Open sachingade20 opened 2 years ago
@sachingade20 do you have ISRG Root X1 in your trust store?
Yes, with OpenSSL version 1.1.1d and ca-certificates I already have X1 in my trust store, and it still fails. It works for the ruby Docker images but fails only for the jruby Docker images; something related to jruby-openssl, but I'm not sure.
Experiencing a similar issue. Getting bundle install failures for some gem hosts that are affected by the expired root cert. I think rebuilding this image will solve the problem, since it was built before the expiry happened.
It comes from here, and the intermediate CA DST_Root_CA_X3.pem has been expired since September 3:
https://github.com/jruby/jruby-openssl/issues/236
Adding the new jruby-openssl version:

```sh
gem install jruby-openssl --version 0.11.0.cr1
```

This snippet works:

```ruby
require 'openssl'
# Prints the jruby-openssl version only when running under JRuby
puts JOpenSSL::VERSION if defined? JRUBY_VERSION
require 'net/http'
# A Net::HTTPOK response means the Let's Encrypt chain was verified
puts Net::HTTP.get_response(URI('https://helloworld.letsencrypt.org'))
```
I think the next version of JRuby will fix this, as jruby-openssl is a dependency. In this jruby-openssl patch they are trusting the top-level CA.
I think this is fixed in more recent images since we have updated jruby-openssl. Could someone confirm this?
I tested using the JDK11 Dockerfile and received the following (using the same test as above):

```
❯ docker exec -it 442451cc5b65c514abf2277be7434570ffc7b6eccbd7e26028bdaa07a640a258 /bin/sh
# ruby -v
jruby 9.3.4.0 (2.6.8) 2022-03-23 eff48c1ebf OpenJDK 64-Bit Server VM 11.0.14.1+1 on 11.0.14.1+1 +jit [aarch64-linux]
irb(main):001:0> require 'openssl'
irb(main):002:0> puts JOpenSSL::VERSION if defined? JRUBY_VERSION
0.12.2
irb(main):003:0> require 'net/http'
irb(main):004:0> puts Net::HTTP.get_response(URI('https://helloworld.letsencrypt.org'))
#<Net::HTTPOK:0x71d0b8a4>
```
I tried the same on my M1 MacBook using 9.3.4.0 installed via rvm and got the same result:

```
❯ ruby -v
jruby 9.3.4.0 (2.6.8) 2022-03-23 eff48c1ebf OpenJDK 64-Bit Server VM 11.0.14.1+1-LTS on 11.0.14.1+1-LTS +jit [arm64-darwin]
```
We are getting the below issue when doing bundle install with jruby today, since the root CA is expired. https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ https://community.letsencrypt.org/t/help-thread-for-dst-root-ca-x3-expiration-september-2021/149190

```
There is a chance you are experiencing a man-in-the-middle attack, but most likely your system doesn't have the CA certificates needed for verification. For information about OpenSSL certificates, see http://bit.ly/ruby-ssl. To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.
```

So basically it doesn't trust the first cert it finds in the chain even though it is in the keystore. DST Root CA X3 is not there, just like in the OS store. If we add it to the key store, we are getting the below error. I have tested against the latest jruby Docker image as well; still the same.
Can you please help with how to resolve this?
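The chain-building behaviour the thread is arguing about, reproduced offline as an added example (this is not code from the thread, from jruby-openssl or from Let's Encrypt). It builds a miniature copy of the Let's Encrypt layout with constructed keys, names and dates: a valid self-signed root standing in for ISRG Root X1, an expired self-signed root standing in for DST Root CA X3, a cross-signed copy of the new root issued by the expired one, and a leaf. The server-sent chain is always leaf + cross-sign; only the trust store differs. It uses CRuby's OpenSSL bindings, so it shows what OpenSSL 1.1.0+ does (trusted-first chain building, which is the "trust the top-level CA" behaviour one comment attributes to the jruby-openssl patch): having the new root in the store is enough, an expired root in the store alongside it is harmless, and a store that holds only the expired root fails with "certificate has expired". On a jruby-openssl version without that patch the first case is the one that fails.

```ruby
require 'openssl'

NOW = Time.now
DAY = 24 * 60 * 60

# Build a signed X.509v3 certificate. With issuer_cert nil it is self-signed.
def make_cert(subject:, key:, serial:, not_before:, not_after:,
              issuer_cert: nil, issuer_key: nil, ca: true)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed key material; names are stand-ins, not the real CA names.
NEW_ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
OLD_ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY     = OpenSSL::PKey::RSA.new(2048)
NEW_ROOT_DN  = '/O=Example/CN=New Root (ISRG Root X1 stand-in)'
OLD_ROOT_DN  = '/O=Example/CN=Old Root (DST Root CA X3 stand-in)'

# Expired self-signed root (expired yesterday).
OLD_ROOT = make_cert(subject: OLD_ROOT_DN, key: OLD_ROOT_KEY, serial: 1,
                     not_before: NOW - 3650 * DAY, not_after: NOW - DAY)
# Current self-signed root.
NEW_ROOT = make_cert(subject: NEW_ROOT_DN, key: NEW_ROOT_KEY, serial: 2,
                     not_before: NOW - 365 * DAY, not_after: NOW + 3650 * DAY)
# Cross-sign: same subject and key as NEW_ROOT, but issued by the expired OLD_ROOT.
# Its own validity dates are fine; only its issuer has expired.
CROSS = make_cert(subject: NEW_ROOT_DN, key: NEW_ROOT_KEY, serial: 3,
                  not_before: NOW - 365 * DAY, not_after: NOW + 365 * DAY,
                  issuer_cert: OLD_ROOT, issuer_key: OLD_ROOT_KEY)
# Leaf issued under the new root's name and key.
LEAF = make_cert(subject: '/CN=helloworld.example', key: LEAF_KEY, serial: 4,
                 not_before: NOW - DAY, not_after: NOW + 60 * DAY,
                 issuer_cert: NEW_ROOT, issuer_key: NEW_ROOT_KEY, ca: false)

# Verify leaf against a trust store holding `trusted`, with `untrusted` as the
# chain the server sent. Returns the verdict, OpenSSL's error and the chain built.
def verify_chain(trusted, leaf, untrusted)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, untrusted)
  { ok: ok, error: store.error, error_string: store.error_string,
    chain: (store.chain || []).map { |c| c.subject.to_s } }
end

# The server always sends leaf + cross-sign; only the client's trust store differs.
SCENARIOS = {
  new_root_only: verify_chain([NEW_ROOT], LEAF, [CROSS]),
  old_root_only: verify_chain([OLD_ROOT], LEAF, [CROSS]),
  both_roots:    verify_chain([NEW_ROOT, OLD_ROOT], LEAF, [CROSS]),
}

SCENARIOS.each do |name, r|
  puts "#{name}: ok=#{r[:ok]} error=#{r[:error_string]} chain=#{r[:chain].inspect}"
end
```

With the new root trusted, OpenSSL stops at the store entry whose subject matches the leaf's issuer and never looks at the cross-sign, so the built chain has two certificates and the expired root is irrelevant. With only the expired root trusted, the only chain it can complete runs through the cross-sign to the expired anchor, and the verdict is `V_ERR_CERT_HAS_EXPIRED`, which is the condition bundler's "certificate verify failed" message in the last comment is reporting. To check a real trust store rather than this constructed one, replace the `add_cert` calls with `store.set_default_paths`.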