Contribsys repo intermediary cert expired - bundle install fails with Could not verify the SSL certificate for https://enterprise.contribsys.com/ #4583

Closed
mic-kul opened this issue May 30, 2020 · 7 comments

mic-kul commented May 30, 2020

Bundle install fails with:

Could not verify the SSL certificate for https://enterprise.contribsys.com/.
There is a chance you are experiencing a man-in-the-middle attack, but most
likely your system doesn't have the CA certificates needed for verification. For
information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect
without using SSL, edit your Gemfile sources and change 'https' to 'http'.

Visiting https://enterprise.contribsys.com/ in Firefox doesn't trigger the error but checking SSLLabs output reveals the issue:
https://www.ssllabs.com/ssltest/analyze.html?d=enterprise.contribsys.com

One of the intermediary certs supplied as part of the bundle expired less than an hour ago:

Subject | USERTrust RSA Certification Authority
-- | --
Fingerprint SHA256 | 1a5174980a294a528a110726d5855650266c48d9883bea692b67b6d726da98c5
Pin SHA256 | x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4=
Valid until | Sat, 30 May 2020 10:48:38 UTC (expired 59 minutes and 31 seconds ago) EXPIRED


mperham (Collaborator) commented May 30, 2020

mperham (Collaborator) commented May 30, 2020

Rubygems/Openssl is an "older device" that is affected.

mperham (Collaborator) commented May 30, 2020

Should work now. There were two intermediate certs to choose from; I removed the expired one from the bundle.

mperham closed this as completed May 30, 2020

stevenou commented Jun 1, 2020

I am experiencing this problem today. Is there something I need to change on my end, or was the fix from 2 days ago supposed to work transparently? Thanks!


aristocrates commented Jun 1, 2020

> I am experiencing this problem today. Is there something I need to change on my end, or was the fix from 2 days ago supposed to work transparently? Thanks!

@stevenou This may be due to out-of-date ca-certificates on the machine you are running bundle install on. Updating these fixed the issue for me today.

E.g. on Ubuntu (trusty):

sudo apt update && sudo apt install ca-certificates

sidekiq locked as resolved and limited conversation to collaborators Jun 1, 2020
mperham (Collaborator) commented Jun 1, 2020

@aristocrates Thank you for the expert solution!

mperham (Collaborator) commented Jun 1, 2020

And for others on macOS, you should be able to do this at the command line:

curl -v -v -v https://enterprise.contribsys.com

If that fails, you'll need to update the openssl package to get the latest root certs. You'll see this line in the curl output:

* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none

That cert.pem file holds your trusted roots for use by curl (and ruby, using the OpenSSL bindings). My /etc/ssl looks like this:

$ ls -l /etc/ssl
total 224
-rw-r--r--  1 root  wheel  196928 Mar 21  2019 cert.pem
drwxr-xr-x  2 root  wheel      64 Aug 17  2018 certs
-rw-r--r--  1 root  wheel     745 Aug 17  2018 openssl.cnf
-rw-r--r--  1 root  wheel    1006 Aug 17  2018 x509v3.cnf

I'm running macOS 10.14.6.
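
Added example (not part of the thread, and not Sidekiq or contribsys code): a Ruby check that lists expired certificates in a PEM bundle. It applies both to a server chain file like the one that had the expired intermediate removed and to a client trust file such as /etc/ssl/cert.pem. The helper names and the sample certificates are constructed for illustration; with no argument it reads the default trust file of Ruby's OpenSSL bindings.

```ruby
require "openssl"

PEM_CERT = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Return [subject, not_after] for each certificate in a PEM bundle that has
# expired at `now`. Works on a server chain file or a client trust file.
def expired_certs(pem_text, now = Time.now)
  pem_text.scan(PEM_CERT)
          .map { |pem| OpenSSL::X509::Certificate.new(pem) }
          .select { |cert| cert.not_after < now }
          .map { |cert| [cert.subject.to_s, cert.not_after.utc] }
end

# Constructed sample data: a throwaway self-signed certificate.
def sample_cert(common_name, not_before, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
end

# Constructed bundle: one intermediate that expired an hour ago, one still valid.
def sample_bundle(now)
  day = 24 * 3600
  [
    sample_cert("Constructed Expired Intermediate", now - 365 * day, now - 3600),
    sample_cert("Constructed Valid Intermediate", now - 365 * day, now + 365 * day)
  ].map(&:to_pem).join
end

if __FILE__ == $PROGRAM_NAME
  # With no argument, scan the trust file Ruby's OpenSSL bindings default to.
  path = ARGV[0] || OpenSSL::X509::DEFAULT_CERT_FILE
  pem = File.exist?(path) ? File.binread(path) : sample_bundle(Time.now)
  expired_certs(pem).each { |subject, at| puts "EXPIRED #{at} #{subject}" }
end
```

Pass the path of a chain or trust file as the first argument to scan that file instead.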
