mileszs / wicked_pdf

PDF generator (from HTML) plugin for Ruby on Rails
http://www.mileszs.com/wicked-pdf-plugin
MIT License
3.54k stars 645 forks

ActionView::Template::Error: SSL_connect returned=1 errno=0 state=error: certificate verify failed #989

Open jpmermoz opened 3 years ago

jpmermoz commented 3 years ago

Issue description

Hi there,

Since the R3 expired certificate from September 30th, my Wickedpdf stopped working. It seems I cannot call wicked_pdf_stylesheet_link_tag, due to a certificate error.

Here is the stacktrace:

```
ActionView::Template::Error: SSL_connect returned=1 errno=0 state=error: certificate verify failed
from /usr/local/rvm/rubies/ruby-2.3.6/lib/ruby/2.3.0/net/protocol.rb:44:in `connect_nonblock'
from /usr/local/rvm/rubies/ruby-2.3.6/lib/ruby/2.3.0/net/protocol.rb:44:in `ssl_socket_connect'
from /usr/local/rvm/rubies/ruby-2.3.6/lib/ruby/2.3.0/net/http.rb:928:in `connect'
from /usr/local/rvm/rubies/ruby-2.3.6/lib/ruby/2.3.0/net/http.rb:863:in `do_start'
from /usr/local/rvm/rubies/ruby-2.3.6/lib/ruby/2.3.0/net/http.rb:852:in `start'
from /usr/local/rvm/rubies/ruby-2.3.6/lib/ruby/2.3.0/net/http.rb:584:in `start'
from /usr/local/rvm/rubies/ruby-2.3.6/lib/ruby/2.3.0/net/http.rb:479:in `get_response'
from /usr/local/rvm/rubies/ruby-2.3.6/lib/ruby/2.3.0/net/http.rb:456:in `get'
from /usr/local/rvm/gems/ruby-2.3.6/gems/wicked_pdf-2.1.0/lib/wicked_pdf/wicked_pdf_helper/assets.rb:159:in `read_from_uri'
from /usr/local/rvm/gems/ruby-2.3.6/gems/wicked_pdf-2.1.0/lib/wicked_pdf/wicked_pdf_helper/assets.rb:149:in `read_asset'
from /usr/local/rvm/gems/ruby-2.3.6/gems/wicked_pdf-2.1.0/lib/wicked_pdf/wicked_pdf_helper/assets.rb:20:in `block in wicked_pdf_stylesheet_link_tag'
from /usr/local/rvm/gems/ruby-2.3.6/gems/wicked_pdf-2.1.0/lib/wicked_pdf/wicked_pdf_helper/assets.rb:18:in `collect'
from /usr/local/rvm/gems/ruby-2.3.6/gems/wicked_pdf-2.1.0/lib/wicked_pdf/wicked_pdf_helper/assets.rb:18:in `wicked_pdf_stylesheet_link_tag'
from /home/app/app/views/layouts/pdf.html.erb:5:in `_app_views_layouts_pdf_html_erb__4356050262088495231_58899600'
from /usr/local/rvm/gems/ruby-2.3.6/gems/actionview-4.2.0/lib/action_view/template.rb:145:in `block in render'
from /usr/local/rvm/gems/ruby-2.3.6/gems/activesupport-4.2.0/lib/active_support/notifications.rb:166:in `instrument'
```

Expected or desired behavior

Not getting any certificate errors.

System specifications

Ubuntu 16.04 Docker image: phusion/passenger-ruby23:0.9.29

wicked_pdf gem version (output of cat Gemfile.lock | grep wicked_pdf):

wicked_pdf (2.1.0)

wkhtmltopdf version (output of wkhtmltopdf --version):

wkhtmltopdf provider gem and version if one is used:

Using gem 'wkhtmltopdf-binary'

platform/distribution and version (e.g. Windows 10 / Ubuntu 16.04 / Heroku cedar):

Ubuntu 16.04

tdutreui commented 3 years ago

Hi, Same problem here @jpmermoz Did you find a workaround?

jpmermoz commented 3 years ago

> Hi, Same problem here @jpmermoz Did you find a workaround?

Yes, I modified the Dockerfile in order to remove the expired certificate:

```
FROM phusion/passenger-ruby23:0.9.29

# Make a backup of your sources.list
RUN mv /etc/apt/sources.list.d /etc/apt/sources.list.d.bak

# Install these 2 packages (refresh the package lists first; -y because a build cannot answer prompts)
RUN apt-get update && apt-get install -y libgnutls30 ca-certificates

# Restore sources.list
RUN mv /etc/apt/sources.list.d.bak /etc/apt/sources.list.d

# Rest of dockerfile
# ....

# Fix R3 expired certificate
RUN rm /etc/ssl/certs/2e5ac55d.0
RUN rm /etc/ssl/certs/12d55845.0
RUN rm /etc/ssl/certs/DST_Root_CA_X3.pem
# Stop update-ca-certificates from re-adding the expired root
RUN sed -i '/mozilla\/DST_Root_CA_X3.crt/d' /etc/ca-certificates.conf
RUN update-ca-certificates
```
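An added example (not part of the original comments, and not wicked_pdf code) that audits a CA bundle for expired trust anchors like the one removed above and shows the verdict OpenSSL gives when such an anchor is used. Both certificates, their names and the helper names are constructed for illustration; the bundle path in the comment is the Debian/Ubuntu default.

```ruby
require "openssl"

# Constructed sample data: a throwaway self-signed CA with a chosen validity window.
def make_ca(cn, not_before, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Split a PEM bundle (e.g. /etc/ssl/certs/ca-certificates.crt) into certificates.
def parse_bundle(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Subjects of every trust anchor in the bundle whose notAfter is in the past.
def expired_anchors(pem, now = Time.now)
  parse_bundle(pem).select { |c| c.not_after < now }.map { |c| c.subject.to_s }
end

# Verify `cert` against a store built from the bundle; return OpenSSL's verdict.
def verify_verdict(cert, pem, now = Time.now)
  store = OpenSSL::X509::Store.new
  parse_bundle(pem).each { |c| store.add_cert(c) }
  store.time = now # pin the clock so the result is reproducible
  store.verify(cert) ? "ok" : store.error_string
end

# Constructed dates: one root already expired at NOW, one still valid.
NOW    = Time.utc(2021, 10, 1)
OLD_CA = make_ca("Constructed Expired Root", Time.utc(2000, 9, 30), Time.utc(2021, 9, 30))
NEW_CA = make_ca("Constructed Valid Root", Time.utc(2015, 6, 4), Time.utc(2035, 6, 4))
BUNDLE = OLD_CA.to_pem + NEW_CA.to_pem

if __FILE__ == $PROGRAM_NAME
  puts expired_anchors(BUNDLE, NOW)
  puts verify_verdict(OLD_CA, BUNDLE, NOW)
  puts verify_verdict(NEW_CA, BUNDLE, NOW)
end
```

To audit a real host, pass `File.read` of the system bundle to `expired_anchors` and compare the result before and after `update-ca-certificates`.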

tdutreui commented 3 years ago

Thank you @jpmermoz it worked !

unixmonkey commented 3 years ago

Is this expired certificate part of wicked_pdf, wkhtmltopdf, or Ubuntu linux? Which Dockerfile did you edit, one related to deploying your specific application?

jpmermoz commented 3 years ago

> Is this expired certificate part of wicked_pdf, wkhtmltopdf, or Ubuntu linux? Which Dockerfile did you edit, one related to deploying your specific application?

I think the issue is part of Ubuntu 16.04. Right now I'm using this image based on that version of Ubuntu: phusion/passenger-ruby23:0.9.29

tdutreui commented 3 years ago

I'm using Debian 8.9 Jessie and had the issue as well. Worth noting that Ubuntu is based on Debian, though. The issue is part of the system configuration. Managing your certificates is a standard sysadmin maintenance operation.

liuzhenangel commented 3 years ago

> Hi, Same problem here @jpmermoz Did you find a workaround?
>
> Yes, I modified the Dockerfile in order to remove the expired certificate:
>
> ```
> FROM phusion/passenger-ruby23:0.9.29
>
> # Make a backup of your sources.list
> RUN mv /etc/apt/sources.list.d /etc/apt/sources.list.d.bak
>
> # Install these 2 packages (refresh the package lists first; -y because a build cannot answer prompts)
> RUN apt-get update && apt-get install -y libgnutls30 ca-certificates
>
> # Restore sources.list
> RUN mv /etc/apt/sources.list.d.bak /etc/apt/sources.list.d
>
> # Rest of dockerfile
> # ....
>
> # Fix R3 expired certificate
> RUN rm /etc/ssl/certs/2e5ac55d.0
> RUN rm /etc/ssl/certs/12d55845.0
> RUN rm /etc/ssl/certs/DST_Root_CA_X3.pem
> RUN sed -i '/mozilla\/DST_Root_CA_X3.crt/d' /etc/ca-certificates.conf
> RUN update-ca-certificates
> ```

Same problem here, it does not work.

liuzhenangel commented 3 years ago

Exception>>> ActionView::Template::Error: "SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate has expired)"

Backtrace( Application Only, 5 below )>>> app/helpers/wicked_pdf_helper.rb:11:in `pdf_stylesheet_pack_tag'

```
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.1 LTS
Release:        16.04
Codename:       xenial
```

ruby 2.7.2

wicked_pdf (2.1.0)

albertodega commented 3 years ago

Same issue here. There is a strange behaviour in wicked_pdf_stylesheet_link_tag: considering that the asset is locally present (also in the manifest), ActionView::Base.new.wicked_pdf_stylesheet_link_tag "asset_name" works, and returns the actual asset, while wicked_pdf_stylesheet_link_tag "asset_name" raises the stated error. Is it possible that net/http uses a different pem chain still affected by the X3 certificate expiration? And why does the first call work?

gregawoods commented 3 years ago

Hi there. We are experiencing the same issue in one of our apps. We generate a PDF of an invoice and send it out as an email attachment. Recently this has started failing with the error SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (certificate has expired).

The stack trace points to a call to wicked_pdf_stylesheet_link_tag, which if commented out, resolves the problem.

Now here's where things get stranger: This issue only happens when we try to send it over email. We are using WickedPdf.new.pdf_from_string to generate the PDF and attach it.

We also have a view in the app that the user can click on to see the invoice on demand. This method goes through a rails controller and renders out using render pdf:. This view, currently, is working perfectly fine.

I'm completely perplexed as to why one way works and the other doesn't.

unixmonkey commented 3 years ago

@gregawoods

> The stack trace points to a call to wicked_pdf_stylesheet_link_tag, which if commented out, resolves the problem.

Is that specific stylesheet being served from a domain with an expired certificate?

> Now here's where things get stranger: This issue only happens when we try to send it over email. We are using WickedPdf.new.pdf_from_string to generate the PDF and attach it.
>
> I'm completely perplexed as to why one way works and the other doesn't.

Are emails processed and sent from a different server than the app itself is deployed on? Recently the Ubuntu system SSL certs expired. Maybe they got updated on the web servers and not the job servers?

tdutreui commented 3 years ago

Yes it could be something like that. If you use deliver_later, could you try to send your email with deliver_now? The gem is a wrapper to a program that generates the PDF, so maybe in a request context (i.e. in the controller) the asset path is given as a filepath but outside it as an https url?

Regardless of the exact understanding of the bug, the root cause is probably the same as ours: did you check for the certs and config files mentioned by jpmermoz?

gregawoods commented 3 years ago

  1. The stylesheet is local (= wicked_pdf_stylesheet_link_tag 'pdf/application').
  2. Email processing happens on the same server that the application runs on.

> If you use deliver_later, could you try to send your email with deliver_now?

In fact, I don't have to call either delivery method. Simply calling the mailer (e.g. InvoiceMailer.foo(x)) is enough to trigger the error. I can replicate this much in rails console.

Now, this makes some sense when I think about the fact that this is more about email rendering than it is about email delivery itself. Thus I come back to some apparent difference in using pdf_from_string versus render pdf:.

unixmonkey commented 3 years ago

> Now, this makes some sense when I think about the fact that this is more about email rendering than it is about email delivery itself. Thus I come back to some apparent difference in using pdf_from_string versus render pdf:.

They are a little different. pdf_from_string takes render arguments as the second (optional) argument, and assumes the HTML being rendered is already complete.

You might want to compare what you are passing to pdf_from_string vs the HTML you get using render pdf: 'something', show_as_html: true.

Feel free to bundle open the wicked_pdf gem and place debugger breakpoints around also.

gregawoods commented 3 years ago

Ah, I just figured something out. I have set config.action_mailer.asset_host = 'https://my-hostname-here.com' in my production environment.

This, I suspect, is causing = wicked_pdf_stylesheet_link_tag 'pdf/application' to try and pull the css over http rather than treating it like a local file. Interesting!

That at least explains why it was acting different for me.