JRuby + bundler + Wildcard SSL cert #4094
Comments
Explicitly added the CA cert retrieved by querying the server directly and still the same error.
With some additional debugging via
Again, my suspicion is that the issue is related to how the Java SSL negotiation handles wildcard certs / how Apache responds when serving a host with a wildcard cert. lightbody/browsermob-proxy#117 is another project that seemed to have the same issue, along with some kind of fallback. I'll investigate if there's anything I can do server-side in the meantime, but this seems like a problem with more than just my site(s).
Ok, to add some more info to this long issue, after reading a bit and some experimenting, it seems that part of the issue is with my Apache configuration. I made some assumptions about wildcard certs, default vhosts, and CNAMEs that, while they work for actual OpenSSL hosts, behave differently for Java clients. By adding the CNAME to the server aliases, I was able to move on to a different (but still SSL-related and unique to Java / JRuby) error:
Before reading the massive trace, this email thread seems to have the exact same issue at a pure-Java level with a proposed workaround (not sure if it is relevant):
And another example on a pure-Java level: https://community.oracle.com/thread/3803053
Here's the relevant part of the error:
Here's the full stack trace (only the 4th retry shown):
Tried with 9.1.4.0 just to test. Here is a very simple test that demonstrates the problem:
Environment
Provide at least:
Nothing special in JRUBY_OPTS, though I did have to create a Java keystore for SSL, so I set
export SSL_CERT_FILE=~/.keystore
where the keystore was created from the system cacerts.pem file (from curl). Without this, I got a different error of OpenSSL::X509::StoreError: setting default path failed: Invalid keystore format
Other relevant info you may wish to add:
bundle install to install gems. Gemfile is pretty standard, though I'm including one gem from a private host behind an Apache SSL proxy. This proxy has a wildcard cert which triggers Java to occasionally throw SNI-related exceptions. For other Java apps, I've added -Djsse.enableSNIExtension=false, though adding this either using -J or JRUBY_OPTS only yields yet a different exception related to SSL. Will post that exception if necessary / helpful.
Expected Behavior
bundle install behaves the same as using ruby-2.3.1 and works appropriately.
Actual Behavior
The cert works fine with curl and openssl s_client.