Ubuntu 22.04 server has newer SSL which seems to break slack-ruby-client

[slithernix]

Hi, I just updated to 22.04 and noticed a script I have to send myself Slack messages is broken. This is the error message I get:

error: SSL_CTX_load_verify_file: system lib

when running:

/usr/local/bin/slack chat postMessage '--text=helloworld' --channel=@jmcdonagh

Running it with -d doesn't seem to show much.

[dblock]

~Is this https://github.com/slack-ruby/slack-ruby-client/pull/416? Try with HEAD, does it fix your problem? The next version 2.0 has yet to be released.~

Google comes up with https://deanpcmad.com/2022/installing-older-ruby-versions-on-ubuntu-22-04/, which basically says to use Ruby 3.0 (slack-ruby-client works with that too) or install an older version of the libs.

[slithernix]

that'll probably do the trick and is what I was planning on doing if an updated release isn't coming soon.

[slithernix]

Just to add though, I am using ruby 3.0:

ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-linux-gnu]

[dblock]

Were you able to fix this @jmcdonagh? I would try with a newer Ruby first and then debug if that doesn't work.

[dylanz]

I ran into this issue with Ruby 3.1.2, the error coming from Faraday. This was a deployment on Heroku's 22 stack (which runs Ubuntu 22). I wasn't able to resolve the issue so downgraded to Heroku 20 and the issue went away.

[dblock]

Something similar was reported in https://github.com/ruby-grape/grape/issues/2283. Downgrading is not really a fix, so let's keep this open until someone can figure out how to properly address this. Maybe there's an upstream issue on Faraday somewhere?

[slithernix]

@dblock i was not- i am inundated with work, three jobs, and this won't be a "real" problem for me for at least another month at minimum.

[vseguin]

I have stumbled upon this https://stackoverflow.com/questions/11703679/opensslsslsslerror-on-heroku - it's quite a hack (and should not probably be bundled in slack-ruby-client) - but it seems to "solve" the problem. Another suggestion here https://github.com/googleapis/google-api-ruby-client/issues/253

connection.ssl.verify_mode = OpenSSL::SSL::VERIFY_NONE which is not great either...

[vseguin]

@jmcdonagh @dblock I confirm that https://github.com/slack-ruby/slack-ruby-client/issues/415 fixes it (or setting nil to the ca_path + ca_file) - it seems it isn't released yet though, would it be possible to get a release soon? 👼

[dblock]

I think we want to merge https://github.com/slack-ruby/slack-ruby-client/pull/423 first, but otherwise hoping that @kstole will want to do a release.

[calebhaye]

+1 for a release, still broken

[dblock]

@calebhaye 2.0 was released a while ago, does it not work for you?

[tsrivishnu]

For anyone who lands on this:

The cause for this is that OpenSSL::X509::DEFAULT_CERT_FILE returns "/usr/lib/ssl/cert.pem" which doesn't exist. Slack ruby client sets the defaults to use this constant. See: https://github.com/slack-ruby/slack-ruby-client/issues/415 and https://github.com/slack-ruby/slack-ruby-client/pull/416.

You could simply upgrade to the latest version and this will be resolved. Version 2.0.0 seem to be fixing this. See: https://github.com/slack-ruby/slack-ruby-client/pull/416.

However, if you are unable to upgrade, there are two options to resolve this correctly:

1. Initialise the Slack::Web::Client with ca_cert and ca_path set to nil. See: https://github.com/slack-ruby/slack-ruby-client/issues/415

    Slack::Web::Client.new(token: 'abc', ca_file: nil, ca_path: nil).auth_test

2. Or, on the host machine, symlink /etc/ssl/certs/ca-certificates.crt to /usr/lib/ssl/cert.pem:

   $ ln -s /etc/ssl/certs/ca-certificates.crt /usr/lib/ssl/cert.pem

[dblock]

Moving to a newer version of slack-ruby-client is also an option, correct?

[tsrivishnu]

@dblock Yes, that is also an option. I have updated the comment with that.