faye / faye-websocket-ruby

Standards-compliant WebSocket client and server

Trouble verifying Let's Encrypt Long Chain? #137

Closed margueritepd closed 1 year ago

margueritepd commented 1 year ago

Hi there, I am not terribly experienced in websockets, eventmachine or SSL so there is a good chance this ticket is misfiled. I hope I don't waste too much of anyone's time.

It seems as though this library is unable to verify Let's Encrypt certificates when the so-called "long chain" is provided by the server. ("Short" vs "Long" chain is described here: https://community.letsencrypt.org/t/long-default-and-short-alternate-certificate-chains-explained/162526 . The Long Chain includes an expired root certificate, but according to Let's Encrypt, the chain should still validate on modern systems, because the next cert in the chain is often itself installed as a CA.)

I am coming across this because recently Slack changed something with their certificate chain as described here. My hypothesis is that they just began serving the Let's Encrypt long chain.

I have validated it with a program like this:

```ruby
require 'faye/websocket'
require 'eventmachine'

EM.run {
  url = ARGV[0]

  ws = Faye::WebSocket::Client.new(url, [],
    :tls => { verify_peer: true }
  )

  ws.onerror = lambda do |error|
    p [:error, error.message]
  end

  ws.onclose = lambda do |close|
    p [:close, close.code, close.reason]
    EM.stop
  end

  ws.on :open do |event|
    p [:open, ws.headers]
    ws.send('mic check')
  end
}
```

Here are some sample CLI runs:

```
$ bundle exec ruby event.rb wss://wss-primary.slack.com
[:error, "Network error: wss://wss-primary.slack.com: Unable to verify the server certificate for 'wss-primary.slack.com'"]
[:close, 1006, ""]
$ bundle exec ruby event.rb wss://demo.piesocket.com   # also serves the long chain
[:error, "Network error: wss://demo.piesocket.com: Unable to verify the server certificate for 'demo.piesocket.com'"]
[:close, 1006, ""]
$ bundle exec ruby event.rb "wss://www.bitmex.com/realtime"  # uses a cloudflare certificate
[:open, {"date"=>"Mon, 20 Mar 2023 22:31:17 GMT", "connection"=>"upgrade", "set-cookie"=>"AWSALBTG=jbgx0BHIvnb3/frr7v4teZFxJmnXj8yxXkSXBLPXB9kVj49n8Tb3omS6BIU5h2kYZfu22YoojJzeoXW5MfE/8eq3lb1zhMqzNCH86MzEG//veAKq34JwA41h51fcXn3+tUq4HrNMWMUQNoAHDQ5d5u+eWeRM8uCs1headsMATtve; Expires=Mon, 27 Mar 2023 22:31:17 GMT; Path=/, AWSALBTGCORS=jbgx0BHIvnb3/frr7v4teZFxJmnXj8yxXkSXBLPXB9kVj49n8Tb3omS6BIU5h2kYZfu22YoojJzeoXW5MfE/8eq3lb1zhMqzNCH86MzEG//veAKq34JwA41h51fcXn3+tUq4HrNMWMUQNoAHDQ5d5u+eWeRM8uCs1headsMATtve; Expires=Mon, 27 Mar 2023 22:31:17 GMT; Path=/; SameSite=None; Secure, __cf_bm=s70OutM9nBcbwqE53z8VzRiJuauIodAGlK5P0qd6Iow-1679351477-0-AXHZXDi3fwCsXWvuIeO+Lb+V8YyrOBMVwRFBxPkrSkL6QazNDy0jHp/B1TOxmVvhZnZVZE/n3Kb4bmq2+NI/RL4=; path=/; expires=Mon, 20-Mar-23 23:01:17 GMT; domain=.bitmex.com; HttpOnly; Secure", "upgrade"=>"websocket", "sec-websocket-accept"=>"SNcq0BTl8QFbBtWyB/RfgswadcA=", "sec-websocket-version"=>"13", "websocket-server"=>"uWebSockets", "cf-cache-status"=>"DYNAMIC", "server"=>"cloudflare", "cf-ray"=>"7ab1678e380ca214-YYZ", "alt-svc"=>"h3=\":443\"; ma=86400, h3-29=\":443\"; ma=86400"}]
```

When I inspect the certificate chain of the failing runs, here's what I end up with:

cert chain for demo.piesocket.com

```
not_before=2021-01-20 19:14:03 UTC, not_after=2024-09-30 18:14:03 UTC
not_before=2020-09-04 00:00:00 UTC, not_after=2025-09-15 16:00:00 UTC
not_before=2023-02-27 02:18:05 UTC, not_after=2023-05-28 02:18:04 UTC
```

cert chain for wss-primary.slack.com

```
not_before=2021-01-20 19:14:03 UTC, not_after=2024-09-30 18:14:03 UTC
not_before=2020-09-04 00:00:00 UTC, not_after=2025-09-15 16:00:00 UTC
not_before=2023-03-14 05:17:13 UTC, not_after=2023-06-12 05:17:12 UTC
```

As you can see the failing servers are serving the same certificate chain.

I don't know of a websocket endpoint serving the Let's Encrypt short chain to be able to compare.

Wondering if you are able to reproduce and if you have any more insight into the matter.

Thank you!
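
The long-chain behaviour described in this report, as an added example (not code from the issue, from faye-websocket or from the linked commit): a constructed in-memory PKI whose served chain ends in a cross-sign issued by an expired root that is absent from the trust store, checked with two verification strategies. All names here (`issue`, `build_pki`, `trust_store`, `top_down_trusted?`, `path_trusted?`, the CNs) are hypothetical, and it assumes Ruby's `openssl` linked against OpenSSL 1.1.0 or later, where trusted-first path building is the default.

```ruby
require 'openssl'

# Constructed test PKI, generated in memory: none of these names or keys is a real CA.
def issue(cn, key, issuer_cert, issuer_key, ca:, not_after: Time.now + 3600)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..2**32)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 2 * 86_400
  cert.not_after  = not_after
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

def build_pki
  k = Hash.new { |h, name| h[name] = OpenSSL::PKey::RSA.new(2048) }
  old_root = issue('Old Root', k[:old], nil, k[:old], ca: true, not_after: Time.now - 86_400) # expired
  new_root = issue('New Root', k[:new], nil, k[:new], ca: true)       # self-signed, in the trust store
  cross    = issue('New Root', k[:new], old_root, k[:old], ca: true)  # same key, signed by the old root
  inter    = issue('Intermediate', k[:int], new_root, k[:new], ca: true)
  leaf     = issue('ws.example.test', k[:leaf], inter, k[:int], ca: false)
  { roots: [new_root], short: [leaf, inter], long: [leaf, inter, cross] }
end

def trust_store(roots)
  roots.each_with_object(OpenSSL::X509::Store.new) { |root, store| store.add_cert(root) }
end

# Strategy A: walk the served chain from its top, requiring each certificate to verify
# against the roots plus whatever has already been accepted.
def top_down_trusted?(roots, chain)
  store = trust_store(roots)
  chain.reverse.all? { |cert| store.verify(cert) && store.add_cert(cert) }
end

# Strategy B: hand the leaf to OpenSSL with the rest as untrusted helpers and let it
# build a path; it stops at the first trusted anchor and never needs the cross-sign.
def path_trusted?(roots, chain)
  leaf, *helpers = chain
  trust_store(roots).verify(leaf, helpers)
end

if $PROGRAM_NAME == __FILE__
  pki = build_pki
  %i[short long].each { |c| puts "#{c}: top-down=#{top_down_trusted?(pki[:roots], pki[c])} path=#{path_trusted?(pki[:roots], pki[c])}" }
end
```

Run on its own, it reports that the short chain passes both strategies while the long chain passes only path building, because the topmost served certificate has no issuer in the trust store.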

jcoglan commented 1 year ago

Thanks for the thorough diagnostic information here. I believe that https://github.com/faye/faye-websocket-ruby/commit/d9428fae72240bfa8b98627a0414524814b92f22 fixes this problem, could you confirm?

margueritepd commented 1 year ago

Ooo thank you so much! Preliminary testing is indicating this is working. I will report back when I try this fix on our main tool that has been broken these last few days.

margueritepd commented 1 year ago

This looks to be working! Thank you so much!!!

jcoglan commented 1 year ago

Thanks for testing, this has now been released in version 0.11.2.