Default CA store doesn't work #539

Closed
carlhoerberg opened this issue Jan 10, 2018 · 11 comments
Labels
bug

Comments

@carlhoerberg (Contributor) commented Jan 10, 2018

Looks like the default CA path is broken in Bunny 2.9.0

$ ruby -rbunny -e 'Bunny.new("amqps://user:pass@srv.rmq.cloudamqp.com").start'
E, [2018-01-10T14:22:42.423885 #30918] ERROR -- #<Bunny::Session:0x7ff9b596ee00 @84codes-prod-a.rmq.cloudamqp.com:5671, vhost=, addresses=[srv.rmq.cloudamqp.com:5671]>: No CA certificates found, add one with :tls_ca_certificates
W, [2018-01-10T14:22:42.424063 #30918]  WARN -- #<Bunny::Session:0x7ff9b596ee00 @84codes-prod-a.rmq.cloudamqp.com:5671, vhost=, addresses=[srv.rmq.cloudamqp.com:5671]>: Using TLS but no client certificate is provided! If RabbitMQ is configured to verify peer
certificate, connection upgrade will fail!

Traceback (most recent call last):
        3: from -e:1:in `<main>'
        2: from /Users/carl/.rbenv/versions/2.5.0/lib/ruby/gems/2.5.0/gems/bunny-2.9.0/lib/bunny/session.rb:304:in `start'
        1: from /Users/carl/.rbenv/versions/2.5.0/lib/ruby/gems/2.5.0/gems/bunny-2.9.0/lib/bunny/transport.rb:81:in `connect'
/Users/carl/.rbenv/versions/2.5.0/lib/ruby/gems/2.5.0/gems/bunny-2.9.0/lib/bunny/transport.rb:81:in `connect': SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) (OpenSSL::SSL::SSLError)

Has worked very well up until now.

@michaelklishin (Member) commented Jan 10, 2018

Can you please do the same with debug logging?

I suspect it's a side effect of #534.

@carlhoerberg (Contributor, Author) commented Jan 10, 2018

@michaelklishin (Member) commented Jan 10, 2018

I suggest that we add more debug logging around CA certificate directories before working on a fix.

@carlhoerberg (Contributor, Author) commented Jan 10, 2018

Array(nil) => [] so default_tls_certificates will never be called

@michaelklishin (Member) commented Jan 10, 2018

@carlhoerberg good catch. Forcing the default if tls_ca_certificates_paths_from returns an empty list is what I'd do.
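
The failure mode identified above and the suggested fix, as an added Ruby example that is not Bunny's own code. The method names, the `||` shape of the pre-fix lookup, and the throwaway CA standing in for the system bundle are all assumptions made for illustration.

```ruby
require "openssl"
require "tempfile"

# Hypothetical stand-in for the option lookup: Array(nil) is [], never nil.
def ca_paths_from(opts)
  Array(opts[:tls_ca_certificates])
end

# Pre-fix shape (assumed): [] is truthy in Ruby, so the default is never used.
def buggy_ca_paths(opts, defaults)
  ca_paths_from(opts) || defaults
end

# Fix suggested in the thread: force the default when the list is empty.
def fixed_ca_paths(opts, defaults)
  paths = ca_paths_from(opts)
  paths.empty? ? defaults : paths
end

def store_for(paths)
  paths.each_with_object(OpenSSL::X509::Store.new) { |p, s| s.add_file(p) }
end

# Constructed throwaway certificate; a self-signed CA when issuer is nil.
def make_cert(cn, key, issuer = nil, issuer_key = key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = issuer ? 2 : 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true)) unless issuer
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# Verify a server certificate against the store each variant builds.
def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert("Constructed Test CA", ca_key)
  leaf = make_cert("srv.example.test", OpenSSL::PKey::RSA.new(2048), ca, ca_key)
  Tempfile.create(["ca", ".pem"]) do |f|
    f.write(ca.to_pem); f.flush
    defaults = [f.path] # stands in for the system CA bundle
    { buggy: store_for(buggy_ca_paths({}, defaults)).verify(leaf),
      fixed: store_for(fixed_ca_paths({}, defaults)).verify(leaf) }
  end
end
```

With no `:tls_ca_certificates` option, the buggy variant builds an empty trust store and verification of the server certificate fails, while the fixed variant falls back to the default and verification succeeds.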

@michaelklishin (Member) commented Jan 11, 2018

Out in 2.9.1.

bgeuken added a commit to bgeuken/open-build-service that referenced this issue Jan 17, 2018
because depfu is too slow.

This applies a bugfix for bunny which was causing any connection to
rabbitmq to fail (see PR#4362)-

Related bunny issue / PR:
  ruby-amqp/bunny#539
  ruby-amqp/bunny#540

@bgeuken commented Jan 17, 2018

@michaelklishin Could you add an entry for this to the changelog?
We just ran into this issue and it would have helped to have it there. Though we should have looked through the closed issues earlier. But that's a different story^^

@michaelklishin (Member) commented Jan 17, 2018

@michaelklishin (Member) commented Jan 17, 2018

I will add a README section that links to release notes for the current/last 2-3 release series.

@bgeuken commented Jan 18, 2018

Oh, I see. I was only checking the readme of the master branch. And since there was a 2.9.0 tag but none for 2.9.1, I jumped to the wrong conclusion. I should have checked that branch as well^^

Thanks for clarifying, and for maintaining this gem:-) Very much appreciated!

michaelklishin added a commit that referenced this issue Jan 18, 2018
See #539 (comment).

(cherry picked from commit 621532a)

@michaelklishin (Member) commented Jan 18, 2018
