Setting a CA certificate for a mirror repository through BUNDLE_SSL_CA_CERT doesn't seem to work #6048

Open
tichavskym opened this issue Nov 7, 2022 · 0 comments

Describe the problem as clearly as you can

When downloading dependencies through the mirror repository by executing bundle install, the execution fails on SSL "certificate verify failed (unable to get local issuer certificate)". The path to the CA certificate is configured using BUNDLE_SSL_CA_CERT, but it doesn't seem to work for the mirror repository.

Did you try upgrading rubygems & bundler?

Yes, using the latest Fedora Docker image and installing Ruby tools to make sure my system wide certificates are not used.

Post steps to reproduce the problem

Bundler is configured using .bundle/config

BUNDLE_MIRROR__ALL: "https://cachito-rubygems-92714:REDACTED@cachito-nexus.stage.engineering.redhat.com/repository/cachito-rubygems-hosted-92714/"
# Turn off the probing
BUNDLE_MIRROR__ALL__FALLBACK_TIMEOUT: "false"
BUNDLE_SSL_CA_CERT: "rubygems-proxy-ca.pem"

The mirror is a Nexus RubyGems repository, configured to use HTTPS.

Which command did you run?

bundle install

What were you expecting to happen?

I would expect this to download all dependencies, using the CA certificate that was provided in .bundle/config for verification of the server.

In other words, I would expect that it will have the same effect as SSL_CERT_FILE=rubygems-proxy-ca.pem bundle install that works just fine.

What actually happened?

...
Retrying download gem from https://cachito-rubygems-92714:REDACTED@cachito-nexus.stage.engineering.redhat.com/repository/cachito-rubygems-hosted-92714/ due to error (4/4): Gem::RemoteFetcher::FetchError SSL_connect returned=1 errno=0 peeraddr=10.0.78.73:443 state=error: certificate verify failed (unable to get local issuer certificate) (https://cachito-rubygems-92714:REDACTED@cachito-nexus.stage.engineering.redhat.com/repository/cachito-rubygems-hosted-92714/gems/zeitwerk-2.6.0.gem)

Bundler::HTTPError: Could not download gem from
https://cachito-rubygems-92714:REDACTED@cachito-nexus.stage.engineering.redhat.com/repository/cachito-rubygems-hosted-92714/ due to
underlying error <SSL_connect returned=1 errno=0 peeraddr=10.0.78.73:443 state=error: certificate verify failed (unable to get local issuer certificate)
(https://cachito-rubygems-92714:REDACTED@cachito-nexus.stage.engineering.redhat.com/repository/cachito-rubygems-hosted-92714/gems/zeitwerk-2.6.0.gem)>
  /usr/share/gems/gems/bundler-2.3.7/lib/bundler/rubygems_integration.rb:508:in `rescue in download_gem'
  /usr/share/gems/gems/bundler-2.3.7/lib/bundler/rubygems_integration.rb:480:in `download_gem'
  /usr/share/gems/gems/bundler-2.3.7/lib/bundler/source/rubygems.rb:527:in `download_gem'
  /usr/share/gems/gems/bundler-2.3.7/lib/bundler/source/rubygems.rb:479:in `fetch_gem'
  /usr/share/gems/gems/bundler-2.3.7/lib/bundler/source/rubygems.rb:165:in `install'
  /usr/share/gems/gems/bundler-2.3.7/lib/bundler/installer/gem_installer.rb:54:in `install'
  /usr/share/gems/gems/bundler-2.3.7/lib/bundler/installer/gem_installer.rb:16:in `install_from_spec'
  /usr/share/gems/gems/bundler-2.3.7/lib/bundler/installer/parallel_installer.rb:186:in `do_install'
  /usr/share/gems/gems/bundler-2.3.7/lib/bundler/installer/parallel_installer.rb:177:in `block in worker_pool'
  /usr/share/gems/gems/bundler-2.3.7/lib/bundler/worker.rb:62:in `apply_func'
  /usr/share/gems/gems/bundler-2.3.7/lib/bundler/worker.rb:57:in `block in process_queue'
  /usr/share/gems/gems/bundler-2.3.7/lib/bundler/worker.rb:54:in `loop'
  /usr/share/gems/gems/bundler-2.3.7/lib/bundler/worker.rb:54:in `process_queue'
  /usr/share/gems/gems/bundler-2.3.7/lib/bundler/worker.rb:91:in `block (2 levels) in create_threads'

An error occurred while installing zeitwerk (2.6.0), and Bundler cannot continue.
...

Going through the troubleshooting guide I'd say it's likely that BUNDLE_SSL_CA_CERT "rewrites" all certificates to the specified one, but uses it only for rubygems.org repository and not for the mirror.

If not included with the output of your command, run bundle env and paste the output below

[root@38c3a2c814e1 app]# bundle env
fatal: not a git repository (or any parent up to mount point /tmp/cachito-ruby)
Stopping at filesystem boundary (GIT_DISCOVERY_ACROSS_FILESYSTEM not set).

Environment

Bundler       2.3.7
  Platforms   ruby, x86_64-linux
Ruby          3.1.2p20 (2022-04-12 revision 4491bb740a9506d76391ac44bb2fe6e483fec952) [x86_64-linux]
  Full Path   /usr/bin/ruby
  Config Dir  /etc
RubyGems      3.3.7
  Gem Home    /tmp/cachito-ruby/remote-source/app/vendor/bundle/ruby/3.1.0
  Gem Path    /tmp/cachito-ruby/remote-source/app/vendor/bundle/ruby/3.1.0
  User Home   /root
  User Path   /root/.local/share/gem/ruby
  Bin Dir     /tmp/cachito-ruby/remote-source/app/vendor/bundle/ruby/3.1.0/bin
Tools         
  Git         2.38.1
  RVM         not installed
  rbenv       not installed
  chruby      not installed

Bundler Build Metadata

Built At          2022-11-07
Git SHA           unknown
Released Version  false

Bundler settings

deployment
  Set for your local app (/tmp/cachito-ruby/remote-source/app/.bundle/config): true
disable_local_branch_check
  Set for your local app (/tmp/cachito-ruby/remote-source/app/.bundle/config): true
force_ruby_platform
  Set for your local app (/tmp/cachito-ruby/remote-source/app/.bundle/config): true
frozen
  Set for your local app (/tmp/cachito-ruby/remote-source/app/.bundle/config): true
local.swagger-ui_rails
  Set for your local app (/tmp/cachito-ruby/remote-source/app/.bundle/config): "../deps/rubygems/github.com/RadPad/swagger-ui_rails/swagger-ui_rails-external-gitcommit-7234e21e621b628d6b43194f9ba5cce5ca587f16/app"
mirror.all
  Set for your local app (/tmp/cachito-ruby/remote-source/app/.bundle/config): "https://cachito-rubygems-92714:REDACTED@cachito-nexus.stage.engineering.redhat.com/repository/cachito-rubygems-hosted-92714/"
mirror.all.fallback_timeout
  Set for your local app (/tmp/cachito-ruby/remote-source/app/.bundle/config): false
ssl_ca_cert
  Set for your local app (/tmp/cachito-ruby/remote-source/app/.bundle/config): "rubygems-proxy-ca.pem"

Gemfile

Gemfile

source 'https://rubygems.org'

gem 'zeitwerk'
gem 'pathgem', path: 'vendor/pathgem'
gem 'swagger-ui_rails', git: 'https://github.com/RadPad/swagger-ui_rails.git', branch:  'master'

Gemfile.lock

GIT
  remote: https://github.com/RadPad/swagger-ui_rails.git
  revision: 7234e21e621b628d6b43194f9ba5cce5ca587f16
  branch: master
  specs:
    swagger-ui_rails (0.1.7)

PATH
  remote: vendor/pathgem
  specs:
    pathgem (1.0.0)

GEM
  remote: https://rubygems.org/
  specs:
    zeitwerk (2.6.0)

PLATFORMS
  ruby

DEPENDENCIES
  pathgem!
  swagger-ui_rails!
  zeitwerk

BUNDLED WITH
   2.2.33