CPAN::Reporter fails to send through Metabase with new LWP 6
I tweeted something last night knowing full well that few people see my tweets and most of those that do aren't programmers. So I decided to post here in case anyone else experienced the same problem.
I installed the new LWP (v6) last night via cpan.
The next time I tried to install a module my cpan client barfed red errors (see below).
CPAN::Reporter was erroring when trying to send test results via Metabase.
I updated all SSL modules (cpan> upgrade /SSL/) and installed Mozilla::CA
as suggested in the LWP Changes
(and a tweet by miyagawa).
No luck.
I noticed something else in the LWP Changes file:
For https://... default to verified connections with require IO::Socket::SSL
and Mozilla::CA modules to be installed. Old behaviour can be requested by
setting the PERL_LWP_SSL_VERIFY_HOSTNAME environment variable to 0. The
LWP::UserAgent got new ssl_opts method to control this as well.
so I added this to my .bashrc and all is well again:
alias cpan='env PERL_LWP_SSL_VERIFY_HOSTNAME=0 cpan'
Not exactly a solution, but I'm ok with it for now.
(of course elsewhere in my .bashrc I have
alias sudo='sudo '
so that when I do sudo cpan it expands aliases.
So is this a module problem or is it a problem with cpantesters' certificate?
Here are the errors I saw in case anyone is interested (after installing LWP 6 I tried to reinstall the old 5.837 before I found a fix for the problem):
CPAN::Reporter: Test result is 'pass', All tests successful.
CPAN::Reporter: preparing a CPAN Testers report for libwww-perl-5.837
CPAN::Reporter: sending test report with 'pass' via Metabase
CPAN::Reporter: Test::Reporter: error from 'Test::Reporter::Transport::Metabase:'
fact submission failed: Can't connect to metabase.cpantesters.org:443 (certificate verify failed) at /usr/local/share/perl/5.10.1/Metabase/Client/Simple.pm line 111
Metabase::Client::Simple::submit_fact('Metabase::Client::Simple=HASH(0x94572a8)', 'CPAN::Testers::Report=HASH(0xa4d2778)') called at /usr/local/share/perl/5.10.1/Test/Reporter/Transport/Metabase.pm line 132
Test::Reporter::Transport::Metabase::send('Test::Reporter::Transport::Metabase=HASH(0xa332920)', 'Test::Reporter=HASH(0x9eb3ce8)') called at /usr/local/share/perl/5.10.1/Test/Reporter.pm line 279
eval {...} called at /usr/local/share/perl/5.10.1/Test/Reporter.pm line 279
Test::Reporter::send('Test::Reporter=HASH(0x9eb3ce8)') called at /usr/local/share/perl/5.10.1/CPAN/Reporter.pm line 503
CPAN::Reporter::_dispatch_report('HASH(0x9ec5c70)') called at /usr/local/share/perl/5.10.1/CPAN/Reporter.pm line 117
CPAN::Reporter::grade_test('CPAN::Distribution=HASH(0x9153068)', '/usr/bin/make test', 'ARRAY(0x9f08748)', 0) called at /usr/local/share/perl/5.10.1/CPAN/Reporter.pm line 223
CPAN::Reporter::test('CPAN::Distribution=HASH(0x9153068)', '/usr/bin/make test') called at /usr/local/share/perl/5.10.1/CPAN/Distribution.pm line 3242
CPAN::Distribution::test('CPAN::Distribution=HASH(0x9153068)') called at /usr/local/share/perl/5.10.1/CPAN/Distribution.pm line 3464
CPAN::Distribution::install('CPAN::Distribution=HASH(0x9153068)') called at /usr/local/share/perl/5.10.1/CPAN/Shell.pm line 1796
CPAN::Shell::rematein('CPAN::Shell', 'install', 'GAAS/libwww-perl-5.837.tar.gz') called at /usr/local/share/perl/5.10.1/CPAN/Shell.pm line 1976
CPAN::Shell::__ANON__('CPAN::Shell', 'GAAS/libwww-perl-5.837.tar.gz') called at /usr/local/share/perl/5.10.1/App/Cpan.pm line 459
App::Cpan::__ANON__('GAAS/libwww-perl-5.837.tar.gz') called at /usr/local/share/perl/5.10.1/App/Cpan.pm line 468
App::Cpan::_default('ARRAY(0x857d800)', 'HASH(0x8d68a58)') called at /usr/local/share/perl/5.10.1/App/Cpan.pm line 386
App::Cpan::run('App::Cpan', 'GAAS/libwww-perl-5.837.tar.gz') called at /usr/local/bin/cpan line 11
perl -C -E 'say"i \x{2764} ",($^X =~ m#([^/]+)$#)'
whoa... what is with the colors?
Oh boy, here we go with "security through pain-in-the-ass." To be super-safe, LWP should insist that all modules have permission 0600, have appropriate checksums, etc. Thanks for the warning.
This is because metabase.cpantesters.org was not issued by a CA in Mozilla::CA. It looks like it is self-signed to me. This is unfortunate, but I am very happy to see that libwww-perl is finally verifying SSL certificates by default; this brings it in line with standard web browser behavior.
Another alternative is to download the certificate for the site (pasting it into a file named cpantesters.pem should do) and then point LWP::UserAgent at it with one of the environment variables like PERLLWPSSLCAFILE. That will only work for that one site though. It's not as general as your solution.
You can save the certificate in chrome by exporting it. I imagine you can do the same with firefox.
My solution that I have in place on personal machines is to subclass Test::Reporter::Transport::Metabase and Metabase::Client::Simple to set the SSLcafile to be the X509 file with the certificate of metabase.cpantesters.org. I posted this hypothetical distribution has a gist at https://gist.github.com/867743 (I couldn't puts paths in the file names, so I added a MANIFEST file to the gist).
I forgot to mention in my post above that I also edited my ~/.cpanreporter/config.ini file's transport line to be:
transport = Metabase::CPANTesters id_file ~/.cpanreporter/dougdude.json
Since my subclasses specifically provide the metabase.cpantesters.org certificate, I felt I should make them default the uri to correspond.