search

jruby / jruby-openssl

JRuby's OpenSSL gem
http://www.jruby.org
Other
47 stars 80 forks source link

Certificate verify failed on GET #229

Closed nonlandi closed 3 years ago

nonlandi commented 3 years ago

We are having issues with certificate verification on calls to storage.yandexcloud.net when using the :net_http adapter. We are forced to use this adapter for other reasons in our implementation.

To reproduce:

require 'faraday'

Faraday.default_adapter = :net_http
Faraday.get "https://storage.yandexcloud.net"

Things we've tried: (1) Verified that our request works with VERIFY_NONE option (2) Verified that the request works with Faraday.default_adapter set to :manticore (in an older Faraday version, which still supported :manticore) (3) Tried to upgrade Bouncy Castle to 1.68 and tried to build jruby-openssl ourselves to possibly include updated root certificates shipped with BC (4) Had no success with specifying the CA certificate bundle using options SSL_CERT_DIR / SSL_CERT_FILE (5) Also happens with JRuby 9.2.16.0

Ubuntu vs. MacOS We can SUCCESSFULLY issue the request with above code when running on MacOS. My machine (as well as our servers) are running Ubuntu.

Some details of the error might be hinted at, by using the doctor.rb script posted in this blog article: https://mislav.net/2013/07/ruby-openssl/ https://github.com/mislav/ssl-tools/blob/master/doctor.rb

bundle exec ruby ./doctor.rb storage.yandexcloud.net
/home/mala/.rbenv/versions/jruby-9.2.14.0/bin/jruby (2.5.7)
JRuby-OpenSSL 0.10.5: /etc/ssl
SSL_CERT_DIR="/etc/ssl/certs"
SSL_CERT_FILE=""

HEAD https://storage.yandexcloud.net:443
opening connection to storage.yandexcloud.net:443...
opened
starting SSL for storage.yandexcloud.net:443...
Conn close because of connect error certificate verify failed
OpenSSL::SSL::SSLError: certificate verify failed

The server presented a certificate that could not be verified:
  subject: /C=PL/O=Unizeto Technologies S.A./OU=Certum Certification Authority/CN=Certum Trusted Network CA
  issuer: /C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
  error code 20: unable to get local issuer certificate
kares commented 3 years ago

We can SUCCESSFULLY issue the request with above code when running on MacOS.

This should confirm the issue is environment specific - usually the Java CA certificates are different on the host. To fully understand what might be missing you should attempt to debug the certificate chain (e.g. using the -J-Djavax.net.debug=all system property).

kares commented 3 years ago

for the record here's JRuby 9.2.19.0 (w jruby-openssl 0.10.7) ruby -v doctor.rb storage.yandexcloud.net :

jruby 9.2.19.0 (2.5.8) 2021-06-15 55810c552b OpenJDK 64-Bit Server VM 11.0.6+10 on 11.0.6+10 +jit [linux-x86_64]
/opt/local/rvm/rubies/jruby-9.2.19.0/bin/jruby (2.5.8)
JRuby-OpenSSL 0.10.7: /etc/ssl
SSL_CERT_DIR=""
SSL_CERT_FILE=""

HEAD https://storage.yandexcloud.net:443
OK

... yandexcloud might have changed the certificates in the mean time - that's why I was asking for debug output.

Also, please give this a go by updating jruby-openssl to (>=) 0.11.0 and if the issue persist share the outcome.