Contribsys repo intermediary cert expired - bundle install fails with Could not verify the SSL certificate for https://gems.contribsys.com/ #5008
Comments
The certificate seems to work with

```
> require 'net/https'
> Net::HTTP.get(URI("https://gems.contribsys.com"))
=> "This is Contributed Systems' Sidekiq Pro repo.\n"
```
|
We got the same issue |
tl;dr: update ruby and openssl. |
|
Updating bundler to >= 2.2 may be useful as well since older versions were using different ssl handling https://bundler.io/blog/2020/12/09/bundler-v2-2.html |
Same here, using jruby docker image jruby:9.2.14.0-jdk. |
My current understanding: the core issue is that your system's trusted set of root certificates is years out of date. I can't update your system nor do I know how to do so because every system is different. The typical procedure is to update your operating system (e.g. Ubuntu 14.04 to 20.04) or OpenSSL package to get the latest certificate bundle included with it. On Debian/Ubuntu, see the
|
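Added example, not part of any comment in this thread and not Sidekiq or Bundler code: a Ruby check for the two conditions the thread keeps returning to, whether a CA bundle contains an unexpired ISRG Root X1 and which of its roots have expired. The names `audit_bundle`, `sample_root` and `sample_bundles` are hypothetical, and the certificates are constructed self-signed stand-ins that only borrow the real roots' names and dates.

```ruby
require 'openssl'

# Split a PEM bundle into certificates and report whether ISRG Root X1 is
# present and unexpired, and which certificates in the bundle have expired.
def audit_bundle(pem, now = Time.now)
  certs = pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
             .map { |block| OpenSSL::X509::Certificate.new(block) }
  cn = ->(cert) { cert.subject.to_a.find { |name, _, _| name == 'CN' }&.fetch(1) }
  {
    total: certs.size,
    has_isrg_root_x1: certs.any? { |c| cn.(c) == 'ISRG Root X1' && c.not_after > now },
    expired: certs.select { |c| c.not_after < now }.map { |c| cn.(c) }
  }
end

# Constructed sample data: a self-signed certificate carrying the given CN.
def sample_root(cn, key, not_before, not_after)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/O=Constructed sample/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Three constructed bundles: only the expired root, both roots, only the current root.
def sample_bundles
  key = OpenSSL::PKey::RSA.new(2048)
  expired = sample_root('DST Root CA X3', key, Time.utc(2000, 9, 30), Time.utc(2021, 9, 30))
  current = sample_root('ISRG Root X1', key, Time.utc(2015, 6, 4), Time.utc(2035, 6, 4))
  { stale: expired, mixed: expired + current, clean: current }
end

if __FILE__ == $PROGRAM_NAME
  # Pass a bundle path to audit a real store, e.g. OpenSSL::X509::DEFAULT_CERT_FILE.
  source = ARGV[0] ? { ARGV[0] => File.read(ARGV[0]) } : sample_bundles
  source.each { |name, pem| puts "#{name}: #{audit_bundle(pem)}" }
end
```

A store that reports both `has_isrg_root_x1: true` and `DST Root CA X3` under `expired` matches the "mixed" case here, which is the state the `ca-certificates.conf` and blacklist workarounds in this thread change by dropping the expired root.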
FYI we see this error on the latest Amazon Linux 2 AMI, you can check by launching an EC2 instance from public AMI
Edit: I think the openssl version I posted at first was wrong, ignore that, it's probably "1.0.2k-fips" |
It appears to be a problem on google appengine's flex ruby environment as well. guess i'm SOL until google fixes it, unless i want to switch to a custom environment and build my own docker image. ugh. |
On Amazon Linux 2 we worked around this today by punting the expired certificate into the PKI blacklist on our machines:
I took the ID from
|
We're using an AmazonLinux2 container for AWS CodeBuild, and @dannyfallon's one-liner fixed it for us. |
which one liner? I'm also using AmazonLinux2 with EBS, can you please help |
|
It is not working on
|
Any other alternative? |
Try using AmazonLinux2. You seem to be on AmazonLinux. |
Any other workaround for AmazonLinux? |
@vishalzambre This works for me on Amazon Linux 1:
|
I'm getting now |
Now I can see
But still bundle install failing
|
Is the ISRG Root X1 CA in your cert store? On AmazonLinux2 it's at |
I can see
|
That's good.
|
Not sure you have any interest in doing this Mike, but from reading this evening I think that you can support older OpenSSL versions (and things based on those), at the expense of Android >4, <7.1.1 support if you generate a new certificate using the |
Finally below snippet worked for me
|
Ahh it is really nice |
Any solution for applications hosted on AWS Elastic Beanstalk? |
You can use this command on AWS EB |
If you are using Rails on AWS Elastic Beanstalk, you have to implement the ssl fix before the gems are installed. I created a file named "/.ebextensions/000_ssl_fix.config" with these contents:
|
Having this same problem in Travis CI using "dist: xenial" we are working through some solutions to this and will post if we find something. |
I think I fixed it in an old xenial CI docker container by:
After that I get this:
But I haven't tried it yet for the real deal and there are a lot of moving parts when it comes to legacy systems, YMMV |
Tried creating image with JRuby 9.2 and JDK 8 with base Ubuntu 20.04:

```ruby
require 'net/https'
Net::HTTP.get(URI('https://gems.contribsys.com'))
```

throws error.
Looks like bug with related issues: |
Reviewing my own preliminary solution I can confirm this issue is solved in my CI system (several legacy MRI rubies in ubuntu 16.04) by just adding these steps as root:

```bash
sed 's/mozilla.DST_Root_CA_X3.crt/!mozilla\/DST_Root_CA_X3.crt/' -i /etc/ca-certificates.conf
update-ca-certificates
```

Also worked in different combinations of debian / ubuntu systems and several MRI rubies. |
@DaveCollinsJr We are having the same issues on travis. I've been in contact with them and nothing they have suggested works. We previously used If anyone finds this looking for the travis issue what they suggested was:
or
The above haven't worked for me as of yet. I'm currently stripping down our |
This worked for me on travis! Thank you! |
@dandynaufaldi We're also seeing this issue on JRuby, and the ca-certificates.conf workaround doesn't help there as it's using its own openssl implementation |
Status update: the server cert has been renewed but still contains the expired root, as this is Let’s Encrypt’s choice. If the server is still not working for you, it is because your software is using an older version of OpenSSL which is incompatible. |
#5008 (comment) - if you follow this advice, and re-issue the cert for gems.contribsys.com the root CA certificate will look like:
and most likely all problems for JRuby and others will end (except some android devices on certain versions, possibly). |
@igcherkaev ubuntu 20.04 has certbot 0.40 which does not support the preferred chain option, else I would have done this. As is, I can't tell which of the two roots in fullchain.pem to exclude. |
For the record: For those with issues on AWS Linux 2 I believe |
|
Running on a docker base image of |
@brendanstennett I have a potential fix which I will roll out later tonight after US business hours. The fix should last until early December, when the cert renews again. |
I've removed the old, expired root reference. jruby-openssl should work now. |
@mperham You mentioned that the fix implemented in #5008 (comment) should last until early December. We are using sidekiq-pro, and our builds are newly failing due to this issue |
@KLForsythe The cert has not changed since Oct 15th and no one else is reporting a problem. I'm giving one quarter for people to roll out any necessary client upgrades (LE certs renew every quarter). The current cert expires on Jan 5 2022 so it will be renewed very soon. |
mac os 12.1
to make it work without ENV variable, with RVM
upd:
|
Similar to #4583, bundle install is failing with
Trying https://www.ssllabs.com/ssltest/analyze.html?d=gems.contribsys.com reveals an expired cert
![image](https://user-images.githubusercontent.com/14118064/135488373-44eb4882-0c2f-4390-a524-1eb8754776a4.png)