travis.rb: SSL error: could not verify peer

➤ travis report                                                     ~/project 1
System
Ruby:                     Ruby 1.9.3-p194
Operating System:         Ubuntu 13.10
RubyGems:                 RubyGems 1.8.23

CLI
Version:                  1.6.3
Plugins:                  none
Auto-Completion:          yes
Last Version Check:       2013-11-27 16:22:08 +0100

Session
API Endpoint:             https://api.travis-ci.org/
Logged In:                no
Verify SSL:               yes
Enterprise:               no

Endpoints
org:                      https://api.travis-ci.org/ (current)

Last Exception
An error occurred running `travis setup`:
    Travis::Client::Error: SSL error: could not verify peer
        from /var/lib/gems/1.9.1/gems/travis-1.6.3/lib/travis/client/session.rb:190:in `raw'
        from /var/lib/gems/1.9.1/gems/travis-1.6.3/lib/travis/client/session.rb:164:in `get_raw'
        from /var/lib/gems/1.9.1/gems/travis-1.6.3/lib/travis/client/session.rb:130:in `config'
        from /var/lib/gems/1.9.1/gems/travis-1.6.3/lib/travis/cli/api_command.rb:122:in `load_gh'
        from /var/lib/gems/1.9.1/gems/travis-1.6.3/lib/travis/cli/repo_command.rb:76:in `detect_api_endpoint'
        from /var/lib/gems/1.9.1/gems/travis-1.6.3/lib/travis/cli/repo_command.rb:19:in `setup'
        from /var/lib/gems/1.9.1/gems/travis-1.6.3/lib/travis/cli/command.rb:166:in `execute'
        from /var/lib/gems/1.9.1/gems/travis-1.6.3/lib/travis/cli.rb:58:in `run'
        from /var/lib/gems/1.9.1/gems/travis-1.6.3/bin/travis:19:in `<top (required)>'
        from /usr/local/bin/travis:23:in `load'
        from /usr/local/bin/travis:23:in `<main>'


For issues with the command line tool, please visit https://github.com/travis-ci/travis/issues.
For Travis CI in general, go to https://github.com/travis-ci/travis-ci/issues or email support@travis-ci.com.

Same goes for travis login

About this issue

  • State: closed
  • Created 11 years ago
  • Reactions: 2
  • Comments: 56 (15 by maintainers)

Most upvoted comments

Works using --adapter net-http option.

travis encrypt "FOO=6\\&a\\(5\\!1Ab\\\\" --adapter net-http

I managed to make travis encrypt work by changing the ruby library used to connect to the API:

travis encrypt "user:t0K3n" --add notifications.slack --adapter net-http

  • I cannot reproduce this error when using the default endpoint (https://api.travis-ci.org) and faraday adapter typhoeus.
  • I can reproduce this against Travis CI enterprise with faraday adapter typhoeus:

What happened

All travis commands against my Travis CI enterprise failed with error message SSL error: could not verify peer when using option --no-insecure.

$ bin/travis report -X --no-insecure --debug --debug-http --adapter typhoeus
** Loading "/Users/shawnzhu/.travis/config.yml"
System
Ruby:                     Ruby 2.4.0-p0
Operating System:         Mac OS X 10.12.4
RubyGems:                 RubyGems 2.6.8

CLI
Version:                  1.8.8
Plugins:                  "travis-build"
Auto-Completion:          yes
Last Version Check:       2017-03-09 16:43:12 -0500

Session
API Endpoint:             https://<travis-ci-enterprise>/api
** GET "users/"
I, [2017-03-09T16:43:18.661925 #57760]  INFO -- : get https://<travis-ci-enterprise>/api/users/
D, [2017-03-09T16:43:18.661989 #57760] DEBUG -- request: User-Agent: "Travis/1.8.8 (Mac OS X 10.12.4 like Darwin; Ruby 2.4.0-p0; RubyGems 2.6.8; command report) Faraday/0.11.0 Typhoeus/0.8.0"
Accept: "application/vnd.travis-ci.2+json"
Authorization: "token <this-is-not-a-valid-token>"
I, [2017-03-09T16:43:18.750319 #57760]  INFO -- Status: 0
D, [2017-03-09T16:43:18.750538 #57760] DEBUG -- response: 
**   took 0.089 seconds
Logged In:                SSL error: could not verify peer
Verify SSL:               yes
Enterprise:               yes

Endpoints
enterprise "default":     https://<travis-ci-enterprise>/api (access token, current)
org:                      https://api.travis-ci.org/ ()

For issues with the command line tool, please visit https://github.com/travis-ci/travis.rb/issues.
For Travis CI in general, go to https://github.com/travis-ci/travis-ci/issues or email support@travis-ci.com.
** Storing "/Users/shawnzhu/.travis/config.yml"

It works when using arg --adapter net-http.

Problem

The actual difference at the SSL/TLS layer when using different faraday adapters is the SSL options. When using the default adapter (i.e., typhoeus), it explicitly specifies CA certs in the travis CLI code: https://github.com/travis-ci/travis.rb/blob/c90b1434643c0b63209c7f5f03a749ff445c1501/lib/travis/client/session.rb#L20 while my Travis CI enterprise uses a cert not issued by the 3 CAs in /assets/cacerts.pem, which will fail all API requests sent by the Travis CI CLI.

Proposal

Empty SSL_OPTIONS when using the default faraday adapter. It won’t make it less secure but consistent with that in adapter net-http (which is the default adapter on Windows platforms).

If that’s ok, I’m happy to create a PR.
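
The failure mode described in the comment above, reproduced offline as an added example (not code from travis.rb or from any commenter): a server certificate issued by an internal CA is rejected by a trust store that holds only a fixed bundle of public CAs, and accepted once the internal CA is in the store. The CA names, the host name and the helpers `make_cert`, `verify_against` and `demo` are constructed for illustration.

```ruby
require "openssl"

# Build a certificate; self-signed when no issuer is given.
# All subjects and keys are constructed for this example.
def make_cert(subject, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  constraint = ca ? "CA:TRUE" : "CA:FALSE"
  cert.add_extension(ef.create_extension("basicConstraints", constraint, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
end

# Verify `leaf` against a trust store holding only `trusted_cas`.
# Returns [verified?, OpenSSL's reason string].
def verify_against(leaf, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca| store.add_cert(ca) }
  [store.verify(leaf), store.error_string]
end

def demo
  public_key = OpenSSL::PKey::RSA.new(2048)
  internal_key = OpenSSL::PKey::RSA.new(2048)
  server_key = OpenSSL::PKey::RSA.new(2048)
  public_ca = make_cert("/CN=Example Public CA", public_key, ca: true)
  internal_ca = make_cert("/CN=Example Internal CA", internal_key, ca: true)
  server = make_cert("/CN=travis.enterprise.example", server_key,
                     issuer: internal_ca, issuer_key: internal_key)
  {
    # Fixed bundle without the internal CA: the pinned-CA-file situation.
    pinned_bundle: verify_against(server, [public_ca]),
    # Store that also trusts the internal CA: verification stays on and passes.
    store_with_internal_ca: verify_against(server, [public_ca, internal_ca])
  }
end

demo.each { |name, (ok, reason)| puts "#{name}: verified=#{ok} (#{reason})" }
```

In both cases peer verification remains enabled; only the set of trusted issuers differs.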

gem install travis --pre should fix the issue