Open nroose opened 1 month ago
Running into the same problem after upgrade to ruby:3.3.3-alpine3.20
Curl::Err::SSLCaertBadFile: Problem with the SSL CA cert (path? access rights?): error setting certificate file: "/etc/ssl/certs/ca-certificates.crt"
from /work/vendor/bundle/ruby/3.3.0/gems/curb-1.0.5/lib/curl/easy.rb:80:in `perform'
I'm experiencing the same problem:
require 'curb'
Curl::Easy.perform("https://www.enroute.mobi/") do |http|
http.verbose = true
end
gives this output:
* Host www.enroute.mobi:443 was resolved.
* IPv6: 2001:4b98:e01::38
* IPv4: 217.70.184.56
* Trying [2001:4b98:e01::38]:443...
* Connected to www.enroute.mobi (2001:4b98:e01::38) port 443
* GnuTLS ciphers: NORMAL:-ARCFOUR-128:-CTYPE-ALL:+CTYPE-X509:-VERS-SSL3.0
* error reading ca cert file "/etc/ssl/certs/ca-certificates.crt" (Error while reading file.)
* error reading ca cert file "/etc/ssl/certs/ca-certificates.crt" (Error while reading file.)
* Closing connection
A small strace provides this interesting information:
834810 openat(AT_FDCWD, "\"/etc/ssl/certs/ca-certificates.crt\"", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
834810 openat(AT_FDCWD, "\"/etc/ssl/certs/ca-certificates.crt\"", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
The extra quotes seem to be the root cause of the problem.
When cacert is specified with the same file, the correct file is opened and the request is successful:
require 'curb'
Curl::Easy.perform("https://www.enroute.mobi/dummy") do |http|
http.verbose = true
http.cacert = "/etc/ssl/certs/ca-certificates.crt"
end
835496 openat(AT_FDCWD, "/etc/ssl/certs/ca-certificates.crt", O_RDONLY|O_CLOEXEC) = 10
With libcurl 8.8.0, curl-config --ca
outputs quotes:
➜ curl-config --version
libcurl 8.8.0
➜ curl-config --ca
"/etc/ssl/certs/ca-certificates.crt"
With a previous version, quotes are absent:
➜ docker run --rm -it debian:stable
root@85ab7a0efe7c:/# apt update && apt install -y libcurl4-openssl-dev
[...]
root@85ab7a0efe7c:/# curl-config --version
libcurl 7.88.1
root@85ab7a0efe7c:/# curl-config --ca
/etc/ssl/certs/ca-certificates.crt
Wonder if the double quote PR helps here?
Seems as though it always gets a ca-certificates error with the latest libcurl And that is the only one supported by Alpine 3.20. Any chance you can do an update or tell us a way to get the ca certs to work?