A couple mornings ago I logged in to check the nightly web UI test runs. Every test pipeline failed after 20 seconds. Each job's log showed:

The tests run using bash version of Tosca Execution Client, available on their GitHub. The script has 4 separate usages of curl, and 2 of them make use of the --cacert flag.

That's a start, but why did this just happen out of nowhere after months of working? The day before I walked our intern through rebuilding the host of the test build agents, but how could a rebuild have caused this?

The tests are kicked off by a containerized self-hosted ADO agents. At build time, the containers

• Alpine Linux v3.19, released in late 2023, used curl 8.5.0.
• Alpine Linux v3.20.0, released about 15 days before I rebuilt, uses curl 8.8.0.

Curl 8.6.0 introduced PR 12620, titled "tool: make parser reject blank arguments if not supported", which introduces the same error text we see - "blank argument where content is expected".

The Tosca Execution Client shell script accepts --caCertificate as an argument, and assigns the value to $caCertificate. curl is fed the $caCertificat value by "curl --cacert "${caCertificate}". So, even if $caCertificate is blank, it still gets passed. As of curl 8.6.0, this is now invalid.

My proposed solution is simple. --caCertificate now sets $caCertificateSwitch, which is equal to "--cacert ${2}", with ${2} being the value of the arg. curl is now fed the arg like "curl $caCertificateSwitch", so if it's blank, nothing gets passed in.

Takeaways

• I need to finally start running a simple UI test as a periodic healthcheck
• Pinning versions could have technically kept this from happening but feels a little absurd