Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add GlobalSign Root CA - R3 cert and remove outdated certs #4100

Merged
merged 1 commit into from Dec 7, 2020

Conversation

@sonalkr132
Copy link
Member

@sonalkr132 sonalkr132 commented Dec 6, 2020

root CA of rubygems.org (and all subdomains) was updated from GlobalSign Organization Validation CA - SHA256 - G2 to GlobalSign Root CA - R3.
GlobalSignRootCA.pem was previously used to verify server cert if system certs could not verify rubygems.org cert.

What was the end-user or developer problem that led to this PR?

Fixes when rubygem.org cert could not be verified by using system certs:

SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)                                          

closes: #4099

What is your fix for the problem, implemented in this PR?

add GlobalSign R3 CA cert. used here to configure remove fetcher.

Make sure the following tasks are checked

root CA of rubygems.org (and all subdomains) was updated from
GlobalSign Organization Validation CA - SHA256 - G2 to GlobalSign Root
CA - R3.

GlobalSignRootCA.pem was previously used to verify server cert if
system certs could not verify rubygems.org cert
hsbt
hsbt approved these changes Dec 7, 2020
@hsbt
Copy link
Member

@hsbt hsbt commented Dec 7, 2020

@sonalkr132 Thanks! I will backport this to RG 2.7, 3.0 and 3.1.

Loading

@hsbt hsbt merged commit 9bb7da6 into rubygems:master Dec 7, 2020
45 checks passed
Loading
hsbt added a commit that referenced this issue Dec 7, 2020
Add GlobalSign Root CA - R3 cert and remove outdated certs
hsbt added a commit that referenced this issue Dec 7, 2020
Add GlobalSign Root CA - R3 cert and remove outdated certs
hsbt added a commit that referenced this issue Dec 7, 2020
Add GlobalSign Root CA - R3 cert and remove outdated certs
hsbt added a commit that referenced this issue Dec 7, 2020
Add GlobalSign Root CA - R3 cert and remove outdated certs
@sonalkr132
Copy link
Member Author

@sonalkr132 sonalkr132 commented Dec 7, 2020

Thanks. Perhaps we should wait until @dwradcliffe confirms the removal of the old cert.
AddTrustExternalCARoot.pem was expired so it is fine to remove that. DigiCertHighAssuranceEVRootCA.pem is for cloudfront and I am positively sure that we don't have any CloudFront endpoints, however, a confirmation would be nice. It was added more than seven years ago.

Loading

@hsbt
Copy link
Member

@hsbt hsbt commented Dec 7, 2020

Ah, OK. I'm waiting to release the new versions of rubygems until approval from @dwradcliffe .

Loading

@indirect
Copy link
Member

@indirect indirect commented Dec 7, 2020

I can confirm that we previously used CloudFront as the S3 CDN, and we now use Fastly instead. It is ok to remove DigiCertHighAssuranceEVRootCA.pem. 👍🏻

Loading

deivid-rodriguez added a commit that referenced this issue Dec 7, 2020
Add GlobalSign Root CA - R3 cert and remove outdated certs

(cherry picked from commit 9bb7da6)
@dwradcliffe
Copy link
Member

@dwradcliffe dwradcliffe commented Dec 7, 2020

I think there was still a cloudfront domain setup for legacy clients buts it’s probably time to stop supporting that.
👍🏻

Loading

deivid-rodriguez added a commit that referenced this issue Dec 7, 2020
Add GlobalSign Root CA - R3 cert and remove outdated certs

(cherry picked from commit 9bb7da6)
@sonalkr132 sonalkr132 mentioned this pull request Dec 7, 2020
4 tasks
@sonalkr132 sonalkr132 deleted the update-certs branch Dec 7, 2020
deivid-rodriguez added a commit that referenced this issue Dec 7, 2020
Add GlobalSign Root CA - R3 cert and remove outdated certs

(cherry picked from commit 9bb7da6)
matzbot pushed a commit to ruby/ruby that referenced this issue Dec 9, 2020
64kramsystem added a commit to 64kramsystem/ruby-packer-dev that referenced this issue Feb 17, 2021
The bundled Rubygems certificate `AddTrustExternalCARoot.pem` is outdated; replaced it with the current `GlobalSignRootCA_R3.pem`, from the Rubygems project.

See:

- rubygems/rubygems#4099
- rubygems/rubygems#4100
- https://github.com/rubygems/rubygems/blob/master/lib/rubygems/ssl_certs/rubygems.org/GlobalSignRootCA_R3.pem
64kramsystem added a commit to 64kramsystem/ruby-packer-dev that referenced this issue Feb 17, 2021
The bundled Rubygems certificate `AddTrustExternalCARoot.pem` is outdated; replaced it with the current `GlobalSignRootCA_R3.pem`, from the Rubygems project.

See:

- rubygems/rubygems#4099
- rubygems/rubygems#4100
- https://github.com/rubygems/rubygems/blob/master/lib/rubygems/ssl_certs/rubygems.org/GlobalSignRootCA_R3.pem
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Linked issues

Successfully merging this pull request may close these issues.

6 participants