`no-ssl-verify` for `grant-migrator-role` ?

[penguin02007]

Description

GHES 3.7.7 -> Github.com

I am trying to run grant-migrator-role but it is failing with the following error due to cert name mismatch on GHES.

There is no-ssl-verify option for migrate-repo and generate-script, should there be one for grant-migrator-role?

[06:49] [INFO] You are running the latest version of the gei CLI [v0.31]
[06:49] [INFO] Granting migrator role ...
[06:49] [INFO] GITHUB ORG: org1
[06:49] [INFO] ACTOR: actor1
[06:49] [INFO] ACTOR TYPE: USER
[06:49] [INFO] Actor type is valid...
[06:49] [INFO] GHES API URL: https://api.github.example.com
[06:49] [INFO] GITHUB PAT: ***
[06:49] [DEBUG] HTTP POST: https://api.github.example.com/graphql
[06:49] [DEBUG] HTTP BODY: {"query":"query($login: String!) {organization(login: $login) { login, id, name } }","variables":{"login":"org1"}}
[06:49] [DEBUG] Failed with HttpRequestException. Retrying...
[06:49] [DEBUG] HTTP POST: https://api.github.example.com/graphql
[06:49] [DEBUG] HTTP BODY: {"query":"query($login: String!) {organization(login: $login) { login, id, name } }","variables":{"login":"org1"}}
[06:49] [DEBUG] Failed with HttpRequestException. Retrying...
[06:50] [DEBUG] HTTP POST: https://api.github.example.com/graphql
[06:50] [DEBUG] HTTP BODY: {"query":"query($login: String!) {organization(login: $login) { login, id, name } }","variables":{"login":"org1"}}
[06:50] [DEBUG] Failed with HttpRequestException. Retrying...
[06:50] [DEBUG] HTTP POST: https://api.github.example.com/graphql
[06:50] [DEBUG] HTTP BODY: {"query":"query($login: String!) {organization(login: $login) { login, id, name } }","variables":{"login":"org1"}}
[06:50] [DEBUG] Failed with HttpRequestException. Retrying...
[06:50] [DEBUG] HTTP POST: https://api.github.example.com/graphql
[06:50] [DEBUG] HTTP BODY: {"query":"query($login: String!) {organization(login: $login) { login, id, name } }","variables":{"login":"org1"}}
[06:50] [DEBUG] Failed with HttpRequestException. Retrying...
[06:50] [DEBUG] HTTP POST: https://api.github.example.com/graphql
[06:50] [DEBUG] HTTP BODY: {"query":"query($login: String!) {organization(login: $login) { login, id, name } }","variables":{"login":"org1"}}
[06:50] [ERROR] OctoshiftCLI.OctoshiftCliException: Failed to lookup the Organization ID
 ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch
   at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken , ExceptionDispatchInfo )
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions )
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter , Boolean , Byte[] , Boolean )
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions , HttpRequestMessage , Boolean , Stream , CancellationToken )
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions , HttpRequestMessage , Boolean , Stream , CancellationToken )
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage , Boolean , CancellationToken )
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage , Boolean , CancellationToken )
   at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage )
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken )
   at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage , Boolean , CancellationToken )
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage , Boolean , Boolean , CancellationToken )
   at Microsoft.Extensions.Http.Logging.LoggingHttpMessageHandler.SendAsync(HttpRequestMessage , CancellationToken )
   at Microsoft.Extensions.Http.Logging.LoggingScopeHttpMessageHandler.SendAsync(HttpRequestMessage , CancellationToken )
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage , HttpCompletionOption , CancellationTokenSource , Boolean , CancellationTokenSource , CancellationToken )
   at OctoshiftCLI.GithubClient.SendAsync(HttpMethod httpMethod, String url, Object body, HttpStatusCode expectedStatus, Dictionary`2 customHeaders)
   at OctoshiftCLI.GithubClient.PostAsync(String url, Object body, Dictionary`2 customHeaders)
   at OctoshiftCLI.GithubApi.<>c__DisplayClass14_0.<<GetOrganizationId>b__0>d.MoveNext()
--- End of stack trace from previous location ---

Reproduction Steps

sudo gh gei grant-migrator-role \
--github-org org1  \
--actor actor1 \
--actor-type USER \
--github-target-pat 123 \
--ghes-api-url https://api.github.example.com \
--verbose

[timrogers]

@penguin02007 Thanks for reaching out! These seems like a very reasonable request.

We'll add it to our backlog - but you'd also be welcome to make a PR and contribute the change, if you wanted.

[penguin02007]

@timrogers ,

Sure. I was able to bypass and move forward with migrate-repo after logging in individually.

[bheemreddy181]

Seeing a similar issue , can some one help

[2023-05-31 23:43:04] [DEBUG] [HTTP ERROR ] System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch
   at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken , ExceptionDispatchInfo )
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions )
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter , Boolean , Byte[] , Boolean )
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions , HttpRequestMessage , Boolean , Stream , CancellationToken )
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions , HttpRequestMessage , Boolean , Stream , CancellationToken )
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage , Boolean , CancellationToken )
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage , Boolean , CancellationToken )
   at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage )
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken )
   at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage , Boolean , CancellationToken )
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage , Boolean , Boolean , CancellationToken )
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage , Boolean , CancellationToken )
   at Microsoft.Extensions.Http.Logging.LoggingHttpMessageHandler.<SendAsync>g__Core|5_0(HttpRequestMessage , CancellationToken )
   at Microsoft.Extensions.Http.Logging.LoggingScopeHttpMessageHandler.<SendAsync>g__Core|5_0(HttpRequestMessage , CancellationToken )
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage , HttpCompletionOption , CancellationTokenSource , Boolean , CancellationTokenSource , CancellationToken )
   at OctoshiftCLI.Services.GithubClient.SendAsync(HttpMethod httpMethod, String url, Object body, HttpStatusCode expectedStatus, Dictionary`2 customHeaders)
   at OctoshiftCLI.Services.GithubClient.PostAsync(String url, Object body, Dictionary`2 customHeaders)
   at OctoshiftCLI.Services.GithubClient.PostGraphQLAsync(String url, Object body, Dictionary`2 customHeaders)
   at OctoshiftCLI.Services.GithubApi.<>c__DisplayClass16_0.<<GetOrganizationId>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Polly.Retry.AsyncRetryEngine.ImplementationAsync[TResult](Func`3 action, Context context, CancellationToken cancellationToken, ExceptionPredicates shouldRetryExceptionPredicates, ResultPredicates`1 shouldRetryResultPredicates, Func`5 onRetryAsync, Int32 permittedRetryCount, IEnumerable`1 sleepDurationsEnumerable, Func`4 sleepDurationProvider, Boolean continueOnCapturedContext)
[2023-05-31 23:43:04] [DEBUG] Retrying...
[2023-05-31 23:43:08] [DEBUG] HTTP POST: https://api.github.com/graphql
[2023-05-31 23:43:08] [DEBUG] HTTP BODY: {"query":"query($login: String!) {organization(login: $login) { login, id, name } }","variables":{"login":"CuroFinTech"}}
[2023-05-31 23:43:13] [DEBUG] [HTTP ERROR ] System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch
   at System.Net.Security.SslStream.SendAuthResetSignal(ProtocolToken , ExceptionDispatchInfo )
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions )
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](TIOAdapter , Boolean , Byte[] , Boolean )
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions , HttpRequestMessage , Boolean , Stream , CancellationToken )
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions , HttpRequestMessage , Boolean , Stream , CancellationToken )
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage , Boolean , CancellationToken )
   at System.Net.Http.HttpConnectionPool.CreateHttp11ConnectionAsync(HttpRequestMessage , Boolean , CancellationToken )
   at System.Net.Http.HttpConnectionPool.AddHttp11ConnectionAsync(HttpRequestMessage )
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken )
   at System.Net.Http.HttpConnectionPool.GetHttp11ConnectionAsync(HttpRequestMessage , Boolean , CancellationToken )
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage , Boolean , Boolean , CancellationToken )
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage , Boolean , CancellationToken )
   at Microsoft.Extensions.Http.Logging.LoggingHttpMessageHandler.<SendAsync>g__Core|5_0(HttpRequestMessage , CancellationToken )
   at Microsoft.Extensions.Http.Logging.LoggingScopeHttpMessageHandler.<SendAsync>g__Core|5_0(HttpRequestMessage , CancellationToken )
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage , HttpCompletionOption , CancellationTokenSource , Boolean , CancellationTokenSource , CancellationToken )
   at OctoshiftCLI.Services.GithubClient.SendAsync(HttpMethod httpMethod, String url, Object body, HttpStatusCode expectedStatus, Dictionary`2 customHeaders)
   at OctoshiftCLI.Services.GithubClient.PostAsync(String url, Object body, Dictionary`2 customHeaders)
   at OctoshiftCLI.Services.GithubClient.PostGraphQLAsync(String url, Object body, Dictionary`2 customHeaders)
   at OctoshiftCLI.Services.GithubApi.<>c__DisplayClass16_0.<<GetOrganizationId>b__0>d.MoveNext()
--- End of stack trace from previous location ---

[dylan-smith]

we are only adding --no-ssl-verify options for communication with GHES. Your error looks like it happened when communicating with github.com which should have SSL configured properly.

[timrogers]

@bheemreddy181 Did you manage to figure this out? My guess is that your machine is using a proxy and that's causing problems.