.0, platform: "linux", architecture: "x86_64"
INFO 2020-02-25 08:34:09.610689078 -05:00 sentry-cli was invoked with the following command line: "/app/node_modules/@sentry/cli/sentry-cli" "releases" "new" "8b0b365431a9483bad90fae7f85c4e3731dfda98"
DEBUG 2020-02-25 08:34:09.622086406 -05:00 request POST https://sentry.io/api/0/projects///releases/
DEBUG 2020-02-25 08:34:09.622117907 -05:00 using token authentication
DEBUG 2020-02-25 08:34:09.622547515 -05:00 json body: {"version":"8b0b365431a9483bad90fae7f85c4e3731dfda98","projects":[""],"dateStarted":"2020-02-25T13:34:09.621982604Z"}
DEBUG 2020-02-25 08:34:09.622567416 -05:00 retry number 0, max retries: 0
DEBUG 2020-02-25 08:34:09.809552161 -05:00 error: running update nagger
DEBUG 2020-02-25 08:34:09.809589062 -05:00 skipping update nagger because session is not attended
error: API request failed
caused by: [60] SSL peer certificate or SSH remote key was not OK
DEBUG 2020-02-25 08:34:09.813171234 -05:00 client close; no transport to shut down (from sentry)

at ChildProcess.exithandler (child_process.js:303:12)
at ChildProcess.emit (events.js:311:20)
at maybeClose (internal/child_process.js:1021:16)
at Process.ChildProcess._handle.onexit (internal/child_process.js:286:5) {

killed: false,
code: 1,
signal: null,
cmd: '/app/node_modules/@sentry/cli/sentry-cli releases new 8b0b365431a9483bad90fae7f85c4e3731dfda98'
}
```

☝️ that is with http.no_verify=true ... clearly not very useful 😞 however I was doubting it would be that useful since this is a network protocol specific issue. I wonder if github actions needs to have CA certs updated or something... open to suggestions, but at least I have a reproducible case (and workaround using http.no_verify=false)

You can also try to set the CURLOPT_VERBOSE=1 env variable to get more direct output from the curl library.
Also, make sure that you are using the correct Sentry token that has the required permissions. More details on it here - https://blog.sentry.io/2019/12/17/using-github-actions-to-create-sentry-releases

ah so it IS using curl under the hood! I was wondering if that was so!

I'll try that out, FYI the auth token has all the valid permissions, and is working fine as long as SSL verification is ignored.

Closing the issue, as it seems like the original issue has been partially resolved or there is a working solution. Please do not hesitate to ping me if it is still relevant, and I will happily reopen and work on it.
Cheers!

Hi! We have the same error message when running sentry-cli in Google Cloud Build to upload source maps.

@fallard84 did you try this approach? https://github.com/getsentry/sentry-cli/issues/666#issuecomment-590866616
If not, then can you provide some debug log (mentioned in the comments above)?

The issue was that curl was not available for sentry-cli to use. The error could be more explicit I guess :) We installed curl and the issue was resolved.

@fallard84 that's odd, as we use statically linked curl, which is bundled with rust crate we use. Is this the newest cli version? If so, what was the environment?

Hello, so is this a known issue with the new version of the client?

I am using the cli in a bitbucket pipeline for months now and today this happened. I do not want to set the verify_ssl value to false because even in the doc I read about being very careful with this option (it makes sense). Curl should be available in my environment, as I am running in a docker container and the image I am using is using curl... It's very weird

> Hello, so is this a known issue with the new version of the client?

Not that I know of. Wasn't able to reproduce it so far.
