I'm currently using bb-clientd with some short-lived certificates and it seems as if the logic to refresh them isn't working correctly. So far, I've worked around this by making bb-clientd restart whenever the certificate files change, but it would be nice to have the built-in refresh support work properly.

I'm configuring bb-clientd with something like this:

And I run Bazel builds with these flags (which means I'm using your patch to use bb-clientd for the output tree):

    --remote_executor=unix:/home/jmmv/.cache/bb_clientd/grpc
    --remote_instance_name=prod/experiment
    --remote_output_service=unix:/home/jmmv/.cache/bb_clientd/grpc
    --remote_output_service_output_path_prefix=/home/jmmv/bb_clientd/outputs
    --tls_certificate=/path/to/file
    --tls_client_certificate=/path/to/file
    --tls_client_key=/path/to/file

The TLS settings given to Bazel match exactly those given to bb-clientd above.

Here is the sequence of events to reproduce the issue:

1. Get new certificates.
2. Start bb-clientd.
3. Run a Bazel build and see it succeed.
4. Wait for certificate expiration.
5. Run the build again, which fails with:

    ERROR: Failed to query remote execution capabilities: UNAUTHENTICATED: Cannot validate TLS client certificate: x509: certificate has expired or is not yet valid: current time 2023-02-13T17:11:02Z is after 2023-02-13T17:06:10Z

6. Refresh certificate.
7. Run the build again right after, which fails with:

    ERROR: Failed to query remote execution capabilities: UNAUTHENTICATED: Cannot validate TLS client certificate: x509: certificate has expired or is not yet valid: current time 2023-02-13T17:11:02Z is after 2023-02-13T17:06:10Z

8. Wait for the refresh interval configured in bb-clientd:
9. Run the build again, which fails with a different message:

    ERROR: Failed to query remote execution capabilities: UNAUTHENTICATED: Backend "": Backend "prod": Cannot validate TLS client certificate: x509: certificate has expired or is not yet valid: current time 2023-02-13T17:11:22Z is after 2023-02-13T17:06:10Z

    At this point there is no way to get the build to work.

10. Restart bb-clientd (NOT Bazel).
11. Build succeeds again.

Hey @jmmv, good callout. Currently, gRPC Client connections have broken certificate rotation. I just documented the issue here: buildbarn/bb-storage#162. I am actively tracking this issue, and would like to resolve the issue once we gain proper support in grpc-go.