Description
We are having issues with certificate verification on calls to storage.yandexcloud.net when using the :net_http adapter. We are forced to use this adapter for other reasons in our implementation.
To reproduce:
```ruby
require 'faraday'
Faraday.default_adapter = :net_http
Faraday.get "https://storage.yandexcloud.net"
```
Things we've tried:
(1) Verified that our request works with the VERIFY_NONE option
(2) Verified that the request works with Faraday.default_adapter set to :manticore (in an older Faraday version, which still supported :manticore)
(3) Tried to upgrade Bouncy Castle to 1.68 and tried to build jruby-openssl ourselves to possibly include updated root certificates shipped with BC
(4) Had no success with specifying the CA certificate bundle using options SSL_CERT_DIR / SSL_CERT_FILE
(5) Also happens with JRuby 9.2.16.0
Ubuntu vs. MacOS
We can SUCCESSFULLY issue the request with the above code when running on MacOS. My machine (as well as our servers) is running Ubuntu.
Some details of the error might be hinted at by using the doctor.rb script posted in this blog article:
https://mislav.net/2013/07/ruby-openssl/
https://github.com/mislav/ssl-tools/blob/master/doctor.rb
```
bundle exec ruby ./doctor.rb storage.yandexcloud.net
/home/mala/.rbenv/versions/jruby-9.2.14.0/bin/jruby (2.5.7)
JRuby-OpenSSL 0.10.5: /etc/ssl
SSL_CERT_DIR="/etc/ssl/certs"
SSL_CERT_FILE=""
HEAD https://storage.yandexcloud.net:443
opening connection to storage.yandexcloud.net:443...
opened
starting SSL for storage.yandexcloud.net:443...
Conn close because of connect error certificate verify failed
OpenSSL::SSL::SSLError: certificate verify failed
The server presented a certificate that could not be verified:
subject: /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
issuer: /C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
error code 20: unable to get local issuer certificate
```
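An added example, not part of the original report and not jruby-openssl code: a Ruby check that, for each certificate a server presents, reports whether its issuer is in the local trust store and whether a certificate with the same subject and key is already a trust anchor there. All certificates, names and helper functions are constructed for the example, and it assumes the failing certificate in the output above is a cross-signed copy of a root the store already holds, which the report does not confirm.

```ruby
require 'openssl'

# Build a certificate. Names and keys are constructed for this example; no
# extensions are set because nothing here runs full path validation.
def make_cert(cn, key, issuer_cert, issuer_key, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# True when `parent` is named as issuer of `cert` and its key made the signature.
def issued_by?(cert, parent)
  cert.issuer.to_der == parent.subject.to_der && cert.verify(parent.public_key)
end

# For each presented certificate: where is its issuer, and is the same
# subject/key pair already a local trust anchor (a cross-signed twin)?
def classify_chain(presented, anchors)
  presented.map do |cert|
    status = if anchors.any? { |a| issued_by?(cert, a) } then :issuer_trusted
             elsif presented.any? { |p| !p.equal?(cert) && issued_by?(cert, p) } then :issuer_presented
             else :issuer_missing
             end
    twin = anchors.any? do |a|
      a.subject.to_der == cert.subject.to_der &&
        a.public_key.to_der == cert.public_key.to_der
    end
    { subject: cert.subject.to_s, issuer: status, twin_in_store: twin }
  end
end

# Constructed scenario: the server sends a copy of "Example New Root" signed by
# "Example Old Root", while the local store holds only the self-signed new root.
def sample_report
  old_key, new_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  old_root = make_cert('Example Old Root', old_key, nil, old_key, 1)
  new_root = make_cert('Example New Root', new_key, nil, new_key, 2)
  cross    = make_cert('Example New Root', new_key, old_root, old_key, 3)
  leaf     = make_cert('storage.example.test', leaf_key, cross, new_key, 4)
  classify_chain([leaf, cross], [new_root])
end

puts sample_report if __FILE__ == $PROGRAM_NAME
```

An entry with `issuer: :issuer_missing` and `twin_in_store: true` means a valid path already ends at a local anchor, so the difference between platforms would lie in how the verifier builds the path rather than in the CA bundle.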