Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add GlobalSign Root CA - R3 cert and remove outdated certs #4100

Merged
merged 1 commit into from Dec 7, 2020

Conversation

@sonalkr132
Copy link
Member

@sonalkr132 sonalkr132 commented Dec 6, 2020

root CA of rubygems.org (and all subdomains) was updated from GlobalSign Organization Validation CA - SHA256 - G2 to GlobalSign Root CA - R3.
GlobalSignRootCA.pem was previously used to verify server cert if system certs could not verify rubygems.org cert.

What was the end-user or developer problem that led to this PR?

Fixes when rubygem.org cert could not be verified by using system certs:

SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)                                          

closes: #4099

What is your fix for the problem, implemented in this PR?

add GlobalSign R3 CA cert. used here to configure remove fetcher.

Make sure the following tasks are checked

root CA of rubygems.org (and all subdomains) was updated from
GlobalSign Organization Validation CA - SHA256 - G2 to GlobalSign Root
CA - R3.

GlobalSignRootCA.pem was previously used to verify server cert if
system certs could not verify rubygems.org cert
@bundlerbot bundlerbot added the RubyGems label Dec 6, 2020
@hsbt
hsbt approved these changes Dec 7, 2020
@hsbt
Copy link
Member

@hsbt hsbt commented Dec 7, 2020

@sonalkr132 Thanks! I will backport this to RG 2.7, 3.0 and 3.1.

@hsbt hsbt merged commit 9bb7da6 into rubygems:master Dec 7, 2020
45 checks passed
45 checks passed
install_rubygems_ubuntu (2.3.8, true)
Details
jruby_bundler
Details
macos_rubygems (2.4.10)
Details
ruby_core (rubygems)
Details
ubuntu_bundler (2.3.8)
Details
ubuntu_lint
Details
ubuntu_rubygems (2.3.8)
Details
windows_bundler (2.4)
Details
windows_rubygems (2.4.10)
Details
install_rubygems_ubuntu (2.3.8, false)
Details
macos_rubygems (2.5.8)
Details
ruby_core (bundler)
Details
ubuntu_bundler (2.4.10)
Details
ubuntu_rubygems (2.4.10)
Details
windows_bundler (2.5)
Details
windows_rubygems (2.5.8)
Details
install_rubygems_ubuntu (2.4.10, true)
Details
macos_rubygems (2.6.6)
Details
ubuntu_bundler (2.4.10, 3.0.0)
Details
ubuntu_rubygems (2.5.8)
Details
windows_bundler (2.6)
Details
windows_rubygems (2.6.6)
Details
install_rubygems_ubuntu (2.4.10, false)
Details
macos_rubygems (2.7.2)
Details
ubuntu_bundler (2.5.8)
Details
ubuntu_rubygems (2.6.6)
Details
windows_bundler (2.7)
Details
windows_rubygems (2.7.2)
Details
install_rubygems_ubuntu (2.5.8, true)
Details
ubuntu_bundler (2.5.8, 3.0.0)
Details
ubuntu_rubygems (2.7.2)
Details
install_rubygems_ubuntu (2.5.8, false)
Details
ubuntu_bundler (2.6.6)
Details
ubuntu_rubygems (jruby-9.2.11.1)
Details
install_rubygems_ubuntu (2.6.6, true)
Details
ubuntu_bundler (2.6.6, 3.0.0)
Details
ubuntu_rubygems (truffleruby-20.2.0)
Details
install_rubygems_ubuntu (2.6.6, false)
Details
ubuntu_bundler (2.7.2)
Details
install_rubygems_ubuntu (2.7.2, true)
Details
ubuntu_bundler (2.7.2, 3.0.0)
Details
install_rubygems_ubuntu (2.7.2, false)
Details
install_rubygems_ubuntu (jruby-9.2.11.1, true)
Details
install_rubygems_ubuntu (jruby-9.2.11.1, false)
Details
install_rubygems_windows
Details
hsbt added a commit that referenced this pull request Dec 7, 2020
Add GlobalSign Root CA - R3 cert and remove outdated certs
hsbt added a commit that referenced this pull request Dec 7, 2020
Add GlobalSign Root CA - R3 cert and remove outdated certs
hsbt added a commit that referenced this pull request Dec 7, 2020
Add GlobalSign Root CA - R3 cert and remove outdated certs
hsbt added a commit that referenced this pull request Dec 7, 2020
Add GlobalSign Root CA - R3 cert and remove outdated certs
@sonalkr132
Copy link
Member Author

@sonalkr132 sonalkr132 commented Dec 7, 2020

Thanks. Perhaps we should wait until @dwradcliffe confirms the removal of the old cert.
AddTrustExternalCARoot.pem was expired so it is fine to remove that. DigiCertHighAssuranceEVRootCA.pem is for cloudfront and I am positively sure that we don't have any CloudFront endpoints, however, a confirmation would be nice. It was added more than seven years ago.

@hsbt
Copy link
Member

@hsbt hsbt commented Dec 7, 2020

Ah, OK. I'm waiting to release the new versions of rubygems until approval from @dwradcliffe .

@indirect
Copy link
Member

@indirect indirect commented Dec 7, 2020

I can confirm that we previously used CloudFront as the S3 CDN, and we now use Fastly instead. It is ok to remove DigiCertHighAssuranceEVRootCA.pem. 👍🏻

deivid-rodriguez added a commit that referenced this pull request Dec 7, 2020
Add GlobalSign Root CA - R3 cert and remove outdated certs

(cherry picked from commit 9bb7da6)
@dwradcliffe
Copy link
Member

@dwradcliffe dwradcliffe commented Dec 7, 2020

I think there was still a cloudfront domain setup for legacy clients buts it’s probably time to stop supporting that.
👍🏻

deivid-rodriguez added a commit that referenced this pull request Dec 7, 2020
Add GlobalSign Root CA - R3 cert and remove outdated certs

(cherry picked from commit 9bb7da6)
@sonalkr132 sonalkr132 mentioned this pull request Dec 7, 2020
3 of 4 tasks complete
@sonalkr132 sonalkr132 deleted the sonalkr132:update-certs branch Dec 7, 2020
deivid-rodriguez added a commit that referenced this pull request Dec 7, 2020
Add GlobalSign Root CA - R3 cert and remove outdated certs

(cherry picked from commit 9bb7da6)
matzbot pushed a commit to ruby/ruby that referenced this pull request Dec 9, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Linked issues

Successfully merging this pull request may close these issues.

6 participants