Default CA store doesn't work #539

Closed
carlhoerberg opened this Issue Jan 10, 2018 · 11 comments

Contributor

carlhoerberg commented Jan 10, 2018

Looks like the default CA path is broken in Bunny 2.9.0

$ ruby -rbunny -e 'Bunny.new("amqps://user:pass@srv.rmq.cloudamqp.com").start'
E, [2018-01-10T14:22:42.423885 #30918] ERROR -- #<Bunny::Session:0x7ff9b596ee00 @84codes-prod-a.rmq.cloudamqp.com:5671, vhost=, addresses=[srv.rmq.cloudamqp.com:5671]>: No CA certificates found, add one with :tls_ca_certificates
W, [2018-01-10T14:22:42.424063 #30918]  WARN -- #<Bunny::Session:0x7ff9b596ee00 @84codes-prod-a.rmq.cloudamqp.com:5671, vhost=, addresses=[srv.rmq.cloudamqp.com:5671]>: Using TLS but no client certificate is provided! If RabbitMQ is configured to verify peer certificate, connection upgrade will fail!

Traceback (most recent call last):
        3: from -e:1:in `<main>'
        2: from /Users/carl/.rbenv/versions/2.5.0/lib/ruby/gems/2.5.0/gems/bunny-2.9.0/lib/bunny/session.rb:304:in `start'
        1: from /Users/carl/.rbenv/versions/2.5.0/lib/ruby/gems/2.5.0/gems/bunny-2.9.0/lib/bunny/transport.rb:81:in `connect'
/Users/carl/.rbenv/versions/2.5.0/lib/ruby/gems/2.5.0/gems/bunny-2.9.0/lib/bunny/transport.rb:81:in `connect': SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) (OpenSSL::SSL::SSLError)

Has worked very well up until now.

Member

michaelklishin commented Jan 10, 2018

Can you please do the same with debug logging?

I suspect it's a side effect of #534.

Contributor

carlhoerberg commented Jan 10, 2018

Member

michaelklishin commented Jan 10, 2018

I suggest that we add more debug logging around CA certificate directories before working on a fix.

Contributor

carlhoerberg commented Jan 10, 2018

Array(nil) => [] so default_tls_certificates will never be called

Member

michaelklishin commented Jan 10, 2018

@carlhoerberg good catch. Forcing the default if tls_ca_certificates_paths_from returns an empty list is what I'd do.
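
The behaviour described in the two comments above, as an added example that is not Bunny's own code: `Array(nil)` yields `[]`, which is truthy in Ruby, so an `||` fallback to the default CA locations never runs and the trust store stays empty. The method names `system_ca_paths`, `ca_paths_buggy`, `ca_paths_fixed` and `verifying_context` are hypothetical, and the sample path is constructed.

```ruby
require "openssl"

# Hypothetical stand-in for a library's default lookup: the locations this
# OpenSSL build uses, kept only if they exist on the current host.
def system_ca_paths
  [OpenSSL::X509::DEFAULT_CERT_FILE, OpenSSL::X509::DEFAULT_CERT_DIR]
    .select { |p| File.exist?(p) }
end

# Buggy shape: Array(nil) is [], and [] is truthy in Ruby, so the
# right-hand side of || is never evaluated.
def ca_paths_buggy(opts, defaults)
  Array(opts[:tls_ca_certificates]) || defaults
end

# Fixed shape: fall back to the defaults when the normalized list is empty.
def ca_paths_fixed(opts, defaults)
  paths = Array(opts[:tls_ca_certificates])
  paths.empty? ? defaults : paths
end

# Build a peer-verifying TLS context from the resolved paths. An empty list
# is rejected up front, so the misconfiguration surfaces before the handshake.
def verifying_context(paths)
  raise ArgumentError, "no CA certificates configured" if paths.empty?

  store = OpenSSL::X509::Store.new
  paths.each do |p|
    File.directory?(p) ? store.add_path(p) : store.add_file(p)
  end
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert_store = store
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx
end

if __FILE__ == $PROGRAM_NAME
  defaults = ["/constructed/ca.pem"] # constructed sample value
  puts "buggy: #{ca_paths_buggy({}, defaults).inspect}"
  puts "fixed: #{ca_paths_fixed({}, defaults).inspect}"
end
```
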

Member

michaelklishin commented Jan 11, 2018

Out in 2.9.1.

bgeuken added a commit to bgeuken/open-build-service that referenced this issue Jan 17, 2018

[frontend] Update bunny to 2.9.1
because depfu is too slow.

This applies a bugfix for bunny which was causing any connection to
rabbitmq to fail (see PR#4362).

Related bunny issue / PR:
  ruby-amqp/bunny#539
  ruby-amqp/bunny#540

bgeuken commented Jan 17, 2018

@michaelklishin Could you add an entry for this to the changelog?
We just ran into this issue and it would have helped to have it there. Though we should have looked through the closed issues earlier. But that's a different story^^

Member

michaelklishin commented Jan 17, 2018

Member

michaelklishin commented Jan 17, 2018

I will add a README section that links to release notes for the current/last 2-3 release series.

bgeuken commented Jan 18, 2018

Oh, I see. I was only checking the readme of the master branch. And since there was a 2.9.0 tag but none for 2.9.1, I jumped to the wrong conclusion. I should have checked that branch as well^^

Thanks for clarifying, and for maintaining this gem:-) Very much appreciated!

michaelklishin added a commit that referenced this issue Jan 18, 2018

Link to change logs per release series
See #539 (comment).

(cherry picked from commit 621532a)

Member

michaelklishin commented Jan 18, 2018
