Certificate verify failed on GET #229

Closed
nonlandi opened this issue Mar 10, 2021 · 2 comments

@nonlandi

We are having issues with certificate verification on calls to storage.yandexcloud.net when using the :net_http adapter. We are forced to use this adapter for other reasons in our implementation.

To reproduce:

require 'faraday'

Faraday.default_adapter = :net_http
Faraday.get "https://storage.yandexcloud.net"

Things we've tried:
(1) Verified that our request works with VERIFY_NONE option
(2) Verified that the request works with Faraday.default_adapter set to :manticore (in an older Faraday version, which still supported :manticore)
(3) Tried to upgrade Bouncy Castle to 1.68 and tried to build jruby-openssl ourselves to possibly include updated root certificates shipped with BC
(4) Had no success with specifying the CA certificate bundle using options SSL_CERT_DIR / SSL_CERT_FILE
(5) Also happens with JRuby 9.2.16.0

Ubuntu vs. MacOS
We can SUCCESSFULLY issue the request with above code when running on MacOS. My machine (as well as our servers) are running Ubuntu.

Some details of the error might be hinted at by using the doctor.rb script posted in this blog article:
https://mislav.net/2013/07/ruby-openssl/
https://github.com/mislav/ssl-tools/blob/master/doctor.rb

bundle exec ruby ./doctor.rb storage.yandexcloud.net
/home/mala/.rbenv/versions/jruby-9.2.14.0/bin/jruby (2.5.7)
JRuby-OpenSSL 0.10.5: /etc/ssl
SSL_CERT_DIR="/etc/ssl/certs"
SSL_CERT_FILE=""

HEAD https://storage.yandexcloud.net:443
opening connection to storage.yandexcloud.net:443...
opened
starting SSL for storage.yandexcloud.net:443...
Conn close because of connect error certificate verify failed
OpenSSL::SSL::SSLError: certificate verify failed

The server presented a certificate that could not be verified:
  subject: /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
  issuer: /C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
  error code 20: unable to get local issuer certificate
@kares
Member

kares commented Apr 10, 2021

> We can SUCCESSFULLY issue the request with above code when running on MacOS.

This should confirm the issue is environment specific - usually the Java CA certificates are different on the host.
To fully understand what might be missing you should attempt to debug the certificate chain (e.g. using the -J-Djavax.net.debug=all system property).

@kares kares added the invalid label Apr 10, 2021
@kares
Member

kares commented Oct 25, 2021

For the record, here's JRuby 9.2.19.0 (w/ jruby-openssl 0.10.7) ruby -v doctor.rb storage.yandexcloud.net:

jruby 9.2.19.0 (2.5.8) 2021-06-15 55810c552b OpenJDK 64-Bit Server VM 11.0.6+10 on 11.0.6+10 +jit [linux-x86_64]
/opt/local/rvm/rubies/jruby-9.2.19.0/bin/jruby (2.5.8)
JRuby-OpenSSL 0.10.7: /etc/ssl
SSL_CERT_DIR=""
SSL_CERT_FILE=""

HEAD https://storage.yandexcloud.net:443
OK

... yandexcloud might have changed the certificates in the meantime - that's why I was asking for debug output.

Also, please give this a go by updating jruby-openssl to (>=) 0.11.0, and if the issue persists, share the outcome.

@kares kares closed this as completed Oct 25, 2021
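
The failure shape in the doctor.rb output above (error code 20 reported against an intermediate whose issuer is absent from the local trust store), reproduced offline as an added example that is not part of this thread or of jruby-openssl. All certificates and names are constructed, and `make_cert`, `build_fixture` and `diagnose` are hypothetical helpers.

```ruby
require "openssl"

# Build one constructed certificate (no real CA material is used).
def make_cert(subject, key, issuer, issuer_key, serial, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = OpenSSL::X509::Name.parse(issuer)
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  if ca # intermediates and roots must be marked as CAs to issue certificates
    ef = OpenSSL::X509::ExtensionFactory.new
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  end
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# Old root, a newer CA cross-signed by that old root, and a leaf issued by
# the newer CA: the same shape as the subject/issuer pair in the report.
def build_fixture
  old_key, new_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  old_dn = "/O=Constructed/CN=Old Root"
  new_dn = "/O=Constructed/CN=Newer CA"
  { old_root: make_cert(old_dn, old_key, old_dn, old_key, 1, ca: true),
    cross: make_cert(new_dn, new_key, old_dn, old_key, 2, ca: true),
    leaf: make_cert("/CN=host.example", leaf_key, new_dn, new_key, 3, ca: false) }
end

# Verify the leaf plus the server-sent intermediates against a trust store
# and report the certificate at which chain building stopped.
def diagnose(store, leaf, sent)
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, sent)
  return { ok: true, chain: ctx.chain.map { |c| c.subject.to_s } } if ctx.verify
  bad = ctx.current_cert
  { ok: false, code: ctx.error, reason: ctx.error_string, depth: ctx.error_depth,
    subject: bad.subject.to_s, issuer: bad.issuer.to_s }
end

f = build_fixture
without_root = OpenSSL::X509::Store.new # trust store lacking the old root
with_root = OpenSSL::X509::Store.new
with_root.add_cert(f[:old_root])
p diagnose(without_root, f[:leaf], [f[:cross]])
p diagnose(with_root, f[:leaf], [f[:cross]])
```

The `subject`/`issuer` pair in a failing result names the CA certificate to look for in the host's trust store.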