CPAN::Reporter fails to send through Metabase with new LWP 6

I tweeted something last night knowing full well that few people see my tweets and most of those that do aren't programmers. So I decided to post here in case anyone else experienced the same problem.

I installed the new LWP (v6) last night via cpan.

The next time I tried to install a module my cpan client barfed red errors (see below). CPAN::Reporter was erroring when trying to send test results via Metabase.

I updated all SSL modules (cpan> upgrade /SSL/) and installed Mozilla::CA as suggested in the LWP Changes (and a tweet by miyagawa).

No luck.

I noticed something else in the LWP Changes file:

For https://... default to verified connections with require IO::Socket::SSL
and Mozilla::CA modules to be installed.  Old behaviour can be requested by
setting the PERL_LWP_SSL_VERIFY_HOSTNAME environment variable to 0.  The
LWP::UserAgent got new ssl_opts method to control this as well.

so I added this to my .bashrc and all is well again:

alias cpan='env PERL_LWP_SSL_VERIFY_HOSTNAME=0 cpan'

Not exactly a solution, but I'm ok with it for now.

(of course elsewhere in my .bashrc I have

alias sudo='sudo '

so that when I do sudo cpan it expands aliases.

So is this a module problem or is it a problem with cpantesters' certificate?

Here are the errors I saw in case anyone is interested (after installing LWP 6 I tried to reinstall the old 5.837 before I found a fix for the problem):

CPAN::Reporter: Test result is 'pass', All tests successful.
CPAN::Reporter: preparing a CPAN Testers report for libwww-perl-5.837
CPAN::Reporter: sending test report with 'pass' via Metabase
CPAN::Reporter: Test::Reporter: error from 'Test::Reporter::Transport::Metabase:'
fact submission failed: Can't connect to (certificate verify failed) at /usr/local/share/perl/5.10.1/Metabase/Client/ line 111
        Metabase::Client::Simple::submit_fact('Metabase::Client::Simple=HASH(0x94572a8)', 'CPAN::Testers::Report=HASH(0xa4d2778)') called at /usr/local/share/perl/5.10.1/Test/Reporter/Transport/ line 132
        Test::Reporter::Transport::Metabase::send('Test::Reporter::Transport::Metabase=HASH(0xa332920)', 'Test::Reporter=HASH(0x9eb3ce8)') called at /usr/local/share/perl/5.10.1/Test/ line 279
        eval {...} called at /usr/local/share/perl/5.10.1/Test/ line 279
        Test::Reporter::send('Test::Reporter=HASH(0x9eb3ce8)') called at /usr/local/share/perl/5.10.1/CPAN/ line 503
        CPAN::Reporter::_dispatch_report('HASH(0x9ec5c70)') called at /usr/local/share/perl/5.10.1/CPAN/ line 117
        CPAN::Reporter::grade_test('CPAN::Distribution=HASH(0x9153068)', '/usr/bin/make test', 'ARRAY(0x9f08748)', 0) called at /usr/local/share/perl/5.10.1/CPAN/ line 223
        CPAN::Reporter::test('CPAN::Distribution=HASH(0x9153068)', '/usr/bin/make test') called at /usr/local/share/perl/5.10.1/CPAN/ line 3242
        CPAN::Distribution::test('CPAN::Distribution=HASH(0x9153068)') called at /usr/local/share/perl/5.10.1/CPAN/ line 3464
        CPAN::Distribution::install('CPAN::Distribution=HASH(0x9153068)') called at /usr/local/share/perl/5.10.1/CPAN/ line 1796
        CPAN::Shell::rematein('CPAN::Shell', 'install', 'GAAS/libwww-perl-5.837.tar.gz') called at /usr/local/share/perl/5.10.1/CPAN/ line 1976
        CPAN::Shell::__ANON__('CPAN::Shell', 'GAAS/libwww-perl-5.837.tar.gz') called at /usr/local/share/perl/5.10.1/App/ line 459
        App::Cpan::__ANON__('GAAS/libwww-perl-5.837.tar.gz') called at /usr/local/share/perl/5.10.1/App/ line 468
        App::Cpan::_default('ARRAY(0x857d800)', 'HASH(0x8d68a58)') called at /usr/local/share/perl/5.10.1/App/ line 386
        App::Cpan::run('App::Cpan', 'GAAS/libwww-perl-5.837.tar.gz') called at /usr/local/bin/cpan line 11


Oh boy, here we go with "security through pain-in-the-ass." To be super-safe, LWP should insist that all modules have permission 0600, have appropriate checksums, etc. Thanks for the warning.

This is because was not issued by a CA in Mozilla::CA. It looks like it is self-signed to me. This is unfortunate, but I am very happy to see that libwww-perl is finally verifying SSL certificates by default; this brings it in line with standard web browser behavior.

Another alternative is to download the certificate for the site (pasting it into a file named cpantesters.pem should do) and then point LWP::UserAgent at it with one of the environment variables like PERLLWPSSLCAFILE. That will only work for that one site though. It's not as general as your solution.

You can save the certificate in chrome by exporting it. I imagine you can do the same with firefox.

My solution that I have in place on personal machines is to subclass Test::Reporter::Transport::Metabase and Metabase::Client::Simple to set the SSLcafile to be the X509 file with the certificate of I posted this hypothetical distribution has a gist at (I couldn't puts paths in the file names, so I added a MANIFEST file to the gist).

I forgot to mention in my post above that I also edited my ~/.cpanreporter/config.ini file's transport line to be:

transport = Metabase::CPANTesters id_file ~/.cpanreporter/dougdude.json

Since my subclasses specifically provide the certificate, I felt I should make them default the uri to correspond.

Leave a comment

About Randy Stauner

user-pic perl -C -E 'say"i \x{2764} ",($^X =~ m#([^/]+)$#)'