Need help with jruby openssl errors #141

Closed
atheiman opened this issue Sep 22, 2017 · 8 comments
Comments


atheiman commented Sep 22, 2017

I've been doing some work on the ruby_build Chef cookbook and am having trouble with OpenSSL on jruby-9.1.13.0 on CentOS 6, 7, and Fedora latest.

JRuby seems to install just fine but not have a CA bundle? Basically, my failing test checks the following:

/usr/local/ruby/jruby-9.1.13.0/bin/ruby -rnet/http -e "Net::HTTP.get(URI('https://google.com'))"
exit_status should eq 0

If I run that on an instance, I get an error like:

irb(main):003:0> Net::HTTP.get(URI('https://google.com'))
OpenSSL::SSL::SSLError: certificate verify failed
	from org/jruby/ext/openssl/SSLSocket.java:227:in `connect_nonblock'
	from /usr/local/ruby/jruby-9.1.7.0/lib/ruby/stdlib/net/http.rb:938:in `connect'
	from /usr/local/ruby/jruby-9.1.7.0/lib/ruby/stdlib/net/http.rb:868:in `do_start'
	from /usr/local/ruby/jruby-9.1.7.0/lib/ruby/stdlib/net/http.rb:857:in `start'
	from /usr/local/ruby/jruby-9.1.7.0/lib/ruby/stdlib/net/http.rb:585:in `start'
	from /usr/local/ruby/jruby-9.1.7.0/lib/ruby/stdlib/net/http.rb:480:in `get_response'
	from /usr/local/ruby/jruby-9.1.7.0/lib/ruby/stdlib/net/http.rb:457:in `get'
	from (irb):3:in `<eval>'
	from org/jruby/RubyKernel.java:1000:in `eval'
	from org/jruby/RubyKernel.java:1298:in `loop'
	from org/jruby/RubyKernel.java:1120:in `catch'
	from org/jruby/RubyKernel.java:1120:in `catch'
	from /usr/local/ruby/jruby-9.1.7.0/bin/jirb:13:in `<main>'

Also, OpenSSL::X509::DEFAULT_CERT_FILE is nil when I launch jirb and require 'openssl', even if I export SSL_CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt.

I'm just looking for any way to make this test pass, but ideally the user shouldn't have to run a command before Ruby to make OpenSSL work.




atheiman commented Sep 22, 2017

Maybe I should try Java 7:
docker-library/official-images#391 (comment)

Edit: Java 7 didn't help.

@splattael

Hi,

We can reproduce @atheiman's error as well:

$ ruby -rnet/http -e 'p Net::HTTP.get_print(URI.parse("https://google.com/"))'
OpenSSL::SSL::SSLError: certificate verify failed
  connect_nonblock at org/jruby/ext/openssl/SSLSocket.java:228
           connect at /home/panadrwc/.rvm/rubies/jruby-9.1.13.0/lib/ruby/stdlib/net/http.rb:938
          do_start at /home/panadrwc/.rvm/rubies/jruby-9.1.13.0/lib/ruby/stdlib/net/http.rb:868
             start at /home/panadrwc/.rvm/rubies/jruby-9.1.13.0/lib/ruby/stdlib/net/http.rb:857
             start at /home/panadrwc/.rvm/rubies/jruby-9.1.13.0/lib/ruby/stdlib/net/http.rb:585
      get_response at /home/panadrwc/.rvm/rubies/jruby-9.1.13.0/lib/ruby/stdlib/net/http.rb:480
         get_print at /home/panadrwc/.rvm/rubies/jruby-9.1.13.0/lib/ruby/stdlib/net/http.rb:438
            <main> at -e:1

JRuby

jruby 9.1.13.0 (2.3.3) 2017-09-06 8e1c115 Java HotSpot(TM) 64-Bit Server VM 25.112-b15 on 1.8.0_112-b15 +jit [linux-x86_64]

Java

java version "1.8.0_112"
Java(TM) SE Runtime Environment (build 1.8.0_112-b15)
Java HotSpot(TM) 64-Bit Server VM (build 25.112-b15, mixed mode)

OS

$ cat /etc/centos-release
CentOS Linux release 7.4.1708 (Core) 

Note: It works on CentOS Linux release 7.3.1611 (Core)


splattael commented Sep 27, 2017

It seems that the CentOS upgrade lost some certificates in /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem. Downgrading/restoring this bundle helped...

I wonder why it works on MRI but not on JRuby... Shouldn't they both use the same bundle file?

Edit: Fixed file name. Thanks @wakkowarner!


wakkowarner commented Sep 27, 2017

/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem dropped some SHA1 certificates. But I can't reproduce it with curl --cacert with the newer certificate file...

@atheiman

A little more info here: I was just able to get this to work with a different URL.

letsencrypt.org uses Issuer: C=US, O=IdenTrust, OU=TrustID Server, CN=TrustID Server CA A52

www.google.com uses Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2

So yes, it does seem like there is a change in the certs provided by the CA bundle.

[root@dokken ~]# /usr/local/ruby/jruby-9.1.13.0/bin/ruby -rnet/http -e "Net::HTTP.get(URI('https://www.google.com/'))"
OpenSSL::SSL::SSLError: certificate verify failed
  connect_nonblock at org/jruby/ext/openssl/SSLSocket.java:228
           connect at /usr/local/ruby/jruby-9.1.13.0/lib/ruby/stdlib/net/http.rb:938
          do_start at /usr/local/ruby/jruby-9.1.13.0/lib/ruby/stdlib/net/http.rb:868
             start at /usr/local/ruby/jruby-9.1.13.0/lib/ruby/stdlib/net/http.rb:857
             start at /usr/local/ruby/jruby-9.1.13.0/lib/ruby/stdlib/net/http.rb:585
      get_response at /usr/local/ruby/jruby-9.1.13.0/lib/ruby/stdlib/net/http.rb:480
               get at /usr/local/ruby/jruby-9.1.13.0/lib/ruby/stdlib/net/http.rb:457
            <main> at -e:1
[root@dokken ~]# /usr/local/ruby/jruby-9.1.13.0/bin/ruby -rnet/http -e "Net::HTTP.get(URI('https://letsencrypt.org/'))"
[root@dokken ~]# echo $?
0

https://gist.github.com/atheiman/d044bccb4744309a02886bc6190c4ee0

@wakkowarner

It's the 1024-bit Equifax Secure CA certificate that was removed from the CA bundle that's causing the problem. Google's GeoTrust certificates are cross-signed with that old Equifax cert. See https://www.mail-archive.com/openssl-dev@openssl.org/msg38674.html for an explanation.
It looks like JRuby is not stopping validation at the GeoTrust certificate but is, unnecessarily, trying to validate against the Equifax root as well.
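
As an added illustration of the cross-signing situation described above (this is not code from the thread or from jruby-openssl): a constructed toy PKI in which the new root is both self-signed and cross-signed by an old root, verified with Ruby's OpenSSL::X509::Store against a bundle that still has the old root and one where it was dropped. All certificate names and keys are made up.

```ruby
require "openssl"

# Constructed toy PKI: OLD_ROOT stands in for the retired Equifax root, NEW_ROOT
# for GeoTrust Global CA (self-signed in the bundle, and also cross-signed by
# OLD_ROOT), LEAF for the server certificate. Nothing here is real CA material.
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509 v3
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

OLD_KEY, NEW_KEY, LEAF_KEY = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
OLD_ROOT = make_cert("/O=Toy Equifax/CN=Old Root", OLD_KEY, ca: true)
NEW_ROOT = make_cert("/O=Toy GeoTrust/CN=New Root", NEW_KEY, ca: true)
# Same subject and key as NEW_ROOT, but issued by OLD_ROOT: the cross-sign that
# servers send so clients trusting only the old root can still build a chain.
CROSS = make_cert("/O=Toy GeoTrust/CN=New Root", NEW_KEY,
                  issuer_cert: OLD_ROOT, issuer_key: OLD_KEY, ca: true)
LEAF = make_cert("/CN=www.example.test", LEAF_KEY,
                 issuer_cert: NEW_ROOT, issuer_key: NEW_KEY)

# Verify LEAF the way a TLS client does: `untrusted` is what the server sends
# alongside the leaf, `trusted` is what the OS CA bundle holds.
# Returns [ok, error_string_or_nil].
def verify_chain(trusted, untrusted)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, LEAF, untrusted)
  ok = ctx.verify
  [ok, ok ? nil : ctx.error_string]
end

# Bundle that still carries the old root (the CentOS 7.3 situation).
WITH_OLD_ROOT = verify_chain([OLD_ROOT, NEW_ROOT], [CROSS])
# Bundle with the old root dropped (CentOS 7.4): a verifier that accepts NEW_ROOT
# as the trust anchor succeeds, as MRI's OpenSSL does; one that insists on
# following CROSS up to the missing OLD_ROOT fails, the behaviour seen on JRuby.
NEW_ROOT_ONLY = verify_chain([NEW_ROOT], [CROSS])
# Nothing in the store at all: no anchor can be found.
EMPTY_STORE = verify_chain([], [CROSS])
```

Under MRI the second case succeeds because OpenSSL's chain builder finds NEW_ROOT in the store and stops there instead of walking the cross-sign; the third case shows the "certificate verify failed" outcome you get when no trust anchor for the chain exists.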

@andreaseger

Can anyone with knowledge about the insides of jruby-openssl have a look at this and make it work similarly to standard OpenSSL?
This is causing quite some issues for us but we do not have the inside knowledge about openssl/jruby-openssl to provide a fix ourselves.


kares commented Apr 10, 2021

Closing as it's been confirmed to be a system CA issue.

@kares kares closed this as completed Apr 10, 2021