Login error: upstream request timeout



when trying to login to codecov.io -using the GitHub authentification- I always get:

upstream request timeout

after a while in the browser window.
I’ve tried this with a completely different browser (freshly installed Firefox, so no stale cookies), and I got the same outcome.

I can’t browse efficiently the codecov reports of my opensource/public repositories (e.g. go-hep/hep, sbinet/npyio, …)

this is happening since a couple of months.

could this be looked at?


Commit SHAs



CI/CD or Build URL


Codecov Output


Expected Results

A correct login.

Actual Results

See above.

Additional Information


Hi @sbinet, we made a fix here, are you able to try again?


thanks for taking a look at this.
unfortunately, this didn’t cure the issue.

@sbinet, what if you go directly to https://codecov.io/gh ?

nope, still no luck…

(with and w/o enabling the private-repo scope)

(the only difference when disabling the private-repo scope was a final 404 for the favicon.png)

Hi @sbinet, we made a quick change here. Could you try again? If it still doesn’t work, I’m guessing maybe it’s a problem we’re having with GitHub. Would you be able to go to the Codecov installation and try logging into Codecov again? Note that you will have to re-grant permissions.


I revoked codecov from both my personal account and the organization account, then re-added it to both (sbinet and go-hep) with access to all repositories.

I did that twice (uninstall, re-install+re-grant), and tried with Chromium and Firefox.
still no cigar, unfortunately.

I tried to login with gitlab (and then defering to github for the authorization), that worked but of course none of my github projects were available.

@sbinet, I’m sorry this is happening to you. I can’t seem to find anything in our logs suggesting something fishy is going on. Just to confirm, you’re still seeing upstream request timeout and the network tab looks similar to the screenshot above? Does app.codecov.io/gh work at all?

yes, I am still seeing this error message, even when I browse to app.codecov.io/gh.

what if I try to install codecov by hand in github apps? (ie: providing the explicit oauth callback? which is it?)
or if I try with good’ol’ curl?

@sbinet, we are really stumped on our end why this is happening. The oauth token seems to be valid, and there’s no connection issue from our end.

Just to be extra clear, can you try deleting the cookies one more time and logging in. Can you login with the network tab open and screenshot your entire window once more? Maybe we can try to track down what’s happening or if there’s a GitHub connection issue.

here it is.

(I also just tried in an incognito window. same outcome)

@sbinet, I’ll look into our logs, but is there any extension or firewall that would be preventing login? Would you be able to open up the github?code=** and see what the headers and request body are?

as I said I could login with the bitbucket credentials, so it’s probably not an artefact (network or otherwise) from my end.

replaying the code=... request with curl, I get:

$>  curl -v 'https://codecov.io/login/github?code=<REDACTED>'   -H 'authority: codecov.io'   -H 'upgrade-insecure-requests: 1'   -H 'dnt: 1'   -H 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36'   -H 'accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9'   -H 'sec-fetch-site: cross-site'   -H 'sec-fetch-mode: navigate'   -H 'sec-fetch-user: ?1'   -H 'sec-fetch-dest: document'   -H 'referer: https://about.codecov.io/'   -H 'accept-language: en-US,en;q=0.9,de;q=0.8,fr;q=0.7'   --compressed

*   Trying
* Connected to codecov.io ( port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=codecov.io
*  start date: Nov  4 03:00:58 2020 GMT
*  expire date: Feb  2 03:00:58 2021 GMT
*  subjectAltName: host "codecov.io" matched cert's "codecov.io"
*  issuer: C=US; O=Google Trust Services; CN=GTS CA 1D2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x558ed07c3d80)
> GET /login/github?code=<REDACTED> HTTP/2
> Host: codecov.io
> accept-encoding: deflate, gzip, zstd
> authority: codecov.io
> upgrade-insecure-requests: 1
> dnt: 1
> user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
> accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
> sec-fetch-site: cross-site
> sec-fetch-mode: navigate
> sec-fetch-user: ?1
> sec-fetch-dest: document
> referer: https://about.codecov.io/
> accept-language: en-US,en;q=0.9,de;q=0.8,fr;q=0.7
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 500 
< server: envoy
< date: Wed, 16 Dec 2020 08:59:45 GMT
< content-type: application/json
< x-frame-options: SAMEORIGIN
< content-length: 31
< vary: Origin, Cookie
< x-envoy-upstream-service-time: 274
< via: 1.1 google
< alt-svc: clear
* Connection #0 to host codecov.io left intact
{"error": "Server Error (500)"}

@sbinet, apologies this got away from me due to the holidays. Are you able to reproduce one more time and give the code?