puppetlabs / puppet-runtime

runtime dependencies for Vanagon projects
Apache License 2.0

(PA-6885) Add DigiCert Global Root CA G2 for puppetlabs.net #890

Closed joshcooper closed 3 months ago

joshcooper commented 3 months ago

rubygems commands started failing on Windows due to a recent infrastructure change, because ruby does not integrate with the Windows trust store. Add the DigiCert cert as we've done in the past.

    $ openssl x509 -in resources/files/rubygems/DigiCertGlobalRootG2.pem -fingerprint -sha256 -noout 
    SHA256 Fingerprint=CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F

Vanagon generic builder https://jenkins-platform.delivery.puppetlabs.net/view/vanagon-generic-builder/job/platform_vanagon-generic-builder_vanagon-packaging_generic-builder/3152/

Following the same commands that we run in CI:

    $ env PATH="/cygdrive/c/Program Files/Puppet Labs/Puppet/puppet/bin:/cygdrive/c/Program Files/Puppet Labs/Puppet/sys/ruby/bin:${PATH}" cmd /c gem source --add https://artifactory.delivery.puppetlabs.net/artifactory/api/gems/rubygems/
    ERROR:  SSL verification error at depth 1: unable to get local issuer certificate (20)
    ERROR:  You must add /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2 to your local trusted store
    Error fetching https://artifactory.delivery.puppetlabs.net/artifactory/api/gems/rubygems/:
        SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) (https://artifactory.delivery.puppetlabs.net/artifactory/api/gems/rubygems/specs.4.8.gz)

    $ cp DigiCertGlobalRootG2.pem /cygdrive/c/Program\ Files/Puppet\ Labs/Puppet/puppet/lib/ruby/2.7.0/rubygems/ssl_certs/puppetlabs.net/.

    $ env PATH="/cygdrive/c/Program Files/Puppet Labs/Puppet/puppet/bin:/cygdrive/c/Program Files/Puppet Labs/Puppet/sys/ruby/bin:${PATH}" cmd /c gem source --add https://artifactory.delivery.puppetlabs.net/artifactory/api/gems/rubygems/
    https://artifactory.delivery.puppetlabs.net/artifactory/api/gems/rubygems/ added to sources

    $ env PATH="/cygdrive/c/Program Files/Puppet Labs/Puppet/puppet/bin:/cygdrive/c/Program Files/Puppet Labs/Puppet/sys/ruby/bin:${PATH}" cmd /c gem source --list
    *** CURRENT SOURCES ***

    https://rubygems.org/
    https://artifactory.delivery.puppetlabs.net/artifactory/api/gems/rubygems/

    $ env PATH="/cygdrive/c/Program Files/Puppet Labs/Puppet/puppet/bin:/cygdrive/c/Program Files/Puppet Labs/Puppet/sys/ruby/bin:${PATH}" cmd /c gem install beaker --verbose
    HEAD https://rubygems.org/api/v1/dependencies
    404 Not Found
    GET https://rubygems.org/prerelease_specs.4.8.gz
    304 Not Modified
    GET https://rubygems.org/specs.4.8.gz
    304 Not Modified
    HEAD https://artifactory.delivery.puppetlabs.net/artifactory/api/gems/rubygems/api/v1/dependencies
    404
    ...

joshcooper commented 3 months ago

Verified this works on Windows:

    C:\ProgramFiles64Folder\PuppetLabs\Puppet\puppet\bin>dir ..\lib\ruby\3.2.0\rubygems\ssl_certs\puppetlabs.net
     Volume in drive C is Windows
     Volume Serial Number is 60DE-2A91

     Directory of C:\ProgramFiles64Folder\PuppetLabs\Puppet\puppet\lib\ruby\3.2.0\rubygems\ssl_certs\puppetlabs.net

    08/07/2024  08:07 AM    <DIR>          .
    08/07/2024  08:07 AM    <DIR>          ..
    08/07/2024  07:37 AM             2,094 COMODO_RSA_Certification_Authority.pem
    08/07/2024  07:37 AM             1,294 DigiCertGlobalRootG2.pem
    08/07/2024  07:37 AM             1,229 GlobalSignRootCA_R3.pem
                   3 File(s)          4,617 bytes
                   2 Dir(s)  49,134,399,488 bytes free

    C:\ProgramFiles64Folder\PuppetLabs\Puppet\puppet\bin>gem source --add https://artifactory.delivery.puppetlabs.net/artifactory/api/gems/rubygems/
    https://artifactory.delivery.puppetlabs.net/artifactory/api/gems/rubygems/ added to sources
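
The `openssl x509 -fingerprint -sha256` check from the pull request description, extended to every PEM file in an `ssl_certs` directory, as an added example that is not part of the pull request or the puppet-runtime code base. The helper names, file names and the throwaway self-signed certificates are constructed for the demonstration.

```ruby
require 'openssl'
require 'tmpdir'

# SHA-256 over the DER encoding, formatted like `openssl x509 -fingerprint -sha256`.
def sha256_fingerprint(pem)
  der = OpenSSL::X509::Certificate.new(pem).to_der
  OpenSSL::Digest::SHA256.new.hexdigest(der).upcase.scan(/../).join(':')
end

# Audit *.pem files in dir against pinned ({name => fingerprint}); returns {name => status}.
def audit_cert_dir(dir, pinned)
  Dir.glob(File.join(dir, '*.pem')).sort.map do |path|
    name = File.basename(path)
    status = begin
      actual = sha256_fingerprint(File.read(path))
      if !pinned.key?(name) then :unpinned        # shipped but never reviewed
      elsif pinned[name].casecmp?(actual) then :ok
      else :mismatch                              # content differs from the reviewed cert
      end
    rescue OpenSSL::X509::CertificateError
      :unparseable
    end
    [name, status]
  end.to_h
end

# Constructed sample: a throwaway self-signed certificate, not a real CA.
def throwaway_cert_pem(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# Builds a temporary directory covering all four outcomes and audits it.
def demo
  Dir.mktmpdir do |dir|
    good = throwaway_cert_pem('Example Root A')
    other = throwaway_cert_pem('Example Root B')
    pinned = { 'a.pem' => sha256_fingerprint(good), 'b.pem' => sha256_fingerprint(good) }
    { 'a.pem' => good, 'b.pem' => other, 'c.pem' => good, 'd.pem' => 'not a cert' }
      .each { |name, body| File.write(File.join(dir, name), body) }
    audit_cert_dir(dir, pinned)
  end
end
```

In a build, `pinned` would hold the fingerprints recorded at review time, such as the one printed in the description above, and any status other than `:ok` would fail the packaging step.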