* Working behind a Palo Alto firewall/proxy
@ 2017-09-06 21:42 Greg Wilson-Lindberg
  2017-09-07  1:34 ` Andre McCurdy
  0 siblings, 1 reply; 7+ messages in thread
From: Greg Wilson-Lindberg @ 2017-09-06 21:42 UTC (permalink / raw)
  To: yocto

Hi List,
Does anybody have any experience trying to run Yocto behind a Palo Alto firewall? The Palo Alto firewall basically works as a Man in the Middle system; it hands out its own certificate to boxes behind it and then decrypts and re-encrypts traffic going through it. The Palo Alto box is supposed to act as a transparent proxy.

I'm getting an error that the 'server certificate verification failed' about an hour into a Yocto build. The certificate that the Palo Alto box is sending to my system is self-signed so will fail if checked for a valid root CA, and also is not from whatever site is being downloaded from.

Any suggestions would be appreciated.

Greg Wilson-Lindberg
Sakura Finetek
310-783-5075


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Working behind a Palo Alto firewall/proxy
  2017-09-06 21:42 Working behind a Palo Alto firewall/proxy Greg Wilson-Lindberg
@ 2017-09-07  1:34 ` Andre McCurdy
  2017-09-07 16:28   ` Greg Wilson-Lindberg
  0 siblings, 1 reply; 7+ messages in thread
From: Andre McCurdy @ 2017-09-07  1:34 UTC (permalink / raw)
  To: Greg Wilson-Lindberg; +Cc: yocto

On Wed, Sep 6, 2017 at 2:42 PM, Greg Wilson-Lindberg
<GWilson@sakuraus.com> wrote:
> Hi List,
>
> Does anybody have any experience trying to run Yocto behind a Palo Alto
> firewall. The Palo Alto firewall basically works as a Man in the Middle
> system, it hands out its own certificate to boxes behind it and then
> decrypts and re-encrypts traffic going through it. The Palo Alto box is
> supposed to act as a transparent Proxy.
>
> I'm getting an error that the 'server certificate verification failed' about
> an hour into a yocto build. The certificate that the Palo Alto box is
> sending to my system is self-signed so will fail if checked for a valid root
> CA, and also is not from whatever site is being downloaded from.

Which site is being downloaded from and at which point in the build
(i.e. which recipe and task)?


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Working behind a Palo Alto firewall/proxy
  2017-09-07  1:34 ` Andre McCurdy
@ 2017-09-07 16:28   ` Greg Wilson-Lindberg
  2017-09-07 16:31     ` Mark Hatle
  0 siblings, 1 reply; 7+ messages in thread
From: Greg Wilson-Lindberg @ 2017-09-07 16:28 UTC (permalink / raw)
  To: Andre McCurdy; +Cc: yocto

Hi Andre,


Here is the complete error output:

ERROR: qtdeviceutilities-5.9.1+gitAUTOINC+48fb704e64-r0 do_fetch: Fetcher failure: Fetch command export DBUS_SESSION_BUS_ADDRESS="unix:abstract=/tmp/dbus-9ReQWXYEk1"; export SSH_AUTH_SOCK="/run/user/1000/keyring-4PGABB/ssh"; export PATH="/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/sysroots/x86_64-linux/usr/bin:/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/sysroots-uninative/x86_64-linux/usr/bin:/home/gwilson/Qt-5.9/Yocto-build-RPi3/sources/poky/scripts:/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/sysroots/x86_64-linux/usr/bin/arm-poky-linux-gnueabi:/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/sysroots/raspberrypi3/usr/bin/crossscripts:/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/sysroots/x86_64-linux/usr/sbin:/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/sysroots/x86_64-linux/usr/bin:/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/sysroots/x86_64-linux/sbin:/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/sysroots/x86_64-linux/bin:/home/gwilson/Qt-5.9/Yocto-build-RPi3/sources/poky/scripts:/home/gwilson/Qt-5.9/Yocto-build-RPi3/sources/poky/bitbake/bin:/home/gwilson/TEE:/home/gwilson/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/microchip/xc32/v1.34/bin:/home/gwilson/RPi3/tools/arm-bcm2708/gcc-linaro-arm-linux-gnueabihf-raspbian-x64/bin"; export HOME="/home/gwilson"; LANG=C git -c core.fsyncobjectfiles=0 clone --bare --mirror http://codereview.qt-project.org/qt/qtdeviceutilities /home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/../downloads/git2/codereview.qt-project.org.qt.qtdeviceutilities --progress failed with exit code 128, output:
Cloning into bare repository '/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/../downloads/git2/codereview.qt-project.org.qt.qtdeviceutilities'...
fatal: unable to access 'https://codereview.qt-project.org/qt/qtdeviceutilities/': server certificate verification failed. CAfile: /usr/share/ca-certificates/cert_Decryption-Certificate.pem CRLfile: none

ERROR: qtdeviceutilities-5.9.1+gitAUTOINC+48fb704e64-r0 do_fetch: Fetcher failure for URL: 'git://codereview.qt-project.org/qt/qtdeviceutilities;nobranch=1;protocol=http'. Unable to fetch URL from any source.
ERROR: qtdeviceutilities-5.9.1+gitAUTOINC+48fb704e64-r0 do_fetch: Function failed: base_do_fetch
ERROR: Logfile of failure stored in: /home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/work/cortexa7hf-neon-vfpv4-poky-linux-gnueabi/qtdeviceutilities/5.9.1+gitAUTOINC+48fb704e64-r0/temp/log.do_fetch.8128
ERROR: Task (/home/gwilson/Qt-5.9/Yocto-build-RPi3/sources/meta-boot2qt/recipes-qt/qt5/qtdeviceutilities.bb:do_fetch) failed with exit code '1'

So it looks like:

qtdeviceutilities-5.9.1+gitAUTOINC+48fb704e64-r0 do_fetch

is what's running.




^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Working behind a Palo Alto firewall/proxy
  2017-09-07 16:28   ` Greg Wilson-Lindberg
@ 2017-09-07 16:31     ` Mark Hatle
  2017-09-07 16:47       ` Greg Wilson-Lindberg
  2017-09-07 16:51       ` Khem Raj
  0 siblings, 2 replies; 7+ messages in thread
From: Mark Hatle @ 2017-09-07 16:31 UTC (permalink / raw)
  To: Greg Wilson-Lindberg, Andre McCurdy; +Cc: yocto

I've had a customer with a similar problem.  The way they resolved it was to
download the certification from their proxy and add it to their system as a
known certificate.

Sorry I don't have any more details than that, but maybe that can spark someone
who knows the actual steps to be able to comment.

--Mark



^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Working behind a Palo Alto firewall/proxy
  2017-09-07 16:31     ` Mark Hatle
@ 2017-09-07 16:47       ` Greg Wilson-Lindberg
  2017-09-07 16:51       ` Khem Raj
  1 sibling, 0 replies; 7+ messages in thread
From: Greg Wilson-Lindberg @ 2017-09-07 16:47 UTC (permalink / raw)
  To: Mark Hatle, Andre McCurdy; +Cc: yocto

Hi Mark,


Unfortunately, in this case the certificate has already been added to the system, necessary to get https working.


Greg


^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Working behind a Palo Alto firewall/proxy
  2017-09-07 16:31     ` Mark Hatle
  2017-09-07 16:47       ` Greg Wilson-Lindberg
@ 2017-09-07 16:51       ` Khem Raj
  2017-09-07 17:09         ` Greg Wilson-Lindberg
  1 sibling, 1 reply; 7+ messages in thread
From: Khem Raj @ 2017-09-07 16:51 UTC (permalink / raw)
  To: Mark Hatle; +Cc: yocto

You can try adding the following to ~/.gitconfig:

[http]
        sslverify = false



^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Working behind a Palo Alto firewall/proxy
  2017-09-07 16:51       ` Khem Raj
@ 2017-09-07 17:09         ` Greg Wilson-Lindberg
  0 siblings, 0 replies; 7+ messages in thread
From: Greg Wilson-Lindberg @ 2017-09-07 17:09 UTC (permalink / raw)
  To: Khem Raj, Mark Hatle; +Cc: yocto

That did the trick,
Thanks,
Greg


^ permalink raw reply	[flat|nested] 7+ messages in thread
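
Added example, not written by anyone in this thread: the `[http] sslverify = false` setting that resolved the build applies to every HTTPS remote git talks to, not only the host behind the intercepting proxy, so this small audit reports where git's certificate verification is switched off and how wide the exception is. The gitconfig reader is simplified, and the second sample config, the CA bundle path in it and the function names are constructed for illustration.

```python
import re

# "[section]" or '[section "subsection"]', optionally followed by a setting.
SECTION_RE = re.compile(
    r'^\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]\s*(.*)$')
# Values git reads as boolean false (an empty "key =" is false as well).
FALSE_WORDS = {"false", "no", "off", "0", ""}

# The ~/.gitconfig fragment suggested in the thread.
THREAD_GITCONFIG = """\
[http]
        sslverify = false
"""

# Constructed alternative: trust a CA bundle (hypothetical path) everywhere and
# limit the verification exception to the one host from the error message.
SCOPED_GITCONFIG = """\
[http]
        # hypothetical path to a bundle that contains the proxy's CA
        sslCAInfo = /path/to/corporate-ca-bundle.pem
[http "https://codereview.qt-project.org/"]
        sslVerify = false
"""


def parse_gitconfig(text):
    """Yield (section, subsection, key, value) for each setting in a gitconfig."""
    section, subsection = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = SECTION_RE.match(line)
        if header:
            # Section and key names are case-insensitive; subsections are not.
            section, subsection = header.group(1).lower(), header.group(2)
            line = header.group(3).strip()
            if not line or line[0] in "#;":
                continue
        if section is None:
            continue
        key, sep, value = line.partition("=")
        # Drop an unquoted trailing comment, then surrounding quotes.
        value = re.split(r"\s[#;]", value, maxsplit=1)[0].strip().strip('"')
        # A bare key with no "=" is boolean true in git.
        yield section, subsection, key.strip().lower(), value if sep else "true"


def audit_tls(config_text, env=None):
    """Return (severity, setting, scope) for each place verification is off."""
    effective = {}  # subsection (None = every remote) -> last sslVerify value
    for section, subsection, key, value in parse_gitconfig(config_text):
        if section == "http" and key == "sslverify":
            effective[subsection] = value.lower()  # the last assignment wins
    findings = []
    for scope, value in effective.items():
        if value not in FALSE_WORDS:
            continue
        if scope is None:
            findings.append(("HIGH", "http.sslVerify", "all HTTPS remotes"))
        else:
            findings.append(("MEDIUM", f"http.{scope}.sslVerify", scope))
    # The GIT_SSL_NO_VERIFY environment variable disables verification too.
    if env and "GIT_SSL_NO_VERIFY" in env:
        findings.append(("HIGH", "GIT_SSL_NO_VERIFY", "all HTTPS remotes"))
    return findings


if __name__ == "__main__":
    samples = (("thread", THREAD_GITCONFIG), ("scoped", SCOPED_GITCONFIG))
    for name, text in samples:
        for severity, setting, scope in audit_tls(text):
            print(f"{name}: {severity} {setting} turns off verification for {scope}")
```
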

end of thread, other threads:[~2017-09-07 17:09 UTC | newest]
