{"id":234,"date":"2011-03-13T20:18:17","date_gmt":"2011-03-14T01:18:17","guid":{"rendered":"http:\/\/somethingdoug.com\/thoughts\/?p=234"},"modified":"2011-03-17T18:28:53","modified_gmt":"2011-03-17T23:28:53","slug":"cpanreporter-transportmetabase-and-libwww-lwp-6","status":"publish","type":"post","link":"https:\/\/somethingdoug.com\/thoughts\/2011\/03\/13\/cpanreporter-transportmetabase-and-libwww-lwp-6\/","title":{"rendered":"CPAN::Reporter, Transport::Metabase, and libwww-lwp 6"},"content":{"rendered":"<p>Recently <a href=\"http:\/\/search.cpan.org\/~gaas\/libwww-perl-6.00\/\">libwww-lwp-6.00<\/a> hit the CPAN with one major change in the default operating behavior: connecting using the https protocol would cause the certificate chain from the server to be verified that it was issued by a trusted certificate authority. In my opinion this behavior is a good thing, as this finally brings libwww-lwp in line with all the browsers.<\/p>\n<p>There were a few <a href=\"http:\/\/blogs.perl.org\/users\/randy_stauner\/2011\/03\/cpanreporter-fails-to-send-through-metabase-with-new-lwp-6.html\">blog<\/a> <a href=\"https:\/\/colinnewell.wordpress.com\/2011\/03\/11\/ssl-host-checking-and-lwpuseragent\/\">articles<\/a> where this change caught people by surprise in that submissions to the <a href=\"http:\/\/metabase.cpantesters.org\/\">CPAN Testers Metabase<\/a> failed (due to metabase.cpantesters.org using a self-signed certificate). Because metabase.cpantesters.org uses a self-signed certificate, simply installing <a href=\"http:\/\/search.cpan.org\/perldoc?Mozilla::CA\">Mozilla::CA<\/a>, which is a bundle of all the trusted CAs by Mozilla, will not correct the submissions failures (plus you have to install a few other modules). The typically error you will see once you have libwww-perl-6.00 install is as follows:<\/p>\n<pre>CPAN::Reporter: Test::Reporter: error from 'Test::Reporter::Transport::Metabase:'\r\nfact submission failed: Can't connect to metabase.cpantesters.org:443 (certificate verify failed) at C:\\strawberry\\perl\\site\\lib\/Metabase\/Client\/Simple.pm line 111<\/pre>\n<p>You may also see the following error if you do not have <a href=\"http:\/\/search.cpan.org\/perldoc?IO::Socket::SSL\">IO::Socket::SSL<\/a> installed:<\/p>\n<pre>CPAN::Reporter: Test::Reporter: error from 'Test::Reporter::Transport::Metabase:'\r\nfact submission failed: Can't connect to metabase.cpantesters.org:443 (Crypt-SSLeay can't verify hostnames) at C:\\strawberry\\perl\\site\\lib\/Metabase\/Client\/Simple.pm line 111<\/pre>\n<p>As a work-around for this problem (without just disabling certificate checking or other environment changes) I wrote two classes that subclass <a href=\"http:\/\/search.cpan.org\/perldoc?Metabase::Client::Simple\">Metabase::Client::Simple<\/a> and <a href=\"http:\/\/search.cpan.org\/perldoc?Test::Reporter::Transport::Metabase\">Test::Reporter::Transport::Metabase<\/a> that make them specific to submitting to the CPAN Testers Metabase and bundle the metabase.cpantesters.org certificate and check the certificate against the bundled one. Having a module where a certificate is bundled may or may not be what CPAN Testers Metabase wants, which is why I do not have any intentions on actually publishing this distribution. If you are interested in looking at it, you can view it as <a href=\"https:\/\/gist.github.com\/867743\">Github Gist 867743<\/a> (using the download button at the top results in the distribution tarball).<\/p>\n<p>The premise is to subclass the Metabase transport to set the uri to be the CPAN Testers Metabase URI by default and to set the client to my client subclass. The client subclass simply wraps the <a href=\"http:\/\/search.cpan.org\/perldoc?LWP::UserAgent\">LWP::UserAgent<\/a> generation method and sets the SSL option to verify the certificate with the bundled certificate. This accomplished by this excerpt:<\/p>\n<pre lang=\"perl\">around _ua =&gt; sub {\r\n    my $orig = shift;\r\n    my $self = shift;\r\n\r\n    my $ua_was_generated = !$self-&gt;{_ua};\r\n\r\n    # Get the standard generated UA\r\n    my $ua = $self-&gt;$orig(@_);\r\n\r\n    if ($ua_was_generated) {\r\n        # Add our SSL options to the UA\r\n        $ua-&gt;ssl_opts(SSL_ca_file =&gt; File::ShareDir::dist_file('Test-Reporter-Transport-Metabase-CPANTesters', 'metabase.cpantesters.org.crt'));\r\n    }\r\n\r\n    return $ua;\r\n};<\/pre>\n<p>If you are interested in using the module, you can download the tarball and run the commands outlined in <a href=\"https:\/\/gist.github.com\/867743#file_install\">INSTALL<\/a> and be sure to change your CPAN Reporter configuration as noted in <a href=\"https:\/\/gist.github.com\/867743#file_readme\">README<\/a> to actually use the new module. After you install it, you can simply set your CPAN Reporter configuration file to have:<\/p>\n<pre>transport = Metabase::CPANTesters id_file ~\/.cpanreporter\/metabase_id.json<\/pre>\n<p>A possible solution to this situation may be for the Test::Reporter::Transport::Metabase to have an option for SSL parameters like the certificate file and pass that parameter on to Metabase::Client::Simple for it to set in it&#8217;s LWP::UserAgent instance (or metabase.cpantesters.org could have a certificate signed by a CA trusted by Mozilla, though this solution may cost money for the certificate purchase).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Recently libwww-lwp-6.00 hit the CPAN with one major change in the default operating behavior: connecting using the https protocol would cause the certificate chain from the server to be verified that it was issued by a trusted certificate authority. In my opinion this behavior is a good thing, as this finally brings libwww-lwp in line [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[12,24,27,19],"class_list":["post-234","post","type-post","status-publish","format-standard","hentry","category-perl","tag-cpan","tag-metabase","tag-perl","tag-perl5"],"_links":{"self":[{"href":"https:\/\/somethingdoug.com\/thoughts\/wp-json\/wp\/v2\/posts\/234","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/somethingdoug.com\/thoughts\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/somethingdoug.com\/thoughts\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/somethingdoug.com\/thoughts\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/somethingdoug.com\/thoughts\/wp-json\/wp\/v2\/comments?post=234"}],"version-history":[{"count":20,"href":"https:\/\/somethingdoug.com\/thoughts\/wp-json\/wp\/v2\/posts\/234\/revisions"}],"predecessor-version":[{"id":264,"href":"https:\/\/somethingdoug.com\/thoughts\/wp-json\/wp\/v2\/posts\/234\/revisions\/264"}],"wp:attachment":[{"href":"https:\/\/somethingdoug.com\/thoughts\/wp-json\/wp\/v2\/media?parent=234"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/somethingdoug.com\/thoughts\/wp-json\/wp\/v2\/categories?post=234"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/somethingdoug.com\/thoughts\/wp-json\/wp\/v2\/tags?post=234"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}