logstash-input-rss cant fetch various RSS feeds due to Error: certificate verify failed

[sthierolf]

logstash-input-rss cant fetch various RSS feeds due to Error: certificate verify failed
Checked forum for how-to disable, skip or ignore SSL certificate check.
Error for NIST feeds, Debian Security feeds. Looks like Feeds provided by websites running Let's Encrypt.
Looks like Ruby or JRuby does SSL different than openssl which might cause this issue?

• Version:
  logstash 7.15.0

• Operating System:
  Debian 11 Bullseye

• Config File:
  Simple input Filter for NIST NVD feed:

input {
  rss {
    url => "https://nvd.nist.gov/feeds/xml/cve/misc/nvd-rss.xml"
    interval => 3600
    id => "rss-nist-nvd"
    tags => ["cert", "usa", "nist"]
  }
}

• Sample Data:
  Started with: /usr/share/logstash/bin/logstash --path.settings /etc/logstash --log.level debug

[2021-10-04T17:31:51,902][ERROR][logstash.javapipeline    ][main][rss-nist-nvd] A plugin had an unrecoverable error. Will restart this plugin.
  Pipeline_id:main
  Plugin: <LogStash::Inputs::Rss interval=>3600, id=>"rss-nist-nvd", url=>"https://nvd.nist.gov/feeds/xml/cve/misc/nvd-rss.xml", tags=>["cert", "usa", "nist"], enable_metric=>true, codec=><LogStash::Codecs::Plain id=>"plain_059720a1-f3c2-42f3-90ea-d04827ee3035", enable_metric=>true, charset=>"UTF-8">>
  Error: certificate verify failed
  Exception: Faraday::SSLError

• Steps to Reproduce:
  Create input filter with above RSS feed URL.

[jsvd]

Thank you for the report, we're grouping these in elastic/logstash#13261, but let's keep this one open as there may be fixes/workarounds specifically for this

[sthierolf]

As mentioned, DST Root CA X3 (Lets Encrypt) expired. Updated logstash to 7.17.0, the certificate verify failed error is solved.