Gem bundles outdated CRT file
nightpool opened this issue · 3 comments
- Algolia Client Version: all versions after 1.1.15
- Language Version: Ruby 2.5.8
Description
In algoliasearch version 1.1.15, the gem started bundling its own ca-bundle.crt file, ignoring the default OS system certificates. While this was a welcome change at the time (in 2013) because of the poor support across the ruby ecosystem for updating and using CA certificates, it caused a major operational issue this morning when it prevented Algolia from deploying new certificates to production:
While bundling a frozen CA cert file was a reasonable decision in 2012, it no longer makes sense given the improved landscape for security updates and increased attention to SSL support. Alternatively, this package should at least provide a configuration option to override the certificate bundle used.
Steps To Reproduce
- Try to connect to algolia.net this morning between 12:07 UTC and 13:43 UTC, when the edge servers were serving `USERTrust RSA Certification Authority` as the root of their chain, which has been trusted in Ubuntu cert stores since 2015.
Furthermore, bundling SSL certs in the gem makes it harder to debug and fix operational issues like these. I had been testing using `openssl s_client -connect` and `curl`, which use the same certs as the system SSL roots. Algolia's own testing and diagnostic tool, https://algolia.com/downloads/diag.sh, does the same.
Indeed, this loading of certificates is not great. When the certificates are loaded, only the ca-bundle is loaded - https://github.com/algolia/algoliasearch-client-ruby/blob/master/lib/algolia/client.rb#L632
Adding `ssl_config.cert_store.set_default_paths` right before adding the custom cert store would have improved the situation and taken the OS cert store into account when available.
It probably would not have avoided the issue with OpenSSL version < 1.1.1 as even with updated OS cert store or the client store, the client would be failing.
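A runnable illustration of the store-building order described in the comment above, added here and not part of this issue or of the algoliasearch gem. It uses a constructed test PKI: the leaf's root is present only in a stand-in for the OS trust store, exposed through `SSL_CERT_FILE` (which `set_default_paths` honours), while the gem-style bundle still carries only a legacy root. The hostname, temp-file names and helper names are assumptions.

```ruby
require 'openssl'
require 'tempfile'

# Build a certificate; a nil issuer makes it a self-signed CA (constructed test PKI).
def make_cert(name, issuer: nil, issuer_key: nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true)) if ca
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# The order recommended above: OS trust roots first (set_default_paths honours
# SSL_CERT_FILE / SSL_CERT_DIR), then the bundle shipped with the gem.
def build_store(bundle_path, include_system: true)
  store = OpenSSL::X509::Store.new
  store.set_default_paths if include_system
  store.add_file(bundle_path)
  store
end

def write_pem(label, cert)
  f = Tempfile.new([label, '.crt'])
  f.write(cert.to_pem)
  f.flush
  f
end

# Returns [frozen-bundle result, merged-store result] for a leaf whose root is
# only in the simulated OS store; expected [false, true].
def demo
  legacy_root, _ = make_cert('Legacy Root in gem bundle', ca: true)
  new_root, new_key = make_cert('New Root only in OS store', ca: true)
  leaf, _ = make_cert('example.test', issuer: new_root, issuer_key: new_key) # hostname assumed
  bundle = write_pem('ca-bundle', legacy_root)   # what a frozen gem bundle would ship
  os_roots = write_pem('os-roots', new_root)     # stands in for the OS cert store
  ENV['SSL_CERT_FILE'] = os_roots.path           # must be set before set_default_paths
  [build_store(bundle.path, include_system: false).verify(leaf),
   build_store(bundle.path).verify(leaf)]
end
```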
Hey @nightpool, we released a new version of the library, v1.27.3, which replaces the expired certificate. Does it solve your issue?