Gist Liquid Tag causes SSL error when using jekyll serve or jekyll build #30

Closed
cdvillard opened this Issue Jan 28, 2016 · 14 comments


cdvillard commented Jan 28, 2016

I was directed here from Jekyll, but for the sake of clarity and saving a click, I've pasted the original text here.

I preface this with the fact that I'm not a Rubyist, and I'm just getting back on Windows, so if I seem a little green, it's because I am.

I'm currently working on Windows 10, trying to build a site using the Poole theme, Jekyll 3.1.0 and Ruby ruby 2.2.3p173 x64. I seemed to keep running up against Liquid errors. I managed to fix a few common ones after installing jekyll-gist and jekyll-paginate, but then I hit this wall:

$ jekyll serve --trace
Configuration file: C:/Users/cdvillard/Projects/cvillard/new-site/poole/_config.yml
            Source: C:/Users/cdvillard/Projects/cvillard/new-site/poole
       Destination: C:/Users/cdvillard/Projects/cvillard/new-site/poole/_site
 Incremental build: disabled. Enable with --incremental
Generating...
Liquid Exception: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed in C:/Users/cdvillard/Projects/cvillard/new-site/poole/_posts/2014-01-01-example-content.md
C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
    from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `block in connect'
    from C:/Ruby22-x64/lib/ruby/2.2.0/timeout.rb:88:in `block in timeout'
    from C:/Ruby22-x64/lib/ruby/2.2.0/timeout.rb:98:in `call'
    from C:/Ruby22-x64/lib/ruby/2.2.0/timeout.rb:98:in `timeout'
    from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:923:in `connect'
    from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:863:in `do_start'
    from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:852:in `start'
    from C:/Ruby22-x64/lib/ruby/2.2.0/net/http.rb:583:in `start'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-gist-1.4.0/lib/jekyll-gist/gist_tag.rb:79:in `fetch_raw_code'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-gist-1.4.0/lib/jekyll-gist/gist_tag.rb:56:in `gist_noscript_tag'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-gist-1.4.0/lib/jekyll-gist/gist_tag.rb:23:in `render'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/liquid-3.0.6/lib/liquid/block.rb:151:in `render_token'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/liquid-3.0.6/lib/liquid/profiler/hooks.rb:5:in `block in render_token_with_profiling'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/liquid-3.0.6/lib/liquid/profiler.rb:80:in `profile_token_render'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/liquid-3.0.6/lib/liquid/profiler/hooks.rb:4:in `render_token_with_profiling'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/liquid-3.0.6/lib/liquid/block.rb:135:in `block in render_all'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/liquid-3.0.6/lib/liquid/block.rb:122:in `each'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/liquid-3.0.6/lib/liquid/block.rb:122:in `render_all'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/liquid-3.0.6/lib/liquid/block.rb:108:in `render'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/liquid-3.0.6/lib/liquid/template.rb:210:in `block in render'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/liquid-3.0.6/lib/liquid/template.rb:262:in `with_profiling'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/liquid-3.0.6/lib/liquid/template.rb:209:in `render'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/liquid-3.0.6/lib/liquid/template.rb:222:in `render!'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/liquid_renderer/file.rb:28:in `block (2 levels) in render!'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/liquid_renderer/file.rb:36:in `measure_bytes'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/liquid_renderer/file.rb:27:in `block in render!'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/liquid_renderer/file.rb:43:in `measure_time'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/liquid_renderer/file.rb:26:in `render!'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/renderer.rb:106:in `render_liquid'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/renderer.rb:61:in `run'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/site.rb:171:in `block (2 levels) in render'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/site.rb:169:in `each'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/site.rb:169:in `block in render'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/site.rb:168:in `each'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/site.rb:168:in `render'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/site.rb:59:in `process'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/command.rb:26:in `process_site'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/commands/build.rb:60:in `build'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/commands/build.rb:33:in `process'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/lib/jekyll/commands/serve.rb:34:in `block (2 levels) in init_with_program'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/mercenary-0.3.5/lib/mercenary/command.rb:220:in `call'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/mercenary-0.3.5/lib/mercenary/command.rb:220:in `block in execute'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/mercenary-0.3.5/lib/mercenary/command.rb:220:in `each'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/mercenary-0.3.5/lib/mercenary/command.rb:220:in `execute'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/mercenary-0.3.5/lib/mercenary/program.rb:42:in `go'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/mercenary-0.3.5/lib/mercenary.rb:19:in `program'
    from C:/Ruby22-x64/lib/ruby/gems/2.2.0/gems/jekyll-3.1.0/bin/jekyll:13:in `<top (required)>'
    from C:/Ruby22-x64/bin/jekyll:23:in `load'
    from C:/Ruby22-x64/bin/jekyll:23:in `<main>'

I haven't followed the trace just yet, but what I have done until this point is research. I've tried several methods including Nichol's and Lavena's. I also know that if I remove the gist tag, it serves the site without complaint. Does anyone have ANY clue what could be causing this?

In the original issue, it was suggested that I enforce Net::HTTP#ssl_version to ':TLSv1_2'. I'm not sure how to.

parkr Jan 28, 2016

Member

Original post: jekyll/jekyll#4413

This means that Ruby couldn't verify the certificate of gist.githubusercontent.com: certificate verify failed (OpenSSL::SSL::SSLError). Do you get this every time? Perhaps this was part of the outage yesterday.

SSLv3 is old, so TLSv1_2 would be better. If you google "ruby net http set ssl version", you could probably figure out how it's done. You'd likely modify the Net::HTTP.start call with some new option.

@parkr parkr added the bug label Jan 28, 2016

cdvillard Jan 28, 2016

Thanks for the follow-up, @parkr. The outage as a cause would have been a legitimate theory, but this was occurring post-outage, at 2:00 AM EST. It still occurs, and only serves the site after removing the gist tag syntax from content. I'll make a fork and try modifying the Net::HTTP.start call next chance I get; I'm in class at the moment.

parkr Jan 29, 2016

Member

> I'll make a fork and try modifying the Net::HTTP.start call next chance I get; I'm in class at the moment.

Sounds good.

cdvillard Feb 3, 2016

I finally got some time to sit down with this today, but I'm having no luck figuring this out. Google has given me a few solutions that I'm sure can be implemented, but I'm unsure as to where to implement it in this case.

sethxd Mar 16, 2016

I'm having the same issue, any luck with a solution to this?

parkr Mar 16, 2016

Member

@sethxd Did you try re-installing Ruby with an upgraded version of OpenSSL? It's possible the version you're both using is broken. This works fine for me.

cdvillard Mar 16, 2016

I simply decided to avoid the issue until after I launched. I'll give your
suggestion a try when I next have a chance.

spiffycoffee Mar 25, 2016

There's definitely a regression in the OpenSSL stdlib component in the Rubies installed by RubyInstaller for Windows, and unfortunately it doesn't look like there's an easy fix.

This is the version in question:

$ ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'
OpenSSL 1.0.1l 15 Jan 2015

(that's an 'L' after 1.0.1)

It seems that every version of 2.2.X, as well as 2.1.7 & 2.1.6 is using this version of OpenSSL. All of them have this issue. (My Vagrant box doesn't have this issue, it has 1.0.1f)

I also tried patching the Net::HTTP.start call to use TLSv1_2 as well as a few of the other options. But, it didn't have any effect. It would always try to connect through SSLv3. (I intentionally broke other things, I know my code was getting picked up :) )

Since the issue is probably with the stdlib OpenSSL, I don't know what our options are. Can we rebuild that library with new code or replace it with a gem or something? I'm also new to ruby. Any suggestions @parkr?

The alternatives I'm considering:

  1. Use RubyInstaller 2.1.5. It's an older version of ruby, and you will have to do the certificate fix mentioned here, but it works.
  2. Just use Vagrant
  3. Buying a Macbook (j/k, well maybe...)

parkr Mar 25, 2016

Member

@spiffycoffee Nice sleuthing! 🔍 I'd recommend asking RubyInstaller to patch. If they release a new version with a later version of OpenSSL, then all would be fixed, no?

spiffycoffee Mar 25, 2016

@parkr Duh, that would be the obvious thing to do. Thanks! I will take it up with them.

VirtuaCreative Mar 30, 2016

Same problem here!

jekyllbot Jun 6, 2016

Contributor

This issue has been automatically marked as stale because it has not been commented on for at least
three months.

The resources of the Jekyll team are limited, and so we are asking for your help.

If you can still reproduce this error on the 3.1-stable or master branch, please reply with all of the information you have about it in order to keep the issue open.

If this is a feature request, please consider building it first as a plugin. Jekyll 3 introduced
hooks which provide convenient access points throughout
the Jekyll build pipeline whereby most needs can be fulfilled. If this is something that cannot be
built as a plugin, then please provide more information about why in order to keep this issue open.

Thank you for all your contributions.

@jekyllbot jekyllbot added the stale label Jun 6, 2016

@jekyllbot jekyllbot closed this Jul 6, 2016

TWiStErRob Oct 23, 2016

Just downloaded the latest of everything and this still happens.

@parkr's #30 (comment) tip to modify gist_tag works, but only when disabled:

Net::HTTP.start(uri.host, uri.port,
    use_ssl: uri.scheme == 'https',
+   verify_mode: OpenSSL::SSL::VERIFY_NONE,,
+   #ssl_version: "TLSv1_2",
+   #ciphers: 'TLSv1.2:!aNULL:!eNULL',
+   #ssl_options: OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3 | OpenSSL::SSL::OP_NO_COMPRESSION,
    read_timeout: 3, open_timeout: 3) do |http|
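
Review bot: the first added line, verify_mode: OpenSSL::SSL::VERIFY_NONE, switches off certificate validation for this request, so the build will accept a response from whatever answers for uri.host and render it into the site; the line also ends in a doubled comma (,,), which will not parse. Keep verification enabled and give OpenSSL a CA bundle instead, either through the SSL_CERT_FILE environment variable or with the ca_file: option of Net::HTTP.start. The three commented-out options only constrain protocol version and cipher choice, neither of which decides a "certificate verify failed" result, so they can be dropped from the change.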

(the commented lines have no apparent effect even when enabled instead of having NONE)

Finally only set SSL_CERT_FILE=...cacert.pem worked.
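
The behaviour reported in this thread, shown as an added example (not code from jekyll-gist or from any commenter): "certificate verify failed" is decided by the trust store, so the same certificate is rejected by a store with no roots and accepted once SSL_CERT_FILE names a bundle containing its issuer. The CA, the host name gist.example.test and all helper names are constructed for the demonstration.

```ruby
require 'openssl'
require 'tempfile'

# Build a certificate for the constructed sample PKI (self-signed CA when no issuer is given).
def make_cert(cn, key, serial, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', issuer ? 'CA:FALSE' : 'CA:TRUE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed sample data: a throwaway CA and a server certificate it issued.
CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert('Constructed Example CA', CA_KEY, 1)
LEAF_CERT = make_cert('gist.example.test', OpenSSL::PKey::RSA.new(2048), 2,
                      issuer: CA_CERT, issuer_key: CA_KEY)

# Verify the leaf against a trust store; returns [ok, OpenSSL's reason string].
def check(store)
  ok = store.verify(LEAF_CERT)
  [ok, store.error_string]
end

# Case 1: a trust store with no roots, as when OpenSSL cannot find any CA bundle.
def empty_store_result
  check(OpenSSL::X509::Store.new)
end

# Case 2: default paths resolved while SSL_CERT_FILE points at a PEM bundle holding the issuing CA.
def env_bundle_result
  saved = ENV['SSL_CERT_FILE']
  Tempfile.create(['cacert', '.pem']) do |f|
    f.write(CA_CERT.to_pem)
    f.flush
    ENV['SSL_CERT_FILE'] = f.path
    store = OpenSSL::X509::Store.new
    store.set_default_paths # OpenSSL consults SSL_CERT_FILE at this point
    check(store)
  end
ensure
  ENV['SSL_CERT_FILE'] = saved # restore the caller's environment (nil deletes the variable)
end

if __FILE__ == $PROGRAM_NAME
  p empty_store_result
  p env_bundle_result
end
```

Verification stays enabled in both cases; only the set of trusted roots changes.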

@jekyllbot jekyllbot removed the stale label Oct 23, 2016

IanLee1521 Oct 27, 2016

Member

I also just started seeing this today. Was there another outage that might be affecting things?

$ bundle exec jekyll serve

Was working for me just a couple days ago in the same project when building locally. (jekyll 3.0.3)
