Update Actions, test certs, test code [changelog skip]

[MSP-Greg]

Description

Certs used for testing are outdated, and no longer work with Ubuntu 20.04. The certs also fail if OpenSSL::SSL::SSLContext#security_level is set to 2 or higher.

PR updates Actions, updates all certs used, and provides code/instructions for updating them. Minor changes to test_puma_server_ssl.rb.

First commit is done to show that tests are failing with Ubuntu 20.04. All MRI builds using OpenSSL 1.1.1 failed. See CI:
https://github.com/puma/puma/actions/runs/199729320

After two commits added with the fixes, all Ubuntu MRI passed. See:
https://github.com/puma/puma/actions/runs/199798150

At present, both jruby and jruby-head won't compile on Ubuntu-20.04, so their CI is left on Ubuntu-18.04.

Closes #2330
Closes #2147

Your checklist for this pull request

• I have reviewed the guidelines for contributing to this repository.
• I have added an entry to History.md if this PR fixes a bug or adds a feature. If it doesn't need an entry to HISTORY.md, I have added [changelog skip] the pull request title.
• I have added appropriate tests if this PR fixes a bug or adds a feature.
• My pull request is 100 lines added/removed or less so that it can be easily reviewed.
• If this PR doesn't need tests (docs change), I added [ci skip] to the title of the PR.
• If this closes any issues, I have added "Closes #issue" to the PR description or my commit messages.
• I have updated the documentation accordingly.
• All new and existing tests passed, including Rubocop.

[MSP-Greg]

@pvalena

If you have time, could you please check and see if this PR fixes the SSL issues you've had?

[dentarg]

@MSP-Greg does this also solve #2147?

[MSP-Greg]

Last force push updated examples/puma/keystore.jks, which I overlooked. All green...

[nateberkopec]

I see the value in doing some separate Ubuntu 20/18 testing, but why pin our mac and windows tests too?

[MSP-Greg]

I don't have strong feeling about it.

Right now, ubuntu-latest is 18.04. I don't like pinning Ruby versions, but I think OS's is reasonable, and for a person unfamiliar with Actions, the numeric callout is clear?

I can add some MRI Ruby to ubuntu-18.04. Thoughts?

[nateberkopec]

It's just kinda a weird situation where ubuntu "latest" is not 20.04.

I think we just test the latest MRI Ruby version on 20.04. That seems like enough coverage IMO.

[MSP-Greg]

It's just kinda a weird situation where ubuntu "latest" is not 20.04.

I have a lot of Actions bookmarks, but somewhere they have listings of dates re runner OS's. etc. I'll look for it (later), and add it to the workflow. IOW, I think it's where they'd announce when 20.04 will become 'latest'. I wouldn't be surprised if they deprecate the 'latest' concept. Note that every change here was needed to get 20.04 CI to pass...

Maybe test MRI head, 2.7 & 2.5 on 20.04, and run all the tests on 18.04, as was done previously?

Or, what would you like? I'm working on #2337...

[dentarg]

I have a lot of Actions bookmarks

Me too :)

https://docs.github.com/en/actions/reference/software-installed-on-github-hosted-runners says "Note: The Ubuntu 20.04 virtual environment is currently provided as a preview only." (https://github.com/actions/virtual-environments#available-environments says the same thing)

According to actions/runner-images#1430 there doesn't seem to be any date set when the preview period will be over.

[MSP-Greg]

I may have been mistaken, but they often pin issues (https://github.com/actions/virtual-environments/issues), I think that was the case when they thought they'd remove windows-2016, which people complained about...

[voxik]

The "All certs updated except examples/puma/keystore.jks" of 2nd commit is not true anymore I believe.

[voxik]

@pvalena

If you have time, could you please check and see if this PR fixes the SSL issues you've had?

I have tried to backport this PR for puma 4.3.6, but I am battling with TestPumaServerSSLClient#test_verify_client_cert. It is throwing #<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unspecified certificate verification error)> exception. Any hint what I am missing?

[MSP-Greg]

@voxik

Re JRuby, I can't get the TestPumaServerSSLClient tests to pass on Actions or locally, but the TestPumaServerSSL tests seem ok.

Working on it. I think some of the JRuby OpenSSL tests weren't run when I opened this PR...

[voxik]

JRuby

Just FTR, I am testing on MRI

[MSP-Greg]

@nateberkopec

Updated and passing (fixed a typo or two, JRuby issue, and rebased). It's running MRI 2.5, 2.7 & head on Ubuntu 20.04, and left the 18.04 jobs as is. Personally, I'd like to stop using job 'includes', so all jobs sort by OS. Thoughts? Be happy to do one more push...

[MSP-Greg]

@voxik

See the commits listed on 'Sept 7' at https://github.com/MSP-Greg/puma/commits/4.3.6-ssl-fixtures for a 4.3.6 backport. CI passes with a few Ubuntu 20.04 jobs.

[voxik]

It seems I have managed to make it work on Fedora Rawhide. I was probably missing this hunk:

   def assert_ssl_client_error_match(error, subject=nil, &blk)
-    host = "127.0.0.1"
+    host = "localhost"
     port = UniquePort.call

because I had some issues with previous versions of this patch. But now it LGTM.

[MSP-Greg]

@voxik

I had some issues with previous versions of this patch

Running it both locally and on Actions (with Ubuntu 20.04), I did make a change recently:

puma/test/test_puma_server_ssl.rb

Line 278 in 4ab2bc4

host_addrs = server.binder.ios.map { |io| io.to_io.addr[2] }

puma/test/test_puma_server_ssl.rb

Line 305 in 4ab2bc4

assert_includes host_addrs, events.addr if error

Without that, on some systems, the old assert failed, as both IPv4 & IPv6 hosts existed...

Anyway, glad it's passing on Fedora Rawhide.

@nateberkopec

The commits as included may cause a failure if one needed to bisect. I'll rebase & reorder them.

[voxik]

Without that, on some systems, the old assert failed, as both IPv4 & IPv6 hosts existed...

Yep, I mildly remember ~3 issues with ::1 referenced somewhere in place of localhost. So that must be it.

[nateberkopec]

Brilliant work as usual, Greg!