raulcd commented on issue #49757: URL: https://github.com/apache/arrow/issues/49757#issuecomment-4253736909
After a lot of investigation and trying to understand what is going on I've found a fix and what I understand to be the issue. The same exact wheel on `ubuntu-verify-rc` is successful and the test takes seconds. On `almalinux-verify-rc` it takes ~26 minutes. The wheel is the same one with the same bundled dependencies, the host OS for the docker containers is the same, the difference glibc, system dependencies and base image. If I run the verification on almalinux specifying `SSL_CERT_FILE`: > `[root@54b59d8e7749 /]# SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt /arrow/dev/release/verify-release-candidate.sh 24.0.0 0` The test is successful in seconds (same as Ubuntu). The manylinux wheel bundles OpenSSL 3.6.0. On AlmaLinux 8, `/etc/ssl/certs/` contains only bundle files: ``` # ls /etc/ssl/certs/ ca-bundle.crt ca-bundle.trust.crt ``` On Ubuntu there's a bunch of certs on the same path and weird hash files (more on that below). From what I've been reading Openssl is built with `OPENSSLDIR=/etc/ssl` but it seems OpenSSL tries to do a file search based on look up by the CA subject name hash value. From what I understand we are hitting this bug: https://bugzilla.redhat.com/show_bug.cgi?id=1053882 Which also from what I understand was never ported to RHEL 8 (only RHEL 9 / AlmaLinux 9). It seems that running: ``` p11-kit extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose=server-auth /etc/ssl/certs/ ``` Also fixes the issue. @kou @pitrou any thoughts? Should we just run on the almalinux-verify-rc command? ``` p11-kit extract --format=pem-directory-hash --filter=ca-anchors --overwrite --purpose=server-auth /etc/ssl/certs/ ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
