Skip to content

MINOR: Fix SSL certificate verification failure in system test worker provisioning #21431

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
tirthooo7 wants to merge 3 commits into
base: trunk
Choose a base branch
from
Open

MINOR: Fix SSL certificate verification failure in system test worker provisioning #21431

tirthooo7 wants to merge 3 commits into from
+2 −1

Conversation

@tirthooo7
Copy link
Contributor

@tirthooo7 tirthooo7 commented Feb 9, 2026
edited by github-actions bot
Loading

Description

Summary

Update CA certificates on Ubuntu 14.04 Vagrant workers to fix SSL
certificate verification failures when cloning the kibosh repository
during system test setup.

Problem

Starting around February 7-9, 2026, system tests using Vagrant workers
began failing during worker provisioning with the following error:

fatal: unable to access 'https://github.com/confluentinc/kibosh.git/':
server certificate verification failed. CAfile:
/etc/ssl/certs/ca-certificates.crt CRLfile: none

Root Cause: The Vagrant workers use Ubuntu 14.04 (Trusty), which
reached
end-of-life in April 2019. The CA certificate bundle on these workers is
outdated
and does not include the certificate authorities needed to verify
GitHub's current
SSL certificate chain. GitHub (or their CA provider) rotated
certificates, causing
the verification to fail on systems with older CA bundles.

Key observations:

Solution

Refresh the CA certificate store during worker provisioning by:

  1. Installing/updating the ca-certificates package
  2. Running update-ca-certificates --fresh to rebuild the certificate
    store

This ensures workers have an updated certificate store that can verify
GitHub's SSL certificate chain.

Changes

File: vagrant/base.sh

Before:

apt-get update -y && apt-get install -y git cmake pkg-config libfuse-dev

After:

apt-get update -y && apt-get install -y git cmake pkg-config libfuse-dev
ca-certificates
update-ca-certificates --fresh

Testing

System-test-Kafka-Branch-Builder - 21/21 tests passed

  • Test:
    tests/kafkatest/tests/client/client_compatibility_produce_consume_test.py
  • Report: Test
    Results

Notes

  • This fix adds minimal code change.
  • Long-term, upgrading the worker AMI from Ubuntu 14.04 to a supported
    LTS version
    (e.g., Ubuntu 22.04) would eliminate this class of issues permanently
  • The ca-certificates package in Ubuntu 14.04 repos is dated 2017, but
    running
    update-ca-certificates --fresh rebuilds the store with all available
    certificates

@github-actions github-actions bot added triage PRs from the community tools small Small PRs labels Feb 9, 2026
@tirthooo7 tirthooo7 marked this pull request as ready for review February 9, 2026 12:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@omkreddy omkreddy omkreddy approved these changes

Assignees

No one assigned

Labels

small Small PRs tools triage PRs from the community

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tirthooo7 @omkreddy