bst-artifact-server misconfigured options

Summary

bst-artifact-server provides inconsistent errors based on the options provided.

I was trying to start a new push/pull server, I was under the impression that a push/pull server could be configured for users without and with push certificates.

However providing these arguments:

bst-artifact-server --port 1102 --server-key /etc/dehydrated/certs/cache.alvarezpiedehierro.com/server.key --server-cert /etc/dehydrated/certs/cache.alvarezpiedehierro.com/server.crt --client-certs /etc/dehydrated/certs/cache.alvarezpiedehierro.com/authorized.crt --enable-push /mnt/volume_ams3_01/repos/artifacts

Resulted in:

E0819 17:03:21.349444618    9095 ssl_transport_security.cc:1237] Handshake failed with fatal error SSL_ERROR_SSL: error:100000c0:SSL routines:OPENSSL_internal:PEER_DID_NOT_RETURN_A_CERTIFICATE.

Which made me think my SSL certificates were invalid.

I then tried to disable pushing and just use port 1101:

bst-artifact-server --port 1101 --server-key /etc/dehydrated/certs/cache.alvarezpiedehierro.com/server.key --server-cert /etc/dehydrated/certs/cache.alvarezpiedehierro.com/server.crt --client-certs /etc/dehydrated/certs/cache.alvarezpiedehierro.com/authorized.crt /mnt/volume_ams3_01/repos/artifacts

This also reported:

E0819 17:03:21.349444618    9095 ssl_transport_security.cc:1237] Handshake failed with fatal error SSL_ERROR_SSL: error:100000c0:SSL routines:OPENSSL_internal:PEER_DID_NOT_RETURN_A_CERTIFICATE.

After speaking with @tlater on IRC, he stated that error seems most likely due to the bst client not returning the push certificate the bst-artifact-server was expecting, which confused me as i had disables --enable-push ?

I then realised even though i had disabled push i was still passing --client-certs, which seems to still enable the server as a push/pull configuration?

I know this is a stupid error, however i did not realise you needed separate instances for push/pull.

Steps to reproduce

bst-artifact-server --port 1101 --server-key /etc/dehydrated/certs/cache.alvarezpiedehierro.com/server.key --server-cert /etc/dehydrated/certs/cache.alvarezpiedehierro.com/server.crt --client-certs /etc/dehydrated/certs/cache.alvarezpiedehierro.com/authorized.crt /mnt/volume_ams3_01/repos/artifacts

This should not create a push/pull server

What is the current bug behavior?

When the server is started without --enable-push but WITH --client-certs the server incorrectly starts as a push/pull server.

What is the expected correct behavior?

The should either start in a default pull server mode, or warn the users they are passing client certs to a server that isn't configured for pushing.

Relevant logs and/or screenshots

Possible fixes

Other relevant information

  • BuildStream version affected: /milestone %BuildStream_v1.x