Open SSL Error: "Duplicate extensions not allowed"

[jontonsoup]

System Info:
java version "1.6.0_51"

jruby 1.7.4 (1.9.3p392) 2013-05-16 2390d3b on Java HotSpot(TM) 64-Bit Server VM 1.6.0_51-b11-457-11M4509 [darwin-x86_64]

OpenSSL: openssl-1.0.1e

Steps to reproduce: jruby -e "require 'openssl'"

Result:

OpenSSL::X509::StoreError: setting default path failed: problem creating X509 Aux certificate: java.io.IOException: problem parsing cert: java.security.cert.CertificateParsingException: java.io.IOException: Duplicate extensions not allowed
  set_default_paths at org/jruby/ext/openssl/X509Store.java:162
         SSLContext at /Users/Jonathan/.rvm/gems/jruby-1.7.4@global/gems/jruby-openssl-0.9.0/lib/1.9/openssl/ssl-internal.rb:31
                SSL at /Users/Jonathan/.rvm/gems/jruby-1.7.4@global/gems/jruby-openssl-0.9.0/lib/1.9/openssl/ssl-internal.rb:22
            OpenSSL at /Users/Jonathan/.rvm/gems/jruby-1.7.4@global/gems/jruby-openssl-0.9.0/lib/1.9/openssl/ssl-internal.rb:21
             (root) at /Users/Jonathan/.rvm/gems/jruby-1.7.4@global/gems/jruby-openssl-0.9.0/lib/1.9/openssl/ssl-internal.rb:20
            require at org/jruby/RubyKernel.java:1054
             (root) at /Users/Jonathan/.rvm/rubies/jruby-1.7.4/lib/ruby/shared/rubygems/custom_require.rb:1
            require at /Users/Jonathan/.rvm/rubies/jruby-1.7.4/lib/ruby/shared/rubygems/custom_require.rb:36
               load at org/jruby/RubyKernel.java:1073
             (root) at /Users/Jonathan/.rvm/gems/jruby-1.7.4@global/gems/jruby-openssl-0.9.0/lib/1.9/openssl.rb:21
            require at org/jruby/RubyKernel.java:1054
             (root) at /Users/Jonathan/.rvm/gems/jruby-1.7.4@global/gems/jruby-openssl-0.9.0/lib/shared/jruby-openssl.rb:1
             (root) at /Users/Jonathan/.rvm/gems/jruby-1.7.4@global/gems/jruby-openssl-0.9.0/lib/shared/jruby-openssl.rb:20
            require at org/jruby/RubyKernel.java:1054
             (root) at /Users/Jonathan/.rvm/rubies/jruby-1.7.4/lib/ruby/shared/rubygems/custom_require.rb:1
             (root) at -e:1

[BanzaiMan]

I can't reproduce this on my machine (with RVM).

irb(main):001:0> RUBY_DESCRIPTION
=> "jruby 1.7.4 (1.9.3p392) 2013-05-16 2390d3b on Java HotSpot(TM) 64-Bit Server VM 1.6.0_51-b11-457-11M4509 [darwin-x86_64]"
irb(main):002:0> require 'openssl'
=> true

[jontonsoup]

Yea… I'm having trouble figuring out how to even isolate this. Any ideas on how I can give more information?

On Sep 30, 2013, at 9:31 PM, Hiro Asari notifications@github.com wrote:

I can't reproduce this on my machine (with RVM).

irb(main):001:0> RUBY_DESCRIPTION
=> "jruby 1.7.4 (1.9.3p392) 2013-05-16 2390d3b on Java HotSpot(TM) 64-Bit Server VM 1.6.0_51-b11-457-11M4509 [darwin-x86_64]"
irb(main):002:0> require 'openssl'
=> true
—
Reply to this email directly or view it on GitHub.

[jontonsoup]

Better backtrace
https://gist.github.com/jontonsoup/6789306

[mkristian]

what about
$ jruby -S gem list jruby-openssl
do you have older jruby-openssl gems installed ? if yes - you could try
uninstall them and see if that helps.

On Wed, Oct 2, 2013 at 5:59 AM, Jonathan Friedman
notifications@github.comwrote:

Better backtrace
https://gist.github.com/jontonsoup/6789306

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/1055#issuecomment-25513439
.

[jontonsoup]

[Jonathan]: jruby -S gem list jruby-openssl

Error loading RubyGems plugin "/Users/Jonathan/.rvm/gems/jruby-1.7.4@global/gems/executable-hooks-1.2.3/lib/rubygems_plugin.rb": setting default path failed: problem creating X509 Aux certificate: java.io.IOException: problem parsing cert: java.security.cert.CertificateParsingException: java.io.IOException: Duplicate extensions not allowed (OpenSSL::X509::StoreError)

*** LOCAL GEMS ***

jruby-openssl (0.9.0)

[mkristian]

sorry did not read everything first, but it looks like you have certifacte
in your system which java does not like. not sure where on MacOS those
certs are - on my debian linux it is /etc/ssl/certs

google has quite some list with such IOException
http://lmgtfy.com/?q=java.io.IOException%3A+Duplicate+extensions+not+allowed

maybe that helps.

-christian

On Wed, Oct 2, 2013 at 12:38 PM, Jonathan Friedman <notifications@github.com

wrote:

[Jonathan]: jruby -S gem list jruby-openssl

Error loading RubyGems plugin "/Users/Jonathan/.rvm/gems/jruby-1.7.4@global/gems/executable-hooks-1.2.3/lib/rubygems_plugin.rb":
setting default path failed: problem creating X509 Aux certificate:
java.io.IOException: problem parsing cert:
java.security.cert.CertificateParsingException: java.io.IOException:
Duplicate extensions not allowed (OpenSSL::X509::StoreError)

*** LOCAL GEMS ***

jruby-openssl (0.9.0)

—
Reply to this email directly or view it on GitHubhttps://github.com//issues/1055#issuecomment-25531906
.

[jontonsoup]

Well, I thought that at first, but there are two things that have made me think that might not be the case: 1. "problem creating X509 Aux certificate" It seems there is a problem creating a certificate... not reading one. 2. I deleted all the certificates on my computer and I still get this error

[masterkain]

I have the same issue, jruby-head, OSX 10.9

OpenSSL::X509::StoreError: setting default path failed: problem creating X509 Aux certificate: java.io.IOException: problem parsing cert: java.security.cert.CertificateParsingException: java.io.IOException: Duplicate extensions not allowed
  set_default_paths at org/jruby/ext/openssl/X509Store.java:162
         SSLContext at /Users/kain/.rvm/gems/jruby-head@myapp/gems/jruby-openssl-0.9.4/lib/jopenssl19/openssl/ssl-internal.rb:31
                SSL at /Users/kain/.rvm/gems/jruby-head@myapp/gems/jruby-openssl-0.9.4/lib/jopenssl19/openssl/ssl-internal.rb:22
            OpenSSL at /Users/kain/.rvm/gems/jruby-head@myapp/gems/jruby-openssl-0.9.4/lib/jopenssl19/openssl/ssl-internal.rb:21
             (root) at /Users/kain/.rvm/gems/jruby-head@myapp/gems/jruby-openssl-0.9.4/lib/jopenssl19/openssl/ssl-internal.rb:20
               load at org/jruby/RubyKernel.java:884
             (root) at /Users/kain/.rvm/gems/jruby-head@myapp/gems/jruby-openssl-0.9.4/lib/openssl/ssl-internal.rb:1
            require at org/jruby/RubyKernel.java:866
             (root) at /Users/kain/.rvm/gems/jruby-head@myapp/gems/jruby-openssl-0.9.4/lib/openssl/ssl-internal.rb:2
               load at org/jruby/RubyKernel.java:884
             (root) at /Users/kain/.rvm/gems/jruby-head@myapp/gems/jruby-openssl-0.9.4/lib/jopenssl19/openssl.rb:1
            require at org/jruby/RubyKernel.java:866
             (root) at /Users/kain/.rvm/gems/jruby-head@myapp/gems/jruby-openssl-0.9.4/lib/jopenssl19/openssl.rb:21
            require at org/jruby/RubyKernel.java:866
             (root) at /Users/kain/.rvm/gems/jruby-head@myapp/gems/jruby-openssl-0.9.4/lib/jopenssl/load.rb:1
               each at org/jruby/RubyArray.java:1580
             (root) at /Users/kain/.rvm/gems/jruby-head@myapp/gems/jruby-openssl-0.9.4/lib/jopenssl/load.rb:18
               each at org/jruby/RubyArray.java:1580
             (root) at /Users/kain/.rvm/gems/jruby-head@myapp/gems/jruby-openssl-0.9.4/lib/jruby-openssl.rb:1
             (root) at /Users/kain/.rvm/gems/jruby-head@myapp/gems/jruby-openssl-0.9.4/lib/jruby-openssl.rb:5
             (root) at /Users/kain/.rvm/gems/jruby-head@global/gems/bundler-1.3.5/lib/bundler/runtime.rb:1
            require at org/jruby/RubyKernel.java:866
            require at /Users/kain/.rvm/gems/jruby-head@global/gems/bundler-1.3.5/lib/bundler/runtime.rb:72
            require at org/jruby/RubyKernel.java:866
            require at /Users/kain/.rvm/gems/jruby-head@global/gems/bundler-1.3.5/lib/bundler/runtime.rb:70
            require at org/jruby/RubyKernel.java:866
            require at /Users/kain/.rvm/gems/jruby-head@global/gems/bundler-1.3.5/lib/bundler/runtime.rb:59
               load at org/jruby/RubyKernel.java:884
            require at /Users/kain/.rvm/gems/jruby-head@global/gems/bundler-1.3.5/lib/bundler.rb:132
               each at org/jruby/RubyArray.java:1580
             (root) at /Users/kain/Sites/myapp/rails/config/application.rb:13
             (root) at /Users/kain/Sites/myapp/rails/config/environment.rb:1
             (root) at /Users/kain/Sites/myapp/rails/config/environment.rb:2
             (root) at /Users/kain/Sites/myapp/rails/spec/spec_helper.rb:1

[michaelklishin]

I have the same issue with 1.7.5 on Oracle JDK 7 (1.7.0_45) on OS X 10.9.

[michaelklishin]

After some investigation it seems that the issue is with /usr/lib/ssl/cert.pem specifically. Perhaps it contains duplicates but I still need to verify that.

[masterkain]

I found that temporarily wiping /usr/local/etc/ssl make the problem to not appear.
In this folder there is cert.pem, which is a file touched by the autolibs rvm process before installing rubies.

[wedgemartin]

Confirmed to be a problem with the local cert.pem.

[jordansissel]

I get this when loading /usr/lib/ssl/cert.pem on OSX 10.9, JRuby 1.7.8, jruby-openssl (0.9.4)

This snippet of code:

    @certificate_store = OpenSSL::X509::Store.new
    if File.readable?(OpenSSL::X509::DEFAULT_CERT_FILE)
        @certificate_store.add_file(OpenSSL::X509::DEFAULT_CERT_FILE)
    end

[vijayj]

I am having similar issues on mac osx 10.9. I am using jruby-1.7.8 with rvm and jruby-openssl (0.9.4). I was wondering if there are any updates on this issue. Please let me know how I can help.

I am using logstash as well

vijay:10:39:17 ~/learn/logstash 35 > java -jar lib/logstash.jar agent -f fetcher.conf
Using milestone 2 input plugin 'tcp'. This plugin should be stable, but if you see strange behavior, please let us know! For more information on plugin milestones, see http://logstash.net/docs/1.2.2/plugin-milestones {:level=>:warn}
Using milestone 2 output plugin 'elasticsearch_http'. This plugin should be stable, but if you see strange behavior, please let us know! For more information on plugin milestones, see http://logstash.net/docs/1.2.2/plugin-milestones {:level=>:warn}
Exception in thread "LogStash::Runner" org.jruby.exceptions.RaiseException: (StoreError) loading file failed: problem creating X509 Aux certificate: java.io.IOException: problem parsing cert: java.security.cert.CertificateParsingException: java.io.IOException: Duplicate extensions not allowed
at org.jruby.ext.openssl.X509Store.add_file(org/jruby/ext/openssl/X509Store.java:151)
at RUBY.initialize(file:/Users/vijay/learn/logstash/lib/logstash-1.2.2-flatjar.jar!/ftw/agent.rb:70)
at RUBY.register(file:/Users/vijay/learn/logstash/lib/logstash-1.2.2-flatjar.jar!/logstash/outputs/elasticsearch_http.rb:53)
at org.jruby.RubyArray.each(org/jruby/RubyArray.java:1613)
at RUBY.outputworker(file:/Users/vijay/learn/logstash/lib/logstash-1.2.2-flatjar.jar!/logstash/pipeline.rb:208)
at RUBY.start_outputs(file:/Users/vijay/learn/logstash/lib/logstash-1.2.2-flatjar.jar!/logstash/pipeline.rb:140)

[romanukyan]

Downloading http://curl.haxx.se/ca/cacert.pem and adding
export SSL_CERT_FILE=PATH_TO_THe_DOWNLOADED_FILE/cacert.pem to the .bash_profile
fixed the problem for me

[momer]

👍 @romanukyan that resolved it for me.

[headius]

This is sounding like an environment issue, but if anyone has evidence that JRuby's not doing something right (or if we're perhaps too strict about cert file), please reopen with that evidence.

[momer]

Here's a description of the issue:

If you're using a gem that uses a local ca_certs.pem file, and your ENV["SSL_CERT_FILE"] is != to that particular path, then you'll get this issue.

I tried placing the exact same ca_certs.pem file in /usr/local/etc/certs that I wanted to use in my application, but loading in one from /Users/me/project/config/certs/ca_certs.pem and it raised the error.

Once I changed the ENV["SSL_CERT_FILE"] to /Users/me/project/config/certs/ca_certs.pem, the errors went away.

As you can see, it's easy to work around for the one app/env/ca_certs file. Try to use more than one app locally, with different ca_certs.pem's, on the same dev machine, though, and you'll have errors.

[v1bh0r]

👍@romanukyan

[bijanx]

@romanukyan 's solution fixed it for me.

[cmthakur]

👍 @romanukyan Solution works for me

[docwhat]

If you're using OSX, you can use the workaround on jruby/jruby-openssl#56

[liveh2o]

That workaround worked for me, @docwhat. Thanks!

[sushma-unii]

@romanukyan that resolved it for me.

[basmoura]

same here for @romanukyan solution, it solved my issue.

[abhaynahar]

@romanukyan thanks, it resolved the issue, do you know exactly why was it resolved?

[ChrisBr]

ruby-amqp/bunny#555