wallix / awless

A Mighty CLI for AWS
http://awless.io/
Apache License 2.0

Installer broken - SSL Certificate for https://updates.awless.io expired 2 days ago #278

Open HariSekhon opened 4 years ago

HariSekhon commented 4 years ago

Hi,

AWLess installer is broken due to SSL certificate expiry for the address https://updates.awless.io.

```
check_ssl_cert.pl --host updates.awless.io
CRITICAL: Certificate EXPIRED 2 days ago for 'updates.awless.io'. Expiry Date: 'Jan 18 12:00:00 2020 GMT'
```

(This program is from my GitHub Nagios plugins repo; I used to use it to monitor all my production domains.)

In the installer it fails here trying to get the latest version:

```
curl -s https://raw.githubusercontent.com/wallix/awless/master/getawless.sh  | bash -x
+set -e
++uname -m
+ARCH_UNAME=x86_64
+[[ x86_64 == \x\8\6\_\6\4 ]]
+ARCH=amd64
+EXT=tar.gz
+[[ linux-gnu == \l\i\n\u\x\-\g\n\u ]]
+OS=linux
++curl -fs https://updates.awless.io
++grep -oE 'v[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}'
+LATEST_VERSION=
```

because it is doing this:

```
curl -ivvfs https://updates.awless.io
* Rebuilt URL to: https://updates.awless.io/
* Hostname was NOT found in DNS cache
*   Trying 52.215.59.160...
* Connected to updates.awless.io (52.215.59.160) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: certificate has expired
* Closing connection 0
```

karl-tpio commented 4 years ago

Ha, just came here to post this as well.

Temporary workaround is to download the script and add the --insecure flag to the curl call that fetches the version or set the LATEST_VERSION variable explicitly.

HariSekhon commented 4 years ago

Working around in person is easy enough, but this is breaking my CI builds and I don't want to put hacks into the build code just for a temporary issue, so am waiting for the SSL cert to get replaced.

karl-tpio commented 4 years ago

It looks like this (fantastic!) tool has been more or less abandoned. :(. I hope all is well with the author and that nothing more serious than burnout is behind the lack of updates.

I've removed awless from the places that it was used, but figured that I should post back here to provide a bit more robust "resolution" for anybody else that lands here. The --insecure flag is not an ideal way to do things; it's better to use a URL that will stick around for a while...

You'll want to keep a copy of the installer script stored "offline" with the rest of your CI/CD build pipelines.

Replace

```
LATEST_VERSION=`curl -fs https://updates.awless.io | grep -oE "v[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}"`
```

with:

```
LATEST_VERSION=`curl -s https://api.github.com/repos/wallix/awless/releases/latest | grep -oP '"tag_name": "\K(.*)(?=")'`
```

Inspired by: https://gist.github.com/steinwaywhw/a4cd19cda655b8249d908261a62687f8#gistcomment-2632806
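
An added example, not part of this thread or of awless's own installer: one way to resolve the version so that a failed TLS fetch or a malformed tag stops the install instead of leaving `LATEST_VERSION` empty, without resorting to `--insecure`. The function names and the `AWLESS_VERSION` pin variable are assumptions made for illustration, and the sample response is constructed.

```shell
#!/bin/sh
# Added example, not part of getawless.sh: resolve the version with TLS
# verification left on, and refuse an empty or malformed value.
NL='
'
# Accept only a single-line vMAJOR.MINOR.PATCH tag. The dots are escaped and
# the pattern anchored, so "v1x2y3" (which the installer's regex matches) fails.
valid_tag() {
  case $1 in *"$NL"*) return 1 ;; esac
  printf '%s\n' "$1" | grep -qE '^v[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'
}

# Read a GitHub releases/latest JSON document on stdin and print its tag.
# Returns 1 (with a message on stderr) if the tag is missing or invalid.
parse_latest_tag() {
  tag=$(sed -n 's/.*"tag_name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1)
  if valid_tag "$tag"; then
    printf '%s\n' "$tag"
  else
    echo "refusing version string: '$tag'" >&2
    return 1
  fi
}

# AWLESS_VERSION is an assumed variable name for a pinned version; when it is
# unset, query the API endpoint quoted above over verified HTTPS only.
resolve_version() {
  if [ -n "${AWLESS_VERSION:-}" ]; then
    valid_tag "$AWLESS_VERSION" && printf '%s\n' "$AWLESS_VERSION"
    return
  fi
  curl -fsS --proto '=https' --tlsv1.2 \
    https://api.github.com/repos/wallix/awless/releases/latest | parse_latest_tag
}

# Constructed sample response (not real API output).
SAMPLE_OK='{
  "url": "https://api.example.invalid/releases/1",
  "tag_name": "v9.9.9",
  "name": "constructed release"
}'

printf '%s\n' "$SAMPLE_OK" | parse_latest_tag    # accepted
# An empty body is what the installer got when the TLS handshake failed.
printf '' | parse_latest_tag || echo "aborting: no usable version" >&2
```

Pinning the version in CI avoids the network lookup entirely; the API path runs only when no pin is set.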

jnankin commented 4 years ago

came here to say this ^^

simcap commented 4 years ago

Unfortunately, awless has not had any support for a long time now (a few years) so the latest version you installed will be the latest.

Awless silently checks for a new version on each run of a command. Although I think it does not spit out any errors if there are any issues while verifying an upgrade, you can still set the config key upgrade.checkfrequency to 0 in your config and awless will not ping updates.awless.io

So long!

simcap commented 4 years ago

To be clearer, if the auto update breaks anything (CI, etc.) set the key upgrade.checkfrequency of the awless config to be 0, and it will not check anything automatically anymore.