You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We are having issues with certificate verification on calls to storage.yandexcloud.net when using the :net_http adapter. We are forced to use this adapter for other reasons in our implementation.
Things we've tried:
(1) Verified that our request works with VERIFY_NONE option
(2) Verified that the request works with Faraday.default_adapter set to :manticore (in an older Faraday version, which still supported :manticore)
(3) Tried to upgrade Bouncy Castle to 1.68 and tried to build jruby-openssl ourselves to possibly include updated root certificates shipped with BC
(4) Had no success with specifying the CA certificate bundle using options SSL_CERT_DIR / SSL_CERT_FILE
(5) Also happens with JRuby 9.2.16.0
Ubuntu vs. MacOS
We can SUCCESSFULLY issue the request with above code when running on MacOS. My machine (as well as our servers) are running Ubuntu.
bundle exec ruby ./doctor.rb storage.yandexcloud.net
/home/mala/.rbenv/versions/jruby-9.2.14.0/bin/jruby (2.5.7)
JRuby-OpenSSL 0.10.5: /etc/ssl
SSL_CERT_DIR="/etc/ssl/certs"
SSL_CERT_FILE=""
HEAD https://storage.yandexcloud.net:443
opening connection to storage.yandexcloud.net:443...
opened
starting SSL for storage.yandexcloud.net:443...
Conn close because of connect error certificate verify failed
OpenSSL::SSL::SSLError: certificate verify failed
The server presented a certificate that could not be verified:
subject: /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
issuer: /C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
error code 20: unable to get local issuer certificate
The text was updated successfully, but these errors were encountered:
We can SUCCESSFULLY issue the request with above code when running on MacOS.
This should confirm the issue is environment specific - usually the Java CA certificates are different on the host.
To fully understand what might be missing you should attempt to debug the certificate chain (e.g. using the -J-Djavax.net.debug=all system property).
for the record here's JRuby 9.2.19.0 (w jruby-openssl 0.10.7) ruby -v doctor.rb storage.yandexcloud.net :
jruby 9.2.19.0 (2.5.8) 2021-06-15 55810c552b OpenJDK 64-Bit Server VM 11.0.6+10 on 11.0.6+10 +jit [linux-x86_64]
/opt/local/rvm/rubies/jruby-9.2.19.0/bin/jruby (2.5.8)
JRuby-OpenSSL 0.10.7: /etc/ssl
SSL_CERT_DIR=""
SSL_CERT_FILE=""
HEAD https://storage.yandexcloud.net:443
OK
... yandexcloud might have changed the certificates in the mean time - that's why I was asking for debug output.
Also, please give this a go by updating jruby-openssl to (>=) 0.11.0 and if the issue persist share the outcome.
We are having issues with certificate verification on calls to storage.yandexcloud.net when using the :net_http adapter. We are forced to use this adapter for other reasons in our implementation.
To reproduce:
Things we've tried:
(1) Verified that our request works with VERIFY_NONE option
(2) Verified that the request works with Faraday.default_adapter set to :manticore (in an older Faraday version, which still supported :manticore)
(3) Tried to upgrade Bouncy Castle to 1.68 and tried to build jruby-openssl ourselves to possibly include updated root certificates shipped with BC
(4) Had no success with specifying the CA certificate bundle using options SSL_CERT_DIR / SSL_CERT_FILE
(5) Also happens with JRuby 9.2.16.0
Ubuntu vs. MacOS
We can SUCCESSFULLY issue the request with above code when running on MacOS. My machine (as well as our servers) are running Ubuntu.
Some details of the error might be hinted at, by using the doctor.rb script posted in this blog article:
https://mislav.net/2013/07/ruby-openssl/
https://github.com/mislav/ssl-tools/blob/master/doctor.rb
The text was updated successfully, but these errors were encountered: