* Working behind a Palo Alto firewall/proxy
@ 2017-09-06 21:42 Greg Wilson-Lindberg
  2017-09-07  1:34 ` Andre McCurdy
From: Greg Wilson-Lindberg @ 2017-09-06 21:42 UTC
To: yocto

Hi List,

Does anybody have any experience trying to run Yocto behind a Palo Alto
firewall? The Palo Alto firewall basically works as a Man in the Middle
system; it hands out its own certificate to boxes behind it and then
decrypts and re-encrypts traffic going through it. The Palo Alto box is
supposed to act as a transparent Proxy.

I'm getting an error that the 'server certificate verification failed' about
an hour into a yocto build. The certificate that the Palo Alto box is
sending to my system is self-signed so will fail if checked for a valid root
CA, and also is not from whatever site is being downloaded from.

Any suggestions would be appreciated.

Greg Wilson-Lindberg
Sakura Finetek
310-783-5075

* Re: Working behind a Palo Alto firewall/proxy
  2017-09-06 21:42 Working behind a Palo Alto firewall/proxy Greg Wilson-Lindberg
@ 2017-09-07  1:34 ` Andre McCurdy
  2017-09-07 16:28   ` Greg Wilson-Lindberg
From: Andre McCurdy @ 2017-09-07 1:34 UTC
To: Greg Wilson-Lindberg; +Cc: yocto

On Wed, Sep 6, 2017 at 2:42 PM, Greg Wilson-Lindberg
<GWilson@sakuraus.com> wrote:
> Hi List,
>
> Does anybody have any experience trying to run Yocto behind a Palo Alto
> firewall? The Palo Alto firewall basically works as a Man in the Middle
> system; it hands out its own certificate to boxes behind it and then
> decrypts and re-encrypts traffic going through it. The Palo Alto box is
> supposed to act as a transparent Proxy.
>
> I'm getting an error that the 'server certificate verification failed' about
> an hour into a yocto build. The certificate that the Palo Alto box is
> sending to my system is self-signed so will fail if checked for a valid root
> CA, and also is not from whatever site is being downloaded from.

Which site is being downloaded from and at which point in the build
(i.e. which recipe and task)?

* Re: Working behind a Palo Alto firewall/proxy
  2017-09-07  1:34 ` Andre McCurdy
@ 2017-09-07 16:28   ` Greg Wilson-Lindberg
  2017-09-07 16:31     ` Mark Hatle
From: Greg Wilson-Lindberg @ 2017-09-07 16:28 UTC
To: Andre McCurdy; +Cc: yocto

Hi Andre,

Here is the complete error output:

ERROR: qtdeviceutilities-5.9.1+gitAUTOINC+48fb704e64-r0 do_fetch: Fetcher
failure: Fetch command export
DBUS_SESSION_BUS_ADDRESS="unix:abstract=/tmp/dbus-9ReQWXYEk1"; export
SSH_AUTH_SOCK="/run/user/1000/keyring-4PGABB/ssh"; export
PATH="/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/sysroots/x86_64-linux/usr/bin:/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/sysroots-uninative/x86_64-linux/usr/bin:/home/gwilson/Qt-5.9/Yocto-build-RPi3/sources/poky/scripts:/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/sysroots/x86_64-linux/usr/bin/arm-poky-linux-gnueabi:/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/sysroots/raspberrypi3/usr/bin/crossscripts:/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/sysroots/x86_64-linux/usr/sbin:/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/sysroots/x86_64-linux/usr/bin:/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/sysroots/x86_64-linux/sbin:/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/sysroots/x86_64-linux/bin:/home/gwilson/Qt-5.9/Yocto-build-RPi3/sources/poky/scripts:/home/gwilson/Qt-5.9/Yocto-build-RPi3/sources/poky/bitbake/bin:/home/gwilson/TEE:/home/gwilson/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/opt/microchip/xc32/v1.34/bin:/home/gwilson/RPi3/tools/arm-bcm2708/gcc-linaro-arm-linux-gnueabihf-raspbian-x64/bin";
export HOME="/home/gwilson"; LANG=C git -c core.fsyncobjectfiles=0 clone --bare
--mirror http://codereview.qt-project.org/qt/qtdeviceutilities
/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/../downloads/git2/codereview.qt-project.org.qt.qtdeviceutilities
--progress failed with exit code 128, output:
Cloning into bare repository
'/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/../downloads/git2/codereview.qt-project.org.qt.qtdeviceutilities'...
fatal: unable to access
'https://codereview.qt-project.org/qt/qtdeviceutilities/': server certificate
verification failed. CAfile:
/usr/share/ca-certificates/cert_Decryption-Certificate.pem CRLfile: none

ERROR: qtdeviceutilities-5.9.1+gitAUTOINC+48fb704e64-r0 do_fetch: Fetcher
failure for URL:
'git://codereview.qt-project.org/qt/qtdeviceutilities;nobranch=1;protocol=http'.
Unable to fetch URL from any source.
ERROR: qtdeviceutilities-5.9.1+gitAUTOINC+48fb704e64-r0 do_fetch: Function
failed: base_do_fetch
ERROR: Logfile of failure stored in:
/home/gwilson/Qt-5.9/Yocto-build-RPi3/build-raspberrypi3/tmp/work/cortexa7hf-neon-vfpv4-poky-linux-gnueabi/qtdeviceutilities/5.9.1+gitAUTOINC+48fb704e64-r0/temp/log.do_fetch.8128
ERROR: Task
(/home/gwilson/Qt-5.9/Yocto-build-RPi3/sources/meta-boot2qt/recipes-qt/qt5/qtdeviceutilities.bb:do_fetch)
failed with exit code '1'

So it looks like:

qtdeviceutilities-5.9.1+gitAUTOINC+48fb704e64-r0 do_fetch

is what's running.

* Re: Working behind a Palo Alto firewall/proxy
  2017-09-07 16:28   ` Greg Wilson-Lindberg
@ 2017-09-07 16:31     ` Mark Hatle
  2017-09-07 16:47       ` Greg Wilson-Lindberg
  2017-09-07 16:51       ` Khem Raj
From: Mark Hatle @ 2017-09-07 16:31 UTC
To: Greg Wilson-Lindberg, Andre McCurdy; +Cc: yocto

I've had a customer with a similar problem. The way they resolved it was to
download the certification from their proxy and add it to their system as a
known certificate.

Sorry I don't have any more details than that, but maybe that can spark someone
who knows the actual steps to be able to comment.

--Mark

* Re: Working behind a Palo Alto firewall/proxy
  2017-09-07 16:31     ` Mark Hatle
@ 2017-09-07 16:47       ` Greg Wilson-Lindberg
  2017-09-07 16:51       ` Khem Raj
From: Greg Wilson-Lindberg @ 2017-09-07 16:47 UTC
To: Mark Hatle, Andre McCurdy; +Cc: yocto

Hi Mark,

Unfortunately, in this case the certificate has already been added to the
system, necessary to get https working.

Greg

* Re: Working behind a Palo Alto firewall/proxy
  2017-09-07 16:31     ` Mark Hatle
  2017-09-07 16:47       ` Greg Wilson-Lindberg
@ 2017-09-07 16:51       ` Khem Raj
  2017-09-07 17:09         ` Greg Wilson-Lindberg
From: Khem Raj @ 2017-09-07 16:51 UTC
To: Mark Hatle; +Cc: yocto

You can try adding the following to ~/.gitconfig:

[http]
        sslverify = false

On Thu, Sep 7, 2017 at 9:31 AM, Mark Hatle <mark.hatle@windriver.com> wrote:
> I've had a customer with a similar problem. The way they resolved it was to
> download the certification from their proxy and add it to their system as a
> known certificate.
>
> Sorry I don't have any more details than that, but maybe that can spark someone
> who knows the actual steps to be able to comment.
>
> --Mark

* Re: Working behind a Palo Alto firewall/proxy
  2017-09-07 16:51       ` Khem Raj
@ 2017-09-07 17:09         ` Greg Wilson-Lindberg
From: Greg Wilson-Lindberg @ 2017-09-07 17:09 UTC
To: Khem Raj, Mark Hatle; +Cc: yocto

That did the trick,

Thanks,
Greg

> -----Original Message-----
> From: Khem Raj [mailto:raj.khem@gmail.com]
> Sent: Thursday, September 07, 2017 9:52 AM
> To: Mark Hatle <mark.hatle@windriver.com>
> Cc: Greg Wilson-Lindberg <GWilson@sakuraus.com>; Andre McCurdy
> <armccurdy@gmail.com>; yocto@yoctoproject.org
> Subject: Re: [yocto] Working behind a Palo Alto firewall/proxy
>
> You can try adding the following to ~/.gitconfig:
>
> [http]
>         sslverify = false
