Open alexskr opened 2 years ago
A similar problem exists in ncbo_cron when an ontology is pulled from a domain which uses a letsencrypt TLS cert.
A temporary fix for the API/ncbo_cron systems is done by overwriting/symlinking the cacert.pem file in the httpclient gem with the system CA cert:
ln -fs /etc/pki/tls/cert.pem $app_path/vendor/bundle/ruby/2.6.0/gems/httpclient-2.8.3/lib/httpclient/cacert.pem
I looked at where the httpclient transitive dependency is coming from in our stack. The ontologies_api project uses an old version of the google-api-client gem (0.10.3 from March of 2017). Upgrading to the latest google-api-client won't help - it still depends on the same version of httpclient, which doesn't appear to be maintained anymore.
The same dependency structure exists in the ncbo_cron project.
Then we should switch to the modern Google Ruby client https://github.com/googleapis/google-cloud-ruby
Seeing the following errors in the UI logs in prod/stage:
The Let's Encrypt DST Root CA X3 cert expired on the same date, which is why the app started to fail. https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/
UI servers run on CentOS 7 and the ca-certificates package is 2021.2.50-72, which includes the updated root cert for letsencrypt, which means that the application is not using the OS root CA but an outdated bundled-in cert somewhere.
A workaround on CentOS 7 is to add
ENV['SSL_CERT_FILE'] = '/etc/pki/tls/cert.pem'
to config/bioportal_config_<env>.rb
However, this is not an ideal solution.
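An added example, not part of the original thread or of the project's code: a Ruby check that lists expired certificates in a CA bundle file, such as a gem's bundled cacert.pem or the system bundle. The helper names and the `sample_cert` builder are assumptions made for illustration.

```ruby
require 'openssl'

# One PEM-encoded certificate inside a bundle file.
PEM_CERT = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m

# Parse every certificate in a PEM bundle and return the ones whose
# notAfter date is already in the past at time `now`.
def expired_certs(pem_text, now = Time.now)
  pem_text.scan(PEM_CERT)
          .map { |pem| OpenSSL::X509::Certificate.new(pem) }
          .select { |cert| cert.not_after < now }
end

# Subjects of the expired certificates found in the bundle at `path`.
def audit_bundle(path, now = Time.now)
  expired_certs(File.read(path), now).map { |cert| cert.subject.to_s }
end

# Constructed sample input: a throwaway self-signed certificate with a
# chosen validity window, so the check can be exercised offline.
def sample_cert(common_name, not_before, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Stand-alone use: pass bundle paths as arguments, for example the gem's
# cacert.pem and the system bundle, and compare the two reports.
if __FILE__ == $PROGRAM_NAME
  ARGV.each do |path|
    expired = audit_bundle(path)
    puts "#{path}: #{expired.length} expired certificate(s)"
    expired.each { |subject| puts "  #{subject}" }
  end
end
```

Running it against both the bundled file and the OS bundle shows which trust store still carries the expired root.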